The Low-Tech First Step for a Hacker to Gain Entry Into Your Systems and Infrastructure, Or Steal Information Socially
“Social engineering”, in IT and data security circles, refers to malicious hackers using “low-tech” means, deception aimed at people rather than exploits aimed at software, to infiltrate a company and steal information for profit. What is stolen may be company secrets or customers’ private data, but the hacker’s objective is the same: to make money from the stolen data.
We read about data breaches seemingly every day; the 2017 Equifax breach, one of the largest on record, is the obvious example of the scale involved (that particular breach began with an unpatched web application flaw rather than a phone call, but the scale is the point). So what is this low-tech approach? Social engineering is all about getting at a company’s confidential, insider information by way of its employees, and it is usually a hacker’s first step: a foothold on one account or one workstation that is then turned into a much larger, full-scale breach-and-steal attack.
It goes without saying that a company needs its employees. Nevertheless, employees are often a company’s weakest security link. In social engineering, hackers exploit the human weaknesses in a company’s workforce to achieve their ends, and they do it with kindness, manipulation, and lies. You think only Grandma and Grandpa get scammed? Think again. Social engineering happens every day and works on every age group and background, and on the U.S. Government too.
For instance, one aspect of human psychology that a hacker can target through social engineering is the fact that very few people want to be distrustful of others. They want to believe that others mean well and are being honest with them. They want to be kind and helpful. As employees, they especially want to believe the best of those who appear to be fellow employees working for the good of the business. So, for example, a hacker gets hold of the name of a Director or VP in the company (very easy to do using LinkedIn), calls a “selected” employee, and pretends to be IT tech support in need of the employee’s password. Of course, they drop the Director’s or VP’s name to sound official and spin out some plausible scenario that requires them to remotely access the employee’s computer for some “urgent matter in need of immediate attention.” What is really funny about this scenario is that many social engineers, while playing it out, go so far as to say they are investigating or trying to prevent a hacking attempt on unsuspecting employees’ computers!
Stories of social engineering abound in which hackers simply show up in a company’s lobby and brazenly insist on being let into the main part of the building to help with some important IT issue. In other stories, hackers pose as employees in the outside smoking area, getting cozy with “fellow smoker employees” who courteously hold the door for them when they have “forgotten their ID badge back at their desk”. Once inside, such a hacker may even get the chance to drop a few malware-laden thumb drives onto unsuspecting (real) employees’ desks.
If you like to record your life on Facebook or other social media, you are a hacker’s dream. Hackers intent on social engineering in today’s world often rely simply on reading an employee’s social media accounts to pick the psychological lever most likely to get him to let them into the company’s computer systems without realizing it. Perhaps “another employee” makes a post prompting him to click on a link in response. Perhaps that “other employee” sends him an email and gets him to click on what appears to be a social media link about the company when it is really a spear phishing link.
Social engineering hackers who are worth their salt are adept at researching their targets. They are able to speak company lingo and jargon. If they show up in person, even without so much as a fake ID on them, they know how to dress the part. They know how to get inside the heads of a company’s unaware employees.
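As an added example (not code from the original post or from E-Complish), here is a small Python check for the kind of disguised link described above. It parses the anchors in an email body and flags a link whose visible text names one domain while the href points at another, a link whose host is not on an allowlist of domains the company actually uses, and a host containing non-ASCII look-alike characters. The sample email, the allowlist of example-corp.com and linkedin.com, and the hostname heuristics are constructed assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist for this example: domains the company really uses.
TRUSTED_DOMAINS = {"example-corp.com", "linkedin.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare text like 'linkedin.com/...' is treated as http."""
    parsed = urlparse(url if "//" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registered_domain(host):
    """Crude last-two-labels heuristic (fine for .com, wrong for .co.uk)."""
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


# A URL or bare domain name appearing in the visible link text.
URL_IN_TEXT = re.compile(r"https?://\S+|\b[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}\b")


def flag_links(html):
    """Return [(href, visible_text, [reasons])] for every suspicious anchor."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        reasons = []
        if registered_domain(href_host) not in TRUSTED_DOMAINS:
            reasons.append("href host not on company allowlist")
        if any(ord(c) > 127 for c in href_host) or "xn--" in href_host:
            reasons.append("href host uses non-ASCII / punycode look-alike characters")
        m = URL_IN_TEXT.search(text)
        if m:
            text_host = host_of(m.group(0))
            if text_host and registered_domain(text_host) != registered_domain(href_host):
                reasons.append("visible text names a different domain than the href")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample message (not a real email): a look-alike link whose text
# pretends to be LinkedIn, a genuine internal link, and a homoglyph domain
# (the \u0435 is a Cyrillic 'е' standing in for the Latin 'e').
SAMPLE_EMAIL = """
<p>Hi Dana, saw this on the company page, worth a look:</p>
<p><a href="http://linkedin.com.example-corp-news.net/post/42">linkedin.com/company/example-corp</a></p>
<p>Policy update: <a href="https://example-corp.com/hr/policy">https://example-corp.com/hr/policy</a></p>
<p>Press: <a href="https://exampl\u0435-corp.com/press">example-corp press</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in flag_links(SAMPLE_EMAIL):
        print(f"{href!r} shown as {text!r}: {'; '.join(reasons)}")
```

Run against the constructed message, only the genuine example-corp.com link passes; the other two are flagged. The domain heuristic is deliberately simple, so in practice the allowlist and public-suffix handling would be tuned to the company’s real domains.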
Not even CEOs are immune to social engineering attacks. A company’s “whales” (the executives, the highest-value targets, which is why attacks on them are called “whaling”) are human, all too human.
There are a lot of ways your company can minimize the chance of being “hacked open” by a skilled social engineer. One is simply to ensure that every employee uses a strong password: length matters more than the old eight-characters-with-symbols rules, so favor long passphrases, and never reuse one across accounts. Employees should have these on all of their computers and devices, with disk encryption turned on, in case a device is ever stolen or handled by, say, one of those fake “IT support” guys the receptionist let into the main offices. But a password, however strong, does nothing if the employee reads it out to a caller. Pair it with multi-factor authentication and one simple rule: IT support never asks for your password, and any request for remote access is verified by calling back on a number the employee looks up, not one the caller provides.
Another preventive measure is suggested by Greg Kelley, EnCE, DFCP, of Vestige Digital Investigations. He says, “Not everyone in the company needs access to everything. Does the project manager need pricing information? Does the sales person need operations information? By restricting what data each person has access to, you limit your exposure when an…employee’s account is compromised by an outsider.”
And Joseph Steinberg, CEO of SecureMySocial, says, “All access to the Internet from [personal] devices—or from devices brought by visitors to your office—should be done via a separate network than [the one] used for company computers. Many routers come equipped with such a capability. Personal devices can be infected with malware that can steal data if the devices are connected to corporate networks.”
But the strongest, most effective way of minimizing the potential harm done by social engineering hackers is to create a whole company culture that is aware of them and voluntarily takes part in guarding against them. This might make employees feel, at least at first, that they are being a little paranoid. Perhaps they are. But as the saying goes, just because you are paranoid doesn’t mean they’re not out to get you. Social engineering hackers depend on, and count on, your employees being unaware of them and too trusting.
Creating this company culture of awareness starts at the top, in the C-suite where your “whales” are. Even if yours is a small company without any C-suite, the principle is still the same. The uppermost leadership of the company has to make it clear to everyone else that it supports employee awareness about social engineering, and that it is open to allocating whatever resources are necessary, financial or otherwise, to maintain that crucial level of awareness.
Once the uppermost level has given the thumbs-up, the next step is to get all of your departments onto the same “awareness team”. Human resources, purchasing, sales and marketing, project management, IT engineering: every department has to voluntarily agree to take part in the security department’s efforts to guard against social engineering infiltration. Here at E-Complish, we do random social engineering against ourselves. We find this to be a very effective method for keeping all employees on their toes. We even use it as a training tool after an employee has really been hacked!
Your security department should not be negative about this awareness culture, either. Employees need to feel excited and proud to take part, not scolded or intimidated. Reward their voluntary compliance. Security staff need to tell employees how to make the company’s and clients’ data more secure, rather than being finger-waggers who try to impose strict limits on employees’ freedom.
In the end, social engineering hackers have a much harder time against a company with aware employees. And take it from us, we love it when we get to rub the hacker’s nose in it after his silly little call to one of our employees fails miserably! It’s time for a beer on those days…