Author: Nitin Bhatnagar
Social engineering is the breach of organizational security by manipulating employees into disclosing confidential information. Its main tool is psychological manipulation that wins an employee's trust, rather than a technical exploit. It covers frauds such as obtaining a password by posing as an employee, or using social media to identify new employees and trick them into handing over customer-critical information, along with many other attempts to breach security by first gaining trust. Such breaches can prove extremely damaging for Indian organizations.
Before we look at how to fight social engineering attacks, we need to understand the different types of social engineer among us. In an Indian context, social engineers come in many forms: hackers, penetration testers, disgruntled employees, identity thieves and even sales representatives.
Humans are often the weakest link in a breach. Social engineers use different strategies to gain access to your company's confidential information. The most important preventive measure on this front is to train employees and to enforce sound security practices, policies and procedures.
Social engineers use a variety of techniques, such as shoulder surfing and dumpster diving. They can also obtain critical information through phishing attacks delivered by email and over the phone.
Shoulder surfing
This refers to an attacker looking over an individual's shoulder as he or she types a password or PIN on a keyboard or keypad. The attacker memorises the keystrokes for later misuse.
To counter this, avoid logging in to sensitive accounts in crowded public locations, and shield the keypad whenever you must enter a PIN. Be especially careful when accessing financial or personal information with your user ID and password.
Dumpster diving
In this method, social engineers search your garbage for potentially useful information such as printouts, old invoices or notes with passwords written on them. Securely destroy critical information with a shredder before disposal to avoid such theft. Common shredder types that Indian businesses can look at are:
- Particle-cut shredders: cut paper into tiny square or circular pieces.
- Paper masher bags: specially designed bags in which confidential documents are mashed to a pulp so that they cannot be read.
Phishing
Phishing uses carefully crafted emails that lure recipients to a bogus website. The site is usually styled after a well-known and trusted brand to convince the individual to enter financial and/or personal information. Such sites may also push malicious code (such as a Trojan with key-logging capability) onto the unsuspecting user's computer, where it collects sensitive information. The first check is always the same: look at the actual link target, not the text or logo displayed in the email.
Targeted phishing
Indian companies now see many targeted phishing attacks (spear phishing, or whaling when the target is an executive) aimed at senior management. Attackers craft emails addressed to the CEO, CFO or COO that persuade them to click a link to a non-business website carrying malicious code, and then use that foothold to reach email, servers and financial systems. Such emails typically dangle something the victim wants: a new business opportunity, or information about a competitor.
In these attacks the social engineer is well versed with the company's current situation, and may be someone who knows the target personally as well as the latest internal developments in the organization. Attackers also gather this background from social media platforms and public forums.
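The two phishing sections above both come down to one mechanical check: does the link really go where it claims? The following script, an added example and not code from the original article, runs that check over a constructed sample email. It parses every anchor, flags visible text that names one domain while the href points at another, and flags hosts that imitate a trusted brand domain (brand name embedded in a foreign domain, digit-for-letter lookalikes, or a near-miss spelling). The trusted-domain list, the sample email and the edit-distance threshold are assumptions made for illustration.

```python
"""Flag phishing-style links in an HTML e-mail body.

Added example, not code from the original article. Reports anchors whose
visible text and href host disagree, and hosts that imitate a trusted brand
domain. TRUSTED_DOMAINS, SAMPLE_EMAIL and the thresholds are assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of domains the organization actually deals with.
TRUSTED_DOMAINS = ["hdfcbank.com", "icicibank.com", "sbi.co.in"]

# Characters attackers swap in to build lookalike hostnames (ASCII and Cyrillic).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l",
                             "\u0430": "a", "\u0435": "e", "\u043e": "o"})

# A bare domain or URL appearing in link text, e.g. "www.hdfcbank.com".
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def edit_distance(a, b):
    """Levenshtein distance, used to catch typosquats such as hdfcbnak.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Return the trusted domain that `host` imitates, or None when the host
    really is under a trusted domain or is unrelated to all of them."""
    host = host.lower()
    if any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None
    normalized = host.translate(CONFUSABLES)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if trusted in normalized or brand in normalized:
            return trusted  # e.g. www.hdfcbank.com.verify-login.net
        if edit_distance(normalized, trusted) <= 2:  # threshold is a tuning choice
            return trusted  # e.g. hdfcbnak.com or sb1.co.in
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_links(html):
    """Return [(href, [reasons])] for every link that looks like phishing."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        reasons = []
        match = DOMAIN_IN_TEXT.search(text)
        if match:
            shown = match.group(1).lower()
            if not (host == shown or host.endswith("." + shown)):
                reasons.append(f"text shows {shown} but link goes to {host}")
        imitated = lookalike_of(host)
        if imitated:
            reasons.append(f"{host} imitates {imitated}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample: a KYC-scare e-mail with two bogus links and one genuine one.
SAMPLE_EMAIL = """
<p>Dear customer, your net banking access will be suspended today.</p>
<p>Login at <a href="http://www.hdfcbank.com.verify-login.net/">www.hdfcbank.com</a>
to keep it active, or complete KYC on
<a href="https://secure-icicibank.com/kyc">our secure portal</a>.</p>
<p>Genuine help page: <a href="https://www.sbi.co.in/">www.sbi.co.in</a></p>
"""
```

Running `analyse_links(SAMPLE_EMAIL)` flags the first link twice (the text says www.hdfcbank.com but the host is under verify-login.net, which also embeds the brand name) and the second once (secure-icicibank.com is not under icicibank.com), while the genuine SBI link passes. The same host comparison is what a user should do by hand before clicking: the registrable domain at the end of the hostname, not the familiar name at the start, decides who receives the credentials.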
Over the phone (IVR)
Interactive voice response (IVR) systems let an attacker build a legitimate-sounding replica of the phone menu of a bank, telecom operator or mobile value-added-service provider. The victim is prompted (typically via a phishing email) to call a toll-free number, or to say when it is convenient to be called, in order to "verify" information. Once the target calls in, the system repeatedly reports that the entry failed, so the victim re-enters PINs or passwords several times, along with other critical data such as date of birth, credit/debit card number, expiry date and CVV. Phone phishing is also known as vishing.
Controls that defend against social engineering attacks
- Deter public disclosure of information: Avoid giving out personal information over the phone in public places. Be wary of such requests arriving by email, even when they appear to come from friends or colleagues, since a sender address is easily forged.
- Limit the use of social media: Use social media to stay in touch with friends and colleagues, not to publish personal details. If you must share such information, restrict it to the individuals who need it rather than posting it publicly, and remove it once it has served its purpose.
- Ensure awareness and education: Attend cyber safety awareness sessions, many of them available on the Internet, that explain how to protect yourself from cyber-attacks.
- Get management buy-in: Managers must understand their role well enough to define what needs protection and why, so that appropriate measures are put in place against the associated risks.
- Strengthen your information security policy: Put in place a well-documented and accessible security policy. Together with its associated standards and guidelines, it forms the foundation of a good security strategy.
- Strengthen physical security: Implement strong physical access controls, maintain visitor logs and install CCTV in areas where critical data is stored or used.
- Implement two-factor authentication: Two-factor authentication requires a user to prove identity with two different kinds of evidence, drawn from two of the three authentication factors, before access is granted. A password phished from an employee is then not enough on its own.
These factors are:
- Something the user knows (for example, a password or a PIN)
- Something the user has (such as an ATM card, a smart card or a one-time-code generator)
- Something the user is (a biometric characteristic such as a fingerprint or retina scan)
- Adopt technical security measures: Deploy intrusion detection systems to monitor network activity, and enforce antivirus on all workstations and servers. These help catch the malicious code a successful phishing email delivers; they do not stop an employee from giving away a password, which is why the awareness measures above come first.
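To make the two-factor control above concrete, here is an added example (not code from the original article) of a login check that combines a password, the "something the user knows" factor, with a time-based one-time code, the "something the user has" factor, generated from a secret held in the user's authenticator app or token. The one-time code follows RFC 4226 (HOTP) and RFC 6238 (TOTP), so the standard test secret from those RFCs can be used to check it; the user record, password, PBKDF2 work factor and timestamps are constructed for illustration.

```python
"""Two-factor login check: password plus a TOTP code (RFC 6238).

Added example, not code from the original article. The password hash is the
"something the user knows" factor; the one-time code is derived from a secret
the user holds, the "something the user has" factor. User records, the
PBKDF2 work factor and the timestamps are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ROUNDS = 200_000  # assumed work factor for the password hash
# Shared-secret test vector from RFC 4226 / RFC 6238, used only for checking.
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def verify_totp(secret, code, at=None, step=30, window=1, digits=6):
    """Accept the current step and +/- `window` neighbours to tolerate clock drift.
    Every candidate is compared in constant time."""
    if len(code) != digits or not code.isdigit():
        return False
    at = time.time() if at is None else at
    counter = int(at // step)
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), code)
               for d in range(-window, window + 1))


def enroll(username, password, totp_secret=None):
    """Create a user record with a salted PBKDF2 password hash and a TOTP secret.
    Returns the record and the base32 form of the secret that the user loads
    into an authenticator app or hardware token."""
    salt = os.urandom(16)
    totp_secret = totp_secret or os.urandom(20)
    record = {
        "user": username,
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret,
    }
    return record, base64.b32encode(totp_secret).decode()


def login(record, password, code, at=None):
    """Both factors must pass. Both are always evaluated so that response time
    does not reveal which one failed."""
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    pw_ok = hmac.compare_digest(pw_hash, record["pw_hash"])
    code_ok = verify_totp(record["totp_secret"], code, at)
    return pw_ok and code_ok


if __name__ == "__main__":
    record, b32 = enroll("priya", "correct horse battery", totp_secret=RFC_SECRET)
    print("secret for authenticator app:", b32)
    now = time.time()
    print("current code:", totp(RFC_SECRET, now))
    print("login with phished password only:", login(record, "correct horse battery", "000000", now))
    print("login with both factors:", login(record, "correct horse battery", totp(RFC_SECRET, now), now))
```

The point the list item makes shows up in the last two lines: a password alone, however it was obtained, yields False, and only password plus a code from the current 30-second window yields True. The +/-1 step window is the usual concession to phone clock drift; a stricter server would also record the last accepted counter so a code captured by shoulder surfing cannot be replayed within the same window.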