Password Policy – Social Engineering
Written by Chris Thornton, 26 July 2016
With standard anti-virus software unable to protect your business against this form of cyber attack, we ask: what is social engineering?
‘Social Engineering’ is a phrase that will mean very little to the average end user. In short, Social Engineering is the act of bypassing all existing IT security measures with a view to exploiting your employees directly. In short, it is “The art of manipulating people into giving up sensitive information or gaining their trust to exploit them”.
Social engineering is the cause of most successful attacks against an organisation and is widely regarded as the most prevalent threat in the digital world. Social Engineering can be particularly tricky to manage as standard business anti-virus solutions can’t do much to defend against it. Additional layers of security such as email & web filtering can reduce your overall risk, however the biggest risk to your organisation is the actions of your employees.
Attack Vectors of Social Engineering
The two main forms of Social Engineering are Phishing & Vishing which both involve impersonation in one form or another:
Phishing is the simplest for a hacker or scammer to achieve and consists of sending your end users emails with a URL or malicious attachment that the end user must click for the attack to work (e.g. just think of the typical ‘Nigerian Prince’ Scam). Spear Phishing is the most common and dangerous form of this: where an attacker will make an email appear as it is from a different email address than it actually is. Some Spear phishing is also effective at bypassing email filtering systems and can only be caught by end user knowledge on the subject by double checking the source of emails.
Vishing scams are similar to phishing but are carried out over the phone. Vishing scams occur when a scammer or hacker phones your end users and attempts to extract information on various need to know subjects. Two examples of vishing are related to the TalkTalk data breach & a local Dundee business being conned out of millions. Attacks of this nature are on the increase and it is important that your staff are aware of them and are careful about the information they are prepared to share.
So how can social engineering be prevented?
There are a few key points to be aware of to protect yourself from a social engineering attack:
- Be suspicious of any unexpected communication especially if it’s from a supposed authority figure.
- If unexpected communication occurs, double check the identity of that individual and make sure they are of trustworthy reputation.
- Ensure business processes are in place to properly authorise transfer of money or sensitive data.
- End User Education! The last line of defence is the end user, and because social engineering targets end users they must be well informed.
There are plenty of things that can be done to prevent social engineering. However, because it targets people rather than the machine, it requires that the human must be able to identify and respond correctly to this form of attack. As these attacks are designed to bypass computer security, the only way to efficiently deal with them is through end user education.
Computing technology is ever-changing and system security is improving at a fast pace. However, sometimes people and companies aren’t so quick to adapt. Due to this, social engineering is an area of IT security that you must be aware of as vulnerabilities can be exploited at every level of your organisation.
These will only be secured with permanent vigilance and continuous education of your team.
Shackleton & Microsoft Sponsor DACC AGM 2016
The Dundee & Angus Chamber of Commerce AGM is an opportunity for local businesses to have their say, and Shackleton is proud to be sponsoring the DACC AGM 2016…
Keeping The Office Informed: Communicating With Technology
Communication is crucial to small business - fortunately, in the modern workplace, employees can stay in touch no matter where they are in the world...