It all begins with a team of attackers who study a specific company and collect the information they need to break into its systems. Instead of attacking the technology directly, they manipulate people through psychological tricks until someone cooperates. Once that happens, the intruders obtain the data they need (such as usernames and passwords) to access the company's network. Knowing that most office staff are polite, helpful, and trusting, the attackers pose as employees of the targeted enterprise and ask for small favors. Rather than physically breaking into an enterprise's premises or systems, they talk their way into the information that grants unauthorized access. This practice is referred to as social engineering.
As the saying goes, a chain is only as strong as its weakest link. If security were a chain, its weakest link would be the natural human tendency to trust people on their word alone. No matter how well our firewalls, antivirus, and anti-spyware programs work, they can only do so much to deter an intruder who has been handed a valid password. Every business needs a security policy that keeps "visitors" out of secured areas of its buildings, and employees must be trained not to let strangers in and not to answer security-related questions over the phone.
Gaining Company Info
Just like technical hackers, social engineers seek confidential facts or unauthorized access as a means of learning more about a targeted company. With such data, intruders can commit fraud, gain network access, conduct industrial espionage, steal identities, or simply wreak havoc on the company's network. Common targets of such attacks are telephone companies, answering services, prominent corporations, banks, military and government agencies, and hospitals. Still, any company, large or small, can be a victim of social engineering.
Why is social engineering becoming so widespread? Because asking people for passwords or other access credentials is much simpler than technical hacking. Even attackers with a great deal of technical expertise find it far easier to make a phone call and ask someone for their password than to break in.
Social engineering also has a physical side. Information about an organization is gathered in the workplace itself, through the phone system, from trash cans, and online. Attackers have been known to walk into offices pretending to be a consultant or a janitor. Such a person will casually wander around the workplace, look for papers with passwords written on them, or watch over employees' shoulders as they log in. Once the intruder has found such data, he or she leaves the premises and logs into the company's network from home.
Hacking by Phone
Another popular form of social engineering is done over the phone. The attacker calls a user and impersonates someone with authority or a plausible reason to need information, then uses that pretext to extract data from the user. Often the caller claims to be from within the corporation and plays tricks on the switchboard operator. Alternatively, the caller poses as a vendor, saying something like, "Hello, I am your representative from AT&T and I need some information from you to fix a problem with your account," and then asks for the victim's AT&T calling card number and PIN.
One of the most vulnerable points for social engineering within a company is its help desk. Its staff are trained to be friendly but are taught only the minimum necessary to answer common inquiries. Most help-desk employees know little, if anything, about their employer's security practices, and they are often poorly paid. Their job is to answer a caller's questions and move on to the next caller. Hence, the help desk is a potential gold mine for attackers and a large security hole for the organization. The fix is procedural: the help desk should verify a caller's identity through an independent channel (for example, calling back a number on file) before resetting a password or giving out account details.
Yet another method, called "shoulder surfing," is practiced at pay phones and ATMs, especially in large airports. People loiter around these machines and peek over users' shoulders to capture card numbers and PINs. Users must be extra careful when using them.
Going Through Trash
Information is also obtained by dumpster diving. The social engineer pulls discarded documents and company materials out of the trash: phone books, organization charts, employee handbooks, memos, calendars, system manuals, and any other sensitive material printed on paper. Additional data can be found on username/password lists, source code printouts, floppy disks, backup tapes, company stationery, and discarded computer equipment.
How are these items useful to an attacker? Company phone books list the names and numbers of employees the attacker can call and beguile. Organization charts reveal the names and positions of a company's staff, which makes impersonation more convincing. Employee handbooks give the attacker an idea of how secure the business is (or isn't). Technical information found in system manuals and source code reveals details needed to reach and unlock the network. Media such as disks, tapes, and hard drives may hold all kinds of data that benefit an attacker. Company stationery and memo forms lend an authentic appearance to malicious correspondence sent to employees.
Requesting Info Online
The online world is yet another venue for social engineering. Some attackers send online forms that ask the user to enter a username and password, an email address, or a card number and PIN. These forms are accompanied by advertisements stating that the user has won some sort of sweepstakes and need only supply the requested information to claim the prize. Because people tend to use the same username/password pair for more than one account, once an attacker has these two pieces of data he may be able to log in to other sites the user frequents. Some users respond from their corporate email addresses, unknowingly telling the attacker where they work. Still other attackers send requests for information through the US mail.
Yet the oldest trick in social engineering is pretending to be the network administrator. A real network administrator never needs an employee's password: administrators can reset or unlock an account without ever knowing the current password, and properly run systems store only password hashes, so even the administrators cannot read them. Any request for a password, whatever its apparent source, is therefore a red flag. If employees have concerns about the company's network, they should talk with their network staff face-to-face or through a phone number they already know to be correct.
Social engineering is becoming increasingly popular among attackers. It is best to be alert at all times and never give out credentials over the phone, even if the voice sounds familiar. Never open emails, especially attachments, from parties you don't know. Shred all documents before throwing them in the trash, and have all computer media and hardware physically destroyed before disposing of them. Remember that legitimate network staff and company representatives will never call you and ask for your password. If you are unsure about a request made over the phone, hang up and call the person back on a number you obtain independently, or arrange to meet the caller in person.