Thursday, December 17, 2015

UNDERSTANDING AND TACKLING SOCIAL ENGINEERING


A company cannot rely on the thought, “Our systems are protected with top-of-the-line security products and our employees are aware of security. We are completely safe.”
Adding more systems and protection gadgets may solve some security problems, but the crucial component of security is the individual, not the machine. Installing the latest applications does not guarantee comprehensive protection of the system.

WHY? Here is a real-life instance that shows why.
Four high-level executives received emails that appeared to come from an employee inside a U.S.-based Fortune 500 manufacturing firm. The email looked 100% genuine, and its message discussed a corporate plan the CEO was advocating. One of the executives clicked the link in the email, and that was all it took. That single careless click released malware that infected the executive’s computer. This gave the attackers a path into the company’s network, where they sniffed for passwords and gained access to multiple systems. Incidents like this happen to companies every other day.


Today, the volume of information a person possesses is directly related to the power that person can have over others. It is therefore crucial not only to obtain information but also to protect it from possible attacks. Social engineering is a method by which a person or group of people is manipulated into providing access to particular information or induced into certain behavior. It relies on psychological ruses or tactics used against the system user to obtain significant data such as usernames, passwords, access codes, security codes, credit card numbers and other information, for direct or hidden profit. The people who reveal the data are aware of doing so, but they usually consider the information they provided to be unimportant; the goal of the social engineer is to connect the dots, joining together pieces gathered from numerous sources. Social engineering takes advantage of the inherent nature of humans to manipulate others and acquire sensitive information.

How can awareness be created in the company to prevent an incident like the one mentioned above?
One can start by asking questions such as: “How vulnerable are the employees in your company to the usual social engineering threats such as phishing, smishing and office snooping? If your employees find a random USB drive, how likely are they to pick it up and plug it into a computer? Do your employees know about the techniques and scams social engineers use?”
Along with asking pertinent questions, there are various methods that can be used to create awareness.
Knowledge Assessment- Create a customized, scenario-based questionnaire about social engineering and other security issues to check your employees’ knowledge of those issues. With the help of the knowledge assessment, the company can better understand its employees’ knowledge of security and can create customized training based on the results (that is, which areas of security the company needs to focus on in training).
Education and training- Organizations should train and educate their employees about security so that they understand the issue better and become less willing to reveal company or personal information. Examples: how to properly discard documents, how to question the credentials of the people they are dealing with, and how to deal with unknown emails and the links embedded in them.
Policies- The company should prepare a comprehensive policy on the company’s security, with thorough instructions that help employees understand how to appropriately handle company information and user data.
Apart from these methods, the company should train employees through a variety of channels and track their participation. If employees understand the problem, the company policy towards it and the training provided, they will be able to handle the issue appropriately. It is very possible that even after deploying the finest and most expensive security technologies, an organization remains entirely vulnerable: a good social engineer can collect information about that organization simply by gaining the trust of a user and being friendly. Therefore it is up to us to understand the problem and not let ourselves become vulnerable.
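As an added example (not part of the original post or of any of its sources), the following Python script applies the kind of checks a recipient or a mail gateway would want for the spoofed email in the incident above and for the training point about unknown emails and the links embedded in them: does the Reply-To or Return-Path domain differ from the From domain, did the sender's SPF, DKIM or DMARC check fail, and does a link's visible text name a different host than its real target? The message, the domain names and the Authentication-Results line are all constructed for this example; the checks are ordinary heuristics, not a complete phishing detector.

```python
"""Heuristic checks for a suspected phishing message (added example, not from the post).

Assumptions (not from the original post): the message is available as raw
RFC 5322 text and the three checks below are plain heuristics a mail gateway
or a careful recipient could apply. The sample message is constructed.
"""
import email
import email.policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a lookalike reply-to domain, a failed SPF result and a link
# whose visible text names the intranet while the href points elsewhere.
SAMPLE_PHISH = """\
Return-Path: <bounce@mailer-example.net>
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=mailer-example.net
From: "Corporate Strategy" <strategy@example-corp.com>
Reply-To: strategy@example-corp-mail.net
To: exec@example-corp.com
Subject: Corporate plan the CEO is advocating
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review the plan at
<a href="http://example-corp.com.evil.example/plan">intranet.example-corp.com/plan</a>
before Friday.</p></body></html>
"""


def _domain_of(addr_header):
    """Return the lower-cased domain of an address header, or '' if the header is absent."""
    _, addr = parseaddr(str(addr_header) if addr_header else "")
    return addr.rpartition("@")[2].lower()


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def analyze_message(raw):
    """Return a list of human-readable findings; an empty list means none of these tells fired."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = []

    # 1. Sender-domain consistency: replies or bounces going to a different domain.
    from_dom = _domain_of(msg["From"])
    for hdr in ("Reply-To", "Return-Path"):
        dom = _domain_of(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom!r} differs from From domain {from_dom!r}")

    # 2. Authentication results recorded by the receiving mail server.
    auth = (str(msg["Authentication-Results"]) if msg["Authentication-Results"] else "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech.upper()} failed according to Authentication-Results")

    # 3. Links whose visible text looks like a host/URL but points at another host.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = _LinkCollector()
        parser.feed(body.get_content())
        for text, href in parser.links:
            target = urlparse(href).hostname or ""
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if "." in shown and shown != target:
                findings.append(f"link text {text!r} points to {target!r}")
    return findings


if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_PHISH):
        print("SUSPICIOUS:", finding)
```

Run against the constructed message, analyze_message reports the lookalike Reply-To and Return-Path domains, the SPF failure and the mismatched link. An empty result only means none of these particular tells were present, which is exactly why the questions, training and policies described above still matter.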





1 comment:

  1. I have read your post and I agree with you about social engineering. They also need to have policies and procedures in place. It is people, not the technology, that need training and awareness. Remember the Target data breach. It was caused by a lack of management in security. They knew it was happening and ignored it.
    Fantastic post.
    Thank you,
    Margaret Grigor

    Reference
    http://www.nytimes.com/2014/03/27/business/target-had-chance-to-stop-breach-senators-say.html?_r=0
