P.T. Barnum claimed that there’s a sucker born every minute, and he may have been right. Hackers frequently get hold of sensitive information or gain unauthorized access privileges simply by manipulating insiders — a technique known as “social engineering.”
As with any con game, the goal of social engineering is to gain the victim’s trust so the con artist can carry out his fraudulent scheme. But while the classic confidence trick exploits the victim’s dishonesty and greed, many social engineering techniques rely upon the inherent “niceness” of the average person.
Con artists may pretend to be an employee, convince the target that the request is normal and let plain old friendliness do the rest. The skilled hacker gains information very slowly, asking only for small favors or picking up details through seemingly innocent conversation: a name here, an internal phone number there, the name of a vendor or a software product. Each item seems harmless on its own, but together they let the next call sound like it comes from someone who belongs. Once trust is established, the hacker can begin acquiring the sensitive information and access needed to break into a system.
Social engineering has proven very successful, but there are steps a company can take to guard against a social engineering attack:
- Put It in Black and White. A comprehensive security policy gives end-users the tools they need to resist the hacker’s scheme. End-users should not have to consider whether certain information can be given out. It should be well defined beforehand by people who have thought seriously about the value of the information.
- Be Aware. Once the security policy has been established and approved, all employees should be trained in security awareness. Security awareness is more complicated than just telling people not to give their passwords away. Employees must know what kind of information a social engineer can use and what kinds of situations are suspect. Employees should know how to identify confidential information and should understand their responsibility to protect it.
- Be Resistant. Resistance training helps prevent employees from being persuaded to give away information that the hacker might need. Employees need to be wary of anyone who calls up asking for information, and to ensure that visitors aren’t left alone to snoop about. Even seemingly legitimate emails should be questioned: the From address of a message is trivial to forge, so a con artist can “spoof” an insider’s email address unless the organization’s mail gateway checks sender authentication (SPF, DKIM and DMARC) and flags messages that fail it. Requests that arrive by email should be verified through a second channel, such as a call to a number already on file, before anything sensitive is handed over.
- Get on the Offensive. Incident response is designed to stop the con artist before he can manipulate someone in the organization who does not know or care about security. There needs to be a well-defined process that an employee can begin as soon as he suspects something is wrong, such as a single number to call or an address to forward a suspicious message to. This process should pursue the hacker, for example by tracing the call or the message back to its source, and proactively warn other potential victims so the same pretext does not work on the next person.
- Acknowledge the Threat. Of course, the most important step is for organizations to acknowledge that social engineering is a very real threat. Most organizations have committed significant resources to protect against hacking and other types of electronic attack, but few realize that successful hackers seldom have to force their way in. Once organizations start taking social engineering seriously it becomes a much more difficult technique for a hacker to employ.
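The spoofed-insider email mentioned under “Be Resistant” is the one part of this advice a mail gateway can check mechanically. The script below is an added example, not code from the original article: it reads the Authentication-Results header that a receiving gateway stamps on inbound mail (RFC 8601) and flags messages that claim an internal From address without passing SPF/DKIM/DMARC, that reuse an insider’s display name on an external address, or that quietly redirect replies to another domain. The domain example.com, the insider names and the three sample messages are constructed for the demonstration.

```python
import email
import email.utils
import re
from email import policy

# Assumptions for this example (constructed, not from the article): the
# organization's own mail domain and a small directory of insider display names.
INTERNAL_DOMAIN = "example.com"
INSIDER_NAMES = {"pat carter", "dana lee"}

# Matches the method=verdict pairs in an Authentication-Results header,
# e.g. "spf=fail", "dkim=pass", "dmarc=none".
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from the Authentication-Results
    header(s) the receiving gateway added to the message."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(str(hdr)):
            results.setdefault(method.lower(), verdict.lower())
    return results


def spoof_indicators(raw_message):
    """Return the reasons the message's claimed insider identity should not
    be trusted; an empty list means no indicator fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    reasons = []

    if domain == INTERNAL_DOMAIN:
        # An internal From address is only credible if the gateway verified it.
        res = auth_results(msg)
        authenticated = (res.get("dmarc") == "pass"
                         or (res.get("spf") == "pass" and res.get("dkim") == "pass"))
        if not authenticated:
            reasons.append(f"From claims {INTERNAL_DOMAIN} but sender authentication "
                           f"did not pass: {res or 'no Authentication-Results header'}")
    elif name.strip().lower() in INSIDER_NAMES:
        # Classic pretext: a real colleague's name on a look-alike or webmail address.
        reasons.append(f"display name {name!r} matches an insider but {addr} is external")

    reply_to = email.utils.parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        reasons.append(f"Reply-To {reply_to} points to a different domain than From")
    return reasons


# Constructed sample messages (not real traffic).
SPOOFED = """\
From: Pat Carter <pat.carter@example.com>
To: helpdesk@example.com
Reply-To: pat.carter@mail-example.net
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com
Subject: Quick favour

Can you reset my VPN token and send the new seed to this address?
"""

GENUINE = """\
From: Pat Carter <pat.carter@example.com>
To: helpdesk@example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Subject: Quick favour

Is my earlier ticket still open?
"""

LOOKALIKE = """\
From: Pat Carter <pat.carter@examp1e.com>
To: helpdesk@example.com
Subject: Urgent

I'm locked out, can you read me the temporary password over the phone?
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE), ("lookalike", LOOKALIKE)):
        print(label, "->", spoof_indicators(raw) or "no indicators")
```

The check is deliberately conservative: a message that claims to be internal but carries no Authentication-Results header at all is treated as unverified, because a gateway that is not stamping verdicts cannot vouch for anyone. The output is meant to feed the incident-response process above, for example by quarantining the message and notifying the named insider, not to replace the human habit of confirming unusual requests out of band.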