Social engineering, according to Quest Software, can be defined as the technique of using deception and manipulation to gain sufficient knowledge to dupe an unwary individual, employee or company.
For example, the Windows Event Viewer scam involved telemarketers calling people, telling them they have a virus and requesting the recipient's authority to run a Windows program called Event Viewer in order to fix ‘so-called’ bugs in the operating system. Other callers claim they can remove the virus for a fee and ask for people's credit card details.
In this series, Computerworld Australia examines some of the information security threats facing small businesses and larger enterprises today. We’ve looked at internal negligence and continue the series by speaking to experts about the problem of social engineering.
The threat of social engineering
Scammers have called people posing as a member of their company’s IT department and named the person’s boss in order to gain their trust, according to Sophos Asia Pacific director, Rob Forsyth.
“So if the ‘IT department’ rang and said that Pete [not his real name] has told them your computer was having a problem and they had been asked to fix it, would you do their bidding?,” he asks. “Social engineering is the major tool used by criminals to build trust and undermine security.”
Check Point Software Technologies Australia and New Zealand managing director, Scott McKinnel, says social engineering is such a large threat because it utilises the invariability and flaws in human nature.
“Social engineering is so dangerous because it takes advantage of the one fallible part of any access point-- human users,” he says.
He adds that people are naturally curious and will click on a uniform resource locater [URL] and download attachments without always thinking about security.
“What makes social engineering so cunning is that it takes advantage of human behaviour and is often disguised as something a person is expecting to receive in their daily working life such as a link or attachment directly to a work email address.”
In a business environment, employees’ machines are supposed to be protected by an antivirus solution so that even if social engineering works the network will remain safe, according to Bitdefender chief security research officer, Catalin Cosoi.
“Social engineering can overcome this obstacle too, as in some cases carefully crafted messages will attempt to persuade the victim to disable the solution that protects a computer. It’s a highly adaptive threat, constantly changing shape and baits,” he says.
Extent of the threat
Once someone has control of the employee’s computer, it is a much easier task to begin to mine data and dig deeper into company systems, according to Sophos’ Forsyth.
“In the case of the Sony PlayStation Network hacking, the loss of customer data resulted in a fall in market capitalisation of US$2 billion,” he says. “It took almost 70 years to establish the brand value of Sony, but in a matter of days this value was destroyed simply by careless data keeping.”
Social engineering attacks can go undetected when downloading malware and when attackers gain access to a system, warns Check Point’s McKinnel. From there, a system can be compromised by releasing critical passwords, or using an organisation's resources as part of a botnet to send spam.
“The cost of such security breaches can be enormous for an organisation,” McKinnel says. “Not only can valuable intellectual property be stolen, but there is the danger of breaching regulatory and compliance issues, the risk of immeasurable damage to a brand/customer confidence and the fall out of auditing and legal costs.”
Bitdefender’s Cosoi says social media is a very important vector for targeted attacks against companies. “The future of such attacks lies in social malware and social engineering-- convincing people to infect themselves by installing applications that have a background agenda.”
Addressing social engineering
Check Point’s McKinnel says the best way to mitigate the risk of social engineering is a mix of technology, simple security policies and user awareness.
“Having a simply-written security policy that staff and users can understand is key, and that policy needs to be supported by regularly repeated education focusing on the implications of security issues rather than just the rules,” he says.
In addition, companies should make the security policy accessible to staff and users by avoiding technical jargon and sharing posters around the office.
“Technology can also assist in user awareness,” adds McKinnel. “Employ technology that places the onus back on individuals and reinforces user education.”
For instance, pop up click boxes can be deployed before users download anything that looks high risk, send sensitive information or use media websites. “This technology embeds security practices into business processes without slowing down regular work activity,” he says.
Sophos’ Forsyth agreed that education is the key to rebutting attacks. “If staff are made aware of their part in protecting customer data [and trust] they will appreciate the need for vigilance,” he says.
“This training should be a joint responsibility of the information technology [IT] and human resources [HR] departments. It should also be a core component of staff induction and staff should receive regular updates on the latest threats.”
Social networks and instant messaging services should also be closely monitored to lessen the risk of social engineering, according to Bitdefender’s Cosoi.
“Sometimes, classified information can be leaked by employees through social network profiles or even personal blogs,” he says. “Some of the most frequent details that go public ahead of time are product-launch dates, product screenshots or other branding elements such as logos and boxes.”
Follow Hamish Barwick on Twitter: @HamishBarwick