Thursday, 9 July 2015
Social Engineering - Clever Manipulation of the Natural Human Tendency
What is social engineering?
Cyber security threats are looming large in terms of size, scope and frequency. At the same time, companies are becoming much more aware of IT security threats and are investing in security to reduce risks and protect company assets from fraud, identity theft and intellectual property theft.
Even with IT security practices in place, the weakest link is often the employee, who can fall prey to Social Engineering – a tactic used by cyber criminals to “get inside” an organization by gathering intelligence over a telephone call, in person or via email. Cyber criminals have perfected the art of getting people to divulge information unknowingly, leaving them with the false sense of security that the information is being shared for official use. Human behaviour is the main reason the gate is opened for attackers, and it stems from curiosity, fear and a lack of understanding of how Social Engineering operates.
Two basic ways to detect these attacks involve being vigilant for:
1. Requests for information that, under normal circumstances, the attacker would not have access to
2. Something that is too good to be true. A good example would be an email telling you that you have won a lottery without even participating in it
Five simple guidelines to prevent cyber-attacks through Social Engineering:
1. Never share passwords: Organizations will never ask you to share your passwords. If you are ever asked for one, you should assume that you are under attack!
2. Don’t share too much: The more the attacker knows about you, the easier it is for them to mislead you into doing what they want. Sharing small pieces of information over time provides the attacker with enough information to create a complete picture of you.
3. Verify contacts: You may be called by your bank, credit card company, mobile service provider or other organizations for legitimate reasons. If you have any doubt as to whether a request for information is legitimate or not, call them back on the number that you already have and ask for the caller. This way, when you call the organization, you know you are really talking to the right person. It seems like a hassle, but safeguarding your identity and personal information is well worth the additional step.
4. Research the facts: Be suspicious of any unsolicited messages. Even if an email looks like it is from a company you use, it is always better to do some research. Instead of following the links in the message, use a search engine to go to the real company’s site, or refer to a phone directory to find their phone number.
5. Beware of any downloads: Unless you know the sender personally, downloading a suspicious file is a mistake!
Education is key to avoiding attacks through Social Engineering, and companies should give employees the opportunity to learn and understand the risks involved. It is good practice to share examples of common tactics used by attackers and to teach employees how to recognize email traps. Tell them how to avoid dangerous attachments and malicious links, and how to use portable devices such as USB storage drives in a safe way.