There was a time, not long ago, when the term social engineering meant the manipulation of behavior and various outcomes through public policy. It referred to political issues.
The digital revolution has led to a new meaning for the term, and it’s one you should know about: “social engineering” is a threat to data system security based on “the art of influencing people to disclose information and to get them to act inappropriately.”
In other words, it’s a con job to get people to reveal things about their passwords and related digital assets to help thieves gain access to a system or database.
The important point about social engineering is that it is another human risk factor that you need to address in your risk management plan. Your efforts to harden the computer systems in your organization against technical intrusion will be pointless if the people who have access to them are vulnerable to social engineering attacks.
Your “human firewall” has to be as effective as your digital one.
Almost everyone who uses email and other common Internet utilities has been exposed to social engineering attacks. That famous Nigerian prince who wants you to click on his incredible offer to share his wealth in return for a minor favor is a crude version of the fraud. Yet it illustrates the simple, seemingly innocuous interactions people are lured into that can lead to very damaging and costly intrusions. Some common social engineering tactics include (among others):
- Impersonation: This deception can be someone pretending to be a trusted vendor or co-worker, or a person in authority. It might be done through an actual phone call or it could be a simple email that looks like it comes from a known and trusted source.
- Phishing: In various forms and over different devices, this attack tries to elicit a click on a link or submission of security information (a password) from a seemingly authoritative source.
- Tailgating: Attackers gain physical access to secure areas, perhaps by following legitimate employees closely when they enter. This attack clearly demonstrates how low-tech social engineering can be.
- Baiting: This fraud technique takes advantage of an employee’s curiosity. The attacker leaves a digital “bait” such as a thumb drive where someone might find it and then open it to see what’s there.
Since social engineering depends on people’s normal tendency to trust, your efforts to mitigate the risk depend on pre-empting and preventing the potential relationship between the attacker and his or her potential victims.
Education and training are the key preventative elements, complemented by a corporate culture that emphasizes systematic risk management and responsibility from the top on down.
Typical social engineering scams follow a 4-stage process: information gathering; relationship development; exploitation; and execution. Your training and education can be built to address weaknesses that can occur at each of these stages, effectively inoculating your employees against these attacks.
Social engineering attacks occur more frequently than you might expect. Some recent, very high-profile hacks into corporate and government websites may very well have been abetted by “soft” human errors committed by people not sufficiently attuned to the nature of the attack. It may very well be human to err, but it is smart policy to avoid it.
The threat of social engineering is detailed in our latest white paper on Social Engineering Fraud.