
Threat of Social Engineering

What does the threat of Social Engineering consist of?

Social engineering is the use of tricks and disinformation to gain access to passwords and other sensitive information.
For example, when a group of high school students wanted to gain access to the computer network of a local business, they created a survey form that was ostensibly part of a social studies project. The survey asked for what seemed like innocuous personal information, such as the names of all of the secretaries and executives and their spouses, as well as the names of children and pets.
The human security flaw: the students penetrated the targeted system quickly because most of the people on the network were using the names of pets and spouses as their passwords.
In other attacks, hackers have posed as legitimate employees who have lost their passwords.
Because users often assume that any email must come from a legitimate source, a hacker posing as a systems administrator or department manager by phone or email can gain access to a great deal of information relatively easily. To prevent this type of social engineering, add an authentication process to your mail servers.
You can use the person's cell phone for two-factor authentication, or use Google Authenticator.


Additional Theory on Social engineering

This attack uses social skills to obtain information such as passwords or PIN numbers to be used against information systems. For example, an attacker may impersonate someone in an organization and make phone calls to employees of that organization requesting passwords for use in maintenance operations. The following are additional examples of social engineering attacks:
  1. E-mails to employees from a cracker requesting their passwords to validate the organizational database after a network intrusion has occurred
  2. E-mails to employees from a cracker requesting their passwords because work has to be done over the weekend on the system
  3. E-mails or phone calls from a cracker impersonating an official who is conducting an investigation for the organization and requires passwords for the investigation
  4. Improper release of medical information to individuals posing as doctors and requesting data from the records of patients
  5. A computer repair technician convincing a user that the hard disk in his or her PC is damaged beyond repair and installing a new one, then taking the original hard disk away to extract the information on it and sell it to a competitor or a foreign government
The best defense against social engineering attacks is an information security policy addressing social engineering attacks and educating the users about these types of attacks.

Many attacks do not use computers at all:
  1. A hacker calls the system administrator
  2. A bad actor retrieves discarded credit card bills from the dumpster

Online versions of the same approach:
  1. A black hat sends a trojan in an email
  2. A downloaded picture or movie contains malicious code

Possibility of Theft

The possibility of theft is not the only way in which laptops present a security risk. The threat to your network is that a data thief who is able to enter your premises may be able to plug a laptop into the network, crack passwords (or obtain a password via social engineering), and download data to the portable machine, which can then be easily carried away. New handheld computers are coming with more security devices built in. For example, the Hewlett-Packard iPAQ 5555 includes biometric (fingerprint recognition) technology to prevent unauthorized users from accessing the data.