Tuesday 17 December, 2013
The best security you could hope for is still the trusty password. If you create a strong password and keep it hidden from others, there's virtually no way for hackers or anyone else to get into your system. But that's exactly the problem: human error does more damage than programming weaknesses or unprotected networks.
Beyond any high-tech hacking techniques, there are a number of ways people can obtain access to sensitive data through psychological trickery. These techniques fall under the umbrella term ‘social engineering.’
What’s Your Password?
A story recently broke that NSA whistleblower Edward Snowden obtained access to 20 to 25 people's sensitive data, and it wasn't by cracking encryption. He did it simply by asking them. Those requests made him privy to even more sensitive data, which he later leaked about the NSA's clandestine activities.
Most of us realize we should never give out our password under any circumstances. But we still do it. What's amazing is that in Snowden's case the people who handed over their passwords were working in a high-level security environment, not just running an ecommerce business.
If someone needs access to a system, don't give them your password. Give them their own access instead: create a separate admin account for them with a temporary password. When the person no longer needs access, change your password just in case.
Funny Phone Calls
Another common social engineering tactic is to call a business pretending to be a co-worker and ask for sensitive information. Through simple internet research, the caller may already know personal details about the co-worker they're impersonating and what that person does at the company. Since we trust co-workers, and it's often hard to recognise someone's voice over the phone, it's easy to fall for this.
The best way to guard against this is to create clear policies about giving out sensitive information over the phone and enforce them strictly. Educate your employees about possible attacks and ask them to verify the caller's identity before sharing anything.
Phishing
Phishing is the most common type of social engineering attack. You receive an email that looks like it's from a business or service you use. The email contains a link and urges you to click it. Once you do, the attacker can capture your email login and possibly gain access to your system. A common example is an urgent message from your bank saying your account is overdrawn, with a link to "correct" the problem.
It's easy to avoid phishing scams. Whenever you get an email with a link in it, delete the email, go to the company's website yourself, and log in there. If there is actually a problem or alert, you'll see it there.
Preventing Social Engineering
The best way to prevent any kind of social engineering attack is to conduct regular risk assessments and have your system penetration tested. In a penetration test, a security firm you hire tries to infiltrate your system. By doing this, they can discover its weaknesses and recommend ways to patch them up.
Social engineering takes little in the way of skills or technology. It relies on the attacker's planning and their ability to thoroughly research their target. This is a threat that every business should be aware of and protect against.