Hacking the human is easily done through social engineering. In many cases, sensitive data is obtained through human manipulation rather than through network vulnerabilities.
One of my favorite small examples is password questions. Have you ever had a password protected by personal questions? For example: “Who was your favorite teacher?” or “What is your mother’s maiden name?” By answering these questions, one can easily obtain access to the account or POTENTIALLY even the password itself. And how does one obtain the answer to that “secret question”?
“Hey JoeSchmoe – I just saw my favorite teacher at the store! Do you have a favorite teacher? Oh really? What was his/her name?” = password unlocked.
My favorite definition of Social Engineering is:
“Exploiting human vulnerabilities.”
… and it is just that. It is manipulating humans into providing information or access to sensitive data. Below are some ways to prevent social engineering.
- ID Badge – If someone is wandering the hallways of your department without an ID badge, question them. All too often social engineers roam the hallways of offices and go unquestioned. Many companies now enforce ID badges for all employees and non-employees to reduce the opportunity for social engineering.
- Lock your computer – As mentioned above, social engineers will wander the hallways of offices. What are they looking for? An unlocked computer to quickly gain access without the use of a password. Lock your computer every time you leave your desk!
- USB Devices – Many companies are banning the use of USB devices. Why? Hackers can quickly obtain sensitive data by simply plugging in a USB device and downloading data of their choice. One way they do this is through “key drops.” A social engineer will wander the hallways and bathrooms of an office building and “accidentally” drop a USB device on counters, desks, and anywhere else it might be easily discovered. As soon as someone finds the USB device, their first reaction is to snoop through its contents. The moment that USB device is plugged in and the file is opened, files begin transferring from the computer to the USB device, and from there to the social engineer’s computer for their viewing pleasure. Pretty simple, huh?
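As an added example (not from the original post), here is a PowerShell audit script for two Windows endpoint settings that back up the “lock your computer” and “USB devices” points above. The registry locations are the standard Windows ones; the 600-second lock timeout and the -Enforce switch are my own choices, and enforcing requires an elevated shell.

```powershell
# Audit (and optionally enforce) two settings that limit what a wandering
# social engineer can do at an unattended desk: disable the USB mass-storage
# driver, and lock idle sessions automatically.
[CmdletBinding()]
param([switch]$Enforce, [int]$LockAfterSeconds = 600)  # 600 s is an assumed policy value

# Each check: registry path, value name, desired value, and why it matters.
$checks = @(
    @{ Name    = 'USB mass storage driver disabled'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Value   = 'Start'
       Desired = 4   # 4 = disabled; 3 = driver loads on demand (default)
       Why     = 'Dropped or unknown USB sticks cannot mount as a disk' },
    @{ Name    = 'Interactive logon inactivity limit'
       Path    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value   = 'InactivityTimeoutSecs'
       Desired = $LockAfterSeconds
       Why     = 'Unattended session locks even if the user forgets to' }
)

$results = foreach ($c in $checks) {
    $current = $null
    try { $current = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction Stop).($c.Value) }
    catch { }   # key or value absent: treated as "not configured"

    $ok = ($null -ne $current) -and ([int]$current -eq $c.Desired)
    if (-not $ok -and $Enforce) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Desired -Type DWord
        $ok = $true
    }
    [pscustomobject]@{
        Check   = $c.Name
        Current = if ($null -eq $current) { '<not set>' } else { $current }
        Desired = $c.Desired
        Status  = if ($ok) { 'PASS' } else { 'FAIL' }
        Why     = $c.Why
    }
}

$results | Format-Table -AutoSize
```

Run without -Enforce first to see the current state; note that disabling USBSTOR blocks legitimate sticks as well, so pair it with an approved way to move files.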
I could talk for days about social engineering, but I wanted to shed light on some of the major ways to prevent a social engineering attack from happening in a company setting. If you train your employees to guard sensitive data the way they would guard their own data, you could help prevent intrusion and/or infection.