Social Engineering – Hacking – How to Protect Yourself

Posted on July 24, 2011

I feel it necessary to educate you on one of the more popular “hacking” methods currently used by a variety of groups all around the world. While technical attacks are still an ongoing threat, attackers are intelligent and innovative, and you should be prepared for “Social Engineering”: attacks aimed at people rather than at systems.

-------------------

Social engineering is the art of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim. In the United Kingdom, social engineering using impersonation (e.g. to gain information over the phone) is known informally as blagging. In addition to criminal purposes, social engineering has also been employed by debt collectors, private investigators, bounty hunters and tabloid journalists.

A study by Google researchers analyzing fake AV distribution found that up to 90% of all domains involved in distributing fake antivirus software used social engineering techniques.

Sourced from: Wikipedia.org.

-------------------

In our industry, the most dangerous and most commonly used method of Social Engineering is the “Fake Helpdesk”: an attacker phones an employee pretending to be a legitimate helpdesk technician from the IT department. It’s VERY common to find employees doing exactly what the fake support technician requests, with no question about why the work is needed and no request for identification.

Even with all the right infrastructure in place, including firewalls, intrusion prevention systems, real-time monitoring and strict password policies, a single phone call from a patient and polite attacker can get them into your network in minutes: one password read out over the phone, or one remote-support session accepted at the caller’s request, walks straight past every one of those controls. We’ve seen it happen, and it should be taken very seriously.

How to protect yourself

1)      Ask for identification (name, company, phone number and website).

2)      If you receive a call or email from anyone you do not recognize requesting that you complete a task or provide information, start asking questions.

3)      If you receive a call or email, NEVER give out your information (passwords, account details or personal data) in response to it.

4)      If you receive a call or email, NEVER accept technical support, including letting the caller connect to your computer, unless you are 100% confident the person is someone you’ve dealt with before. If you aren’t, see 3).

5)      If you receive a call, the caller should have no objection to you hanging up and calling them back at their head office, using a number you find yourself (on their website), not one the caller gives you.

6)      Verify the caller is from a company you normally deal with.

7)      If something doesn’t feel right, call your manager.

8)      Call your IT Department to verify the legitimacy of the call.


Educate Your Team

Ensure your staff are aware of the threat and educate them. Make sure they possess the knowledge to ask the right questions and contact the right people if something doesn’t add up.


Test Your Staff

Be pro-active and attempt a “Social Engineering” test at your own locations. How difficult is it to acquire information from your staff? If it is easy, more training is required. Take the time to educate your team; this threat is real and you need to take precautions.

Did you know?

1)      Caller ID can be faked (or in fancy terms, SPOOFED). Although it might say “Royal Bank” or “SIRKit Ltd”, this can easily be manipulated, so the name on the display proves nothing about who is calling.

2)      Banks and government agencies will never call you and ask for your personal information. You will always have to call them, on a number you already have.

3)      Banks and government agencies will never e-mail you a request for information. You will always have to call them, or use their website by typing the address yourself.

4)      Legitimate organizations will never send you an unsolicited e-mail with a link to change your password, or ask you to provide login details.

5)      E-mail is rarely encrypted, and it passes through servers you do not control. Never send sensitive information via e-mail. EVER.

6)      You will never be notified by e-mail that you’ve won anything of significance. It’s pretty much guaranteed to be fake.

7)      E-mail addresses can be faked. The sender address your e-mail application shows is chosen by whoever sent the message, so although it says billgates@microsoft.com or kris@sirkit.ca, there is no guarantee the e-mail originated from those addresses.

8)      When you click on a link in an e-mail, verify the web address in the address bar AFTER the page loads. Read the host name from the right: the name immediately before the .com, .net, .org or .ca is the TRUE domain, and everything to the left of it is just a subdomain that the owner of that domain chose. For example, www.royalbank.com.example.net belongs to example.net, not to Royal Bank.
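
The last two items are the ones a script can check, so here is an added example (not code from the original post) that applies both: it parses a constructed phishing e-mail, compares the domain in the From: header with the envelope sender recorded in Return-Path:, and reduces each link in the body to its true domain by reading the host name from the right, the way item 8 describes. The message, addresses and link hosts are constructed for this example (example.net and 198.51.100.7 are reserved documentation names), and the short suffix list is an assumption standing in for the full Public Suffix List.

```python
# Added example, not from the original post: code for "Did you know?" items 7 and 8.
#   7) The From: address is set by the sender. Compare its domain with the
#      envelope sender in Return-Path: (normally added by the receiving server).
#   8) The "true" (registrable) domain of a link is the label immediately before
#      the public suffix (.com, .net, .org, .ca ...), reading from the right.
#      Userinfo tricks such as http://bank.com@198.51.100.7/ are handled because
#      urlsplit() takes the host from after the last '@'.
# The sample message, addresses and hosts below are constructed for this example.
import email
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: a tiny suffix list so the example runs offline. A real check
# would use the Public Suffix List (publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "net", "org", "ca", "co.uk"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(url_or_host: str) -> str:
    """Return the 'true' domain of a URL or bare host name.

    'www.royalbank.com.example.net'              -> 'example.net'
    'http://www.royalbank.com@evil.example.org/' -> 'example.org'
    An IP-literal host is returned unchanged.
    """
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    host = (urlsplit(url_or_host).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    for n in (2, 1):  # try two-label suffixes (co.uk) before one-label ones
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host


def _domain_of(addr: str) -> str:
    """Domain part of a mailbox address ('' if there is no '@')."""
    return addr.rpartition("@")[2].lower()


def _text_body(msg) -> str:
    """Concatenate the text/plain parts of a message (handles multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "ascii", "replace"))
    return "\n".join(chunks)


def triage_message(raw_message: str) -> dict:
    """Flag a From: that disagrees with the envelope sender, and links whose
    true domain is not the From: domain."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, envelope_addr = parseaddr(msg.get("Return-Path", ""))
    from_domain = registrable_domain(_domain_of(from_addr))
    envelope_domain = registrable_domain(_domain_of(envelope_addr))
    links = [(u, registrable_domain(u)) for u in URL_RE.findall(_text_body(msg))]
    return {
        "display_name": display_name,
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        # Legitimate bulk mailers also use a separate bounce domain, so treat
        # a mismatch as a warning sign, not as proof. No Return-Path: skips it.
        "sender_mismatch": bool(envelope_domain) and envelope_domain != from_domain,
        "links": links,
        "suspicious_links": [u for u, d in links if d != from_domain],
    }


# Constructed phishing message: From: claims sirkit.ca, but the envelope sender
# and both links belong to someone else.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mail.example.net>
From: "SIRKit Support" <kris@sirkit.ca>
To: employee@sirkit.ca
Subject: Your password expires today
Content-Type: text/plain; charset="us-ascii"

Reset your password here: http://www.sirkit.ca.example.net/reset
or log in at http://sirkit.ca@198.51.100.7/login to avoid lockout.
"""

if __name__ == "__main__":
    result = triage_message(SAMPLE_MESSAGE)
    print("From domain:     ", result["from_domain"])
    print("Envelope domain: ", result["envelope_domain"])
    print("Sender mismatch: ", result["sender_mismatch"])
    for url, true_domain in result["links"]:
        print(f"{url} -> true domain {true_domain}")
```

Run it and the two links come out as example.net and 198.51.100.7, neither of which is sirkit.ca, while the envelope sender disagrees with the From: domain. A missing Return-Path: simply disables that one check rather than raising an alarm, and the link check still works on its own.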

Hopefully this gives you a bit of insight into the threat.

If you have any questions at all, please do not hesitate to contact us.
