Dealing with the Unknown
Posted on Thursday, August 31, 2017
Social engineers are the con artists of the electronic age, known for exploiting people’s natural desire to help in order to gain access to systems and information. Exercise caution with unfamiliar persons.
What is social engineering? As security measures make it increasingly difficult for hackers to get access to the systems and information they desire, the wired world has witnessed the birth of a new breed of computer criminal. Social engineers recognize that employees are the weakest link in IT security systems, and will go to great lengths to manipulate people for their own gain. Whether working individually or in an organized ring, social engineers will use non-technical tactics to obtain passwords, uncover system configurations, and collect any other information that allows hackers to tap into a network.
Admit it: you are the weakest link! Every computer system in the world relies on humans, which means every system element (software, platform, network and equipment) is subject to the judgment calls of employees who want to trust the people around them. Social engineers are likely to attempt several classic scams: they may pose as a technician on a routine service call or assume the identity of a fellow employee with an urgent problem.
Recognize the signs. Social engineers are ruthless. They will try lying, cheating, tricking, seducing, extorting, intimidating and even threatening employees to get what they want. Their entire modus operandi is based on deception and on taking advantage of social norms of fairness and honesty. Watch out for the following tactics:
• Diffusing responsibility: The social engineer will try to make you feel you are not solely responsible for your actions. By creating situations with many factors that confuse the issue or dilute personal responsibility, the social engineer is more likely to succeed in getting you to reveal information you might otherwise withhold. If the social engineer drops the names of decision makers or claims another employee with higher status authorized the action, pass the request on to the people named and ask for their verification.
• Ingratiation: In this case, the social engineer will play upon every employee’s desire to get ahead. S/he will suggest that by revealing the information requested, you will get ahead, perhaps by gaining an advantage over a competitor and making a good impression on management. Social engineers are also known to target personnel who may lack the social skills needed to develop satisfying workplace relationships.
• False trust: If the stakes are high enough, social engineers will invest time and energy in building trust with an employee. Following a series of small interactions that were positive and problem free, the social engineer will manipulate the trust to achieve his/her real objective.
Other tactics include encouraging an employee to feel it is a moral duty to grant the request, generating feelings of guilt, and soliciting cooperation by presenting the voice of reason, logic and patience.
Stand and deliver a strategic response. Any time you receive an unusual request, your first strategy should be to verify the person’s identity and find out what authority s/he is acting under.
• Never respond immediately to an information request. Always say you’ll need to look into it and ask for contact information. That will give you time to verify whether the request is legitimate and a means of confirming the caller’s identity and organizational affiliation. When you call back, use a number from the internal directory or another source you already trust, not the number the caller gave you: a social engineer will happily supply a number that rings at their own desk.
• Never reveal your passwords to anyone.
• Never allow other individuals to ‘piggy back’ your access card into restricted areas. Even a person who looks familiar may be a disgruntled ex-employee with an axe to grind.
• Exercise extreme care when disposing of sensitive information in hard copy. Social engineers are not averse to rummaging through garbage bins and reconstructing shredded paper.
• Remember that keeping private information where it belongs is your responsibility.
Be consistent, even with colleagues. Some estimates suggest that up to 80 per cent of computer attacks are carried out by insiders. This doesn’t mean you should distrust your co-workers, but it does mean you should exercise a degree of caution when asked probing questions about systems and information. If you are not sure that the person asking is authorized to collect such information, verify the ‘need to know’ with a supervisor before divulging anything.