Social Engineering - The Growing Art of Human Persuasion
CIOs have traditionally combated data attacks through technology, but another looming threat that bypasses those efforts is gaining attention: targeted social engineering.
One kind of threat, called “spear phishing,” uses targeted attack methods that manipulate employees into giving up access to your company's systems. It usually arrives as an email; when your employee clicks on the link, it installs a virus or trojan that gives the attacker access.
It can be an official-looking internal document that lures your employee into following certain instructions, or an email from an attacker who befriended your employee on a social network site like Twitter or Facebook and then deceives them into checking out a link they sent. Little do they know it is a trap that will expose your business data.
Earlier this year, an online scammer made off with Social Security numbers after sending a virus to a computer at the Department of Human Services office in Coos Bay. An email was sent to multiple employees within the department, but only one clicked on the link, which then downloaded an application that recorded keystrokes and sent them to an external address.
MTV Networks was also breached when an employee's computer was compromised through an internet connection. Experts said an employee may have fallen victim to a social engineering trick that allowed a trojan to be installed on their machine. The exposed data included the names, Social Security numbers, birth dates and salaries of around 5,000 employees.
Spear phishing of corporate executives intensified during April of last year. The New York Times reported that “thousands of high-ranking executives across the country have been receiving e-mail messages this week that appear to be official subpoenas from the United States District Court in San Diego. Each message includes the executive’s name, company and phone number, and commands the recipient to appear before a grand jury in a civil case.”
The intent was to have the executive click on the embedded link to view the full subpoena, which would download malicious software that secretly records keystrokes and sends the data to a remote computer. Criminals would then capture passwords to access personal or corporate information. Researchers who analyzed the downloaded file reported that “less than 40 percent of commercial antivirus programs were able to recognize and intercept the attack.” Almost everyone is vulnerable to a well-orchestrated phishing attack, and this shows that executives are no exception. According to a security researcher at the University of Illinois at Urbana-Champaign, at least 2,000 executives became victims of this phishing scam. What this means is that corporate executives need to be just as aware of scams as their employees.
Another way to gain access to valuable company data is through physical access. Most people are not confrontational and typically want to be helpful; attackers prey on this basic human behavior. Many times NCX Group has gained access to server rooms by relying on the helpful nature of employees. We have discovered through our physical assessments that access to critical areas is especially easy during times of upheaval or disarray within an organization. If you are in the middle of construction, people typically become desensitized to unknown people working within their building and tend to let their guard down. Downsizing can also be very distracting to employees as they aim to be more accommodating and helpful, thinking it might affect their job longevity.
Financial institutions are particularly vulnerable because the financial industry remains in flux. Many employees are anxious about their future employment and the stability of their institution, which could lure them into clicking on links in emails to learn more. These emails are ripe for the clicking, and employees need to be very cautious when accessing any link. Physical security at financial institutions may be lax during these times, too. Again, the willingness to be helpful or accommodating without following the proper security procedures can put your company at risk.
Beware of changes within the business that distract from normal working conditions. Know your business culture and keep your guard up when times are chaotic.
Your only defense is to ensure your employees have a critical understanding of, and a vital role in, protecting your information assets. This is accomplished by maintaining good policies and procedures and by conducting frequent, regularly scheduled security awareness training classes. Repetition will help employees follow protocol and security measures. More eyes knowing what to watch for and staying alert to deceptive tactics can keep your information safe and away from thieves.
ITSolutions|Currie welcomes the opportunity to provide security awareness for your organization.

For a free consultation on how our experts can help you secure your data at a price that will fit your budget, call us at 209-578-9739 or request a representative to call you.

ITSolutions|Currie is a leading information risk management firm specializing in the assessment and mitigation of risk associated with today's technologies and business processes.