Social engineering is the art of manipulating people into performing actions or divulging confidential information: proprietary data, non-disclosed business details, or usernames and passwords. It is the classic approach of the confidence man, convincing the victim that he or she is someone they are not. If you think your personnel would never be fooled, you’re fooling yourself. There is a reason this approach to criminal activity has a long and successful history.
In the early days of computer security, social engineering might have involved a hacker calling one of your employees and talking him or her into giving up the credentials needed to log in to private systems. The current state of the art makes this approach seem quite primitive.
One of the many newer social engineering threats involves your personnel receiving e-mails that easily pass as internal messages or as communications from legitimate business partners. These e-mails typically lure the end-user to a website that collects some form of confidential information, often including their login credentials. Because the original e-mail so closely mimics legitimate communications, end-users often do not hesitate to provide the confidential information requested, details about remote access to systems, and even logon credentials.
With a few simple tools and some common hacking skills, attackers can routinely fool as many as 15 percent of employees. Given the relative ease of crafting such an attack and its phenomenal success rate, it is easy to understand why e-mail social engineering is so common among hackers and such a headache for security professionals.
While you may not be able to completely stop social engineering attacks, taking a proactive approach can minimize the damage this type of attack can do to your organization. Take the first step by frequently training all personnel on the dangers of current social engineering threats and the details of current threat scenarios, and by routinely testing them to ensure adherence. The testing itself helps to create awareness of these issues, and the aggregate result data can be fed back into the training process.
Ultimately, your only defense against social engineering attacks rests with smart decisions by personnel at all levels, from the lowest to the highest. When discussing the details of social engineering testing in your next audit, ensure your audit vendor is well versed in performing current scenarios and has a deliverable set that provides valuable feedback to contribute to your internal employee training program.