A piece of recent news made me realize how human emotions and thoughts can be (or, are) used for others’ benefit. Almost every one of you knows Edward Snowden, the whistleblower who exposed NSA snooping the world over. Reuters reported that he got around 20-25 NSA people to hand over their passwords to him in order to obtain some of the data he leaked later. Imagine how fragile your corporate network can be, even with the strongest and best security software!
What is Social Engineering
Human weakness, curiosity, emotions, and other characteristics have often been used to extract data illegally, in any industry. The IT industry has, however, given it the name of social engineering. I define social engineering as:
“The method whereby an external person gains control over one or more employees of any organization by any means with intention to obtain the organization’s data illegally”
Here is another line from the same news story that I want to quote – “Security agencies are having a hard time with the idea that the guy in the next cubicle may not be reliable”. I modified the statement a bit to fit it into the context here. You can read the full news piece using the link in the References section.
In other words, you do not have complete control over your organization’s security, with social engineering evolving much faster than techniques to cope with it. Social engineering can be anything like calling up someone, saying you are tech support, and asking them for their login credentials. You must have received phishing emails about lotteries, rich people in the Middle East and Africa wanting business partners, and job offers asking you for your details.
Unlike phishing attacks, social engineering is largely direct person-to-person interaction. The former (phishing) employs a bait – that is, the people “fishing” are offering you something, hoping that you will fall for it. Social engineering is more about winning the confidence of internal employees so that they divulge the company details the attacker needs.
Known Social Engineering Techniques
There are many, and all of them exploit basic human tendencies to get into the database of any organization. The most used (probably outdated) social engineering technique is to call or meet people and make them believe the caller is from technical support and needs to check their computer. Attackers can also create fake ID cards to establish confidence. In some cases, the culprits pose as state officials.
Another famous technique is to plant their own person inside the target organization. Since this con artist is your colleague, you might trust him with company details. The planted employee might help you with something, so you feel obliged, and that is when they can extract the most.
I also read some reports about people using electronic gifts. A fancy USB stick delivered to your company address or a pen drive lying in your car can be a disaster. In one case, someone deliberately left some USB drives in the parking lot as bait.
You are blessed if your company network has good security measures at each node. Otherwise, these nodes provide an easy passage for malware – in that gift or “forgotten” pen drives – to the central systems.
As such, we cannot provide a comprehensive list of social engineering methods. It is a science at the core, combined with art on top, and you know that neither of them has any boundaries. Social engineers keep getting creative, and also develop software that can misuse wireless devices to gain access to company Wi-Fi.
Prevent Social Engineering
I do not think there is any formula that admins can use to prevent social engineering hacks. The techniques change constantly, and hence, it becomes difficult for IT admins to keep track of what happens.
Of course, one needs to monitor social engineering news to be informed enough to take appropriate security measures. For example, in the case of USB devices, admins can block USB drives on individual nodes, allowing them only on the server that has a better security system. Likewise, Wi-Fi would need better encryption than most local ISPs provide.
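As an added illustration (not from the original article), the per-node USB block mentioned above can be applied and audited with PowerShell on a Windows workstation. It assumes the standard USBSTOR service registry key and an elevated prompt; the function names are my own.

```powershell
# Added example: disable, re-enable and audit USB mass-storage support on one Windows node.
# Assumes the standard USBSTOR driver service key and an elevated (administrator) PowerShell.
$UsbStorServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$UsbStorEnumKey    = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

function Get-UsbStorageState {
    # Start = 3 means the driver loads on demand (USB drives work); Start = 4 means disabled.
    $start = (Get-ItemProperty -Path $UsbStorServiceKey -Name Start).Start
    if ($start -eq 4) { 'Disabled' } else { 'Enabled' }
}

function Disable-UsbStorage {
    # Blocks USB mass-storage devices on this node; takes effect for newly plugged devices.
    Set-ItemProperty -Path $UsbStorServiceKey -Name Start -Value 4 -Type DWord
    Get-UsbStorageState
}

function Enable-UsbStorage {
    # Restores the default on-demand start type (for the hardened server where drives are allowed).
    Set-ItemProperty -Path $UsbStorServiceKey -Name Start -Value 3 -Type DWord
    Get-UsbStorageState
}

function Get-UsbStorageHistory {
    # Lists the device IDs of USB storage devices Windows has ever enumerated on this node,
    # useful when checking whether a "forgotten" pen drive was actually plugged in.
    if (Test-Path $UsbStorEnumKey) {
        Get-ChildItem -Path $UsbStorEnumKey | ForEach-Object { $_.PSChildName }
    }
}

# Usage:
Disable-UsbStorage         # -> Disabled
Get-UsbStorageHistory      # -> one line per USB storage device ID seen on this machine
```

Across a domain, the same block is normally pushed with Group Policy (Removable Storage Access settings) rather than edited per machine; the registry approach above is for individual nodes or a quick check.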
Training employees and conducting random tests on different employee groups can help identify weak points in the organization. It would then be easy to train and caution the weaker individuals. Alertness is the best defense. The emphasis should be that login information must not be shared even with team leaders, irrespective of the pressure. If a team leader needs to access a member’s login, s/he can use a master password. That is just one suggestion to stay safe and avoid social engineering hacks.
The bottom line is that, apart from malware and online hackers, IT people must also take care of social engineering. While identifying methods of a data breach (like writing down passwords, etc.), the admins should also ensure their staff is smart enough to identify a social engineering technique to avoid it altogether. What do you think are the best methods to prevent social engineering? If you have come across any interesting case, please share with us.
Cyber criminals widely use Social Engineering Attacks as one of the most sophisticated methods to breach an organization, using cleverly devised methods to deceive company employees and individuals into handing over confidential and restricted company data. Microsoft has released a new ebook which helps you better detect Social Engineering attacks, gives an insightful introduction to the various methods involved in such attacks, and helps you effectively prevent your organization from being compromised.
Social Engineering Attacks
Microsoft has talked about how to protect the weakest security link in your organization – your own end users. Addressing the serious problem of attackers’ increasing reliance on Social Engineering methods, Microsoft shares information regarding the massive increase of 270% in the number of social engineering victims identified by the FBI.
Social Engineering is an easy yet very effective way to manipulate company employees into giving away confidential and valuable company information. There are several methods of Social Engineering. Typically involving psychological manipulation, Social Engineering attackers target employees in a sophisticated way that the target does not suspect, seeking very confidential information like passwords or bank information, or even taking control of your computer to install malicious software on your system.
It won’t be hyperbolic to say that these hackers know the veritable security gaps in your organization’s network. Classified company information can be exposed beyond repair because of unidentified weak points in your organizational security. Social engineers walk in the crowd. They are the daily faces that you meet and greet. With a game of patience and trust, they are always looking for easy targets. It would help if you familiarized yourself with social engineering techniques so that anyone with malicious intent can be identified before valuable information is compromised.
Quoting the famous developer of the first commercial antivirus program, John McAfee, Microsoft states,
“Social engineering has become about 75% of an average hacker’s toolkit, and for the most successful hackers, it reaches 90% or more.”
Given its frightening consequences, Social Engineering is a real problem with few real solutions. Below are some of the insights into such attacks:
- Attackers are increasingly infecting computers by tricking people into doing it themselves – prank calls, phishing attacks, and malicious emails are just a few ways to get employees to hurt the company’s reputation with their own hands.
- More than 2 billion mobile apps that steal personal data have been willingly downloaded – This is a terrifying fact. Average smartphone users can be easily targeted into downloading malevolent mobile apps that help attackers gain information just like that!
- On social media, phishing is ten times more likely than malware – social media, with its fast-paced outreach, is becoming yet another medium for hackers to create fake accounts that look rather legitimate and target end users there.
Protect your organization against Social Engineering Attacks
With time, it is becoming a pressing matter of concern for organizations to protect their vulnerable people and keep vulnerable data out of malicious hands. You need to devise plans and work on real-world prevention strategies to mitigate the associated risk. Microsoft, in its ebook, sheds light on various methods that can help you clearly articulate an easy-to-understand security policy.
In the end, quoting John Chambers, CEO of CISCO, here is a word to the wise:
“There are two types of companies: Those that have been hacked, and those who don’t know they have been hacked.”
References
[1] Reuters, Snowden Persuaded NSA Employees Into Obtaining Their Login Info.
[2] Boing Net, Pen Drives Used to Spread Malware.