Social Engineering is a security term that may be thrown around in corporate offices numerous times a week, month, or quarter, but does everyone at your company know what it really means?
Annual or even more frequent security training for employees is a common practice throughout most organizations, often in the hope that employees learn from past mistakes and pay attention to these examples help to prevent future threats. Social Engineering describes technical and physical attacks that use deception against a company where the attackers hope to gain personally identifiable information (PII) or company secrets that users would not normally share. Many of these attacks are disguised in ways that can make them hard to detect, meaning most people do not know that the information they share actually ends up being used maliciously.
Social Engineering attacks could involve anything from Phishing and Vishing attacks to dumpster diving and shoulder surfing. Over the next few weeks we will look closer at Social Engineering and its attack techniques, tactics and procedures (TTPs) in order to help you stop these types of attacks from preying on your company. Even when faced with different variations of these attacks, many can be prevented with training and familiarity of what to look for, potentially saving your company significant time and money while reducing your overall risk exposure.
Shoulder surfing is something that most people do every day in one way or another. Most of the time, this simple practice is done without the intention of stealing information. This practice can be used for malicious purposes however, so it is important to prevent unwanted parties from viewing confidential information or trade secrets displayed on your screen.
Shoulder surfing is actually a form of social engineering. It basically means an unauthorized third party is able to view a screen and any confidential data displayed on an electronic device. This privacy risk is common in public environments such as coffee shops or open office areas where co-workers, clients, and others can walk by a location where someone is working and their wandering eyes may able to see the private data on your screen.
Shoulder surfing risk can effectively be mitigated with simple, cost-efficient practices. One of easy way to counter shoulder surfing is to sit with your back to a wall. This way you are limiting other people’s ability to view your screen and data. You can also protect against shoulder surfing using a privacy screen for your computer. These inexpensive screens may however reduce your daily ease-of-use.
Also, shoulder surfing risk is not limited to public environments. Many times, attackers plan to gain visual access to a computer screen while an employee is unsuspecting and in their normal workplace. Visitors to a company, for instance, can easily glance at screens as they walk around and tour the company floor. The risk here is that many people believe they are safe from malicious intent at work, but vendors, onsite clients, other visitors, even co-workers should be considered possible privacy risks. Precautions against shoulder surfing to enhance security should always be practiced whether you are at work or in public environments.
Ultimately, employing these simple mitigation tactics we have shared can help reduce the likelihood of shoulder surfing affecting your business and may even end up preventing a costly security breach at your company and loss of trust from your customers.
Considering various types of Social Engineering attacks, realize that all of them can be dangerous and have detrimental effects on the entire organization. Many people believe they know the different kinds of Social Engineering and how to avoid them, but they really only know a few different methods, mostly on the cyber side. While many of these attacks are cyber, there are also plenty that are physical. This week, we will look into the dirty job of dumpster diving and how to prevent it.
Dumpster Diving is the act of an unwanted party going through the trash at a company whether it be inside or outside the building. The attacker is usually looking for some type of confidential information that got put in the trash. Trade secret information should be disposed of properly. Most people want to use shredding as a form of destruction, but just because it is broken into little pieces does not mean that it cannot be put back together. One way to properly destroy some documents is burn them using burn bags in conjunction with a paper incineration method or service. This erases all existence of the document.
Companies should also rotate when they cycle out old, important documents. You should not get rid of documents on a predictable schedule such as the last week of every quarter or month. This type of trend allows an attacker to know when to come and look for the documents. Another way to prevent Dumpster Diving is by locking up main garbage cans at the office. If the cans or dumpsters are kept behind locked gates it will make it harder for attackers to get to the dumpster.
Dumpster diving is becoming less relevant in today’s world where most documents are digital, but there are occasions where it happens. Most people are not trained on this security risk or what not to throw away. Without proper training, there will always be a weakness in your company.
Social Engineering attacks can be physical or cyber. One type of physical attack includes Tailgating, and it is not done in a car. Tailgating, in a social engineering sense, is when a person gains unwanted entrance into a facility by using tricks and tactics to fool the employees of that company.
Most people know that when they are walking around their company, they have to have their identification badge on them and visible so anybody that passes knows they belong there. Unfortunately, this practice has become rare. Because of the lack of visible badge enforcement and verification, it makes it easier to gain unauthorized access to a facility without raising suspicion.
Criminals have many tricks in their arsenal to trick people into letting them into a building. One common way of doing this is by hanging out around the area of the building that is commonly used by smokers. If the social engineer locates that area and act like they are on a smoke break, they can wait for an employee of that company to come out then easily start a conversation with them. It is likely that, at the end of the break, the employee will go to open the door and hold it open for the criminal masquerading as an employee to walk in. Another method employed by criminals to get an employee to grant them access to a building is to walk toward the entrance with their hands full. Common courtesy can easily override the uninitiated’s sense of security and spurn individuals to open the door for someone who has no business being there.
Some criminals will even buy boxes of donuts to bring in with them to make it look like they cannot open the door because they have a hand full of donuts (and everyone will open the door for someone holding donuts). People will also walk really close to others when going into work in the morning with the goal of grabbing the door before it closes.
These social engineering tactics can be thwarted–and risk to your organization reduced–by simply asking to see the person’s badge. If they cannot produce a badge, they should not be allowed into the office.
Dave Kennedy is the Founder of TrustedSec and Co-Founder and Chief Technology Officer of Binary Defense. He started both these companies with the goal of improving the security industry and promoting the advancement of the industry through quality services.