Hackers know your network security might be their toughest route to getting at your data. So they turn to other means... such as social engineering (SE). SE is a nontechnical method of intrusion that relies on human interaction to trick users into handing over the keys to the kingdom. Unfortunately, it works—and it works well. In fact, SE is one of the biggest threats to your company security.
What should you be on the lookout for? Here are 10 common SE ploys you and your users need to know about.
1: The familiarity exploit
This exploit is one of the most widely used by those perpetrating SE hacks. It works like this. Hackers make themselves familiar to those around you. Slowly but surely they become known within the confines of the company. They come around a lot, and eventually they become trusted. At that point they can begin working their way inside the company, gaining access to areas where they shouldn't be, entering the building after hours, etc.
2: The information exploit
When you are approached by someone with all the knowledge they should have, it's easy to believe they are part of the plan. So when that stranger enters the company building with an intimate knowledge of the building or of one or more employees, you might be inclined to give them a free pass. In today's world, it is incredibly easy to gather information about a person. Facebook, Twitter, Instagram, Pinterest... they make everyone an easy mark for an information exploit. If someone claims to have intimate knowledge of a fellow employee, summon the employee to the reception area and call the visitor on their claim.
3: The new hire exploit
If someone really wants to gain access to company information (or servers or employees), they can apply for a job. This is one of the main reasons why every new employee must be thoroughly vetted. Of course, some social engineers will still fly under the radar. New employees should always be put on a rather short leash at first. It might sound a bit harsh, but you need to give them time to prove they are trustworthy around precious company data. Even then, good social engineers will understand how that works and wait until they've fully gained your trust before they strike.
4: The interview exploit
In a similar vein, important company information often escapes the safe during hiring interviews. There are social engineers who know this and will gain an interview just to squeeze all the information they can without having to bother showing up for a single day of work. Make sure the information handed out during an interview offers nothing in the way of proprietary secrets. Keep it superficial; keep it common.
5: The hostile exploit
This may sound a bit counterintuitive, but it works. Most people avoid hostile people. When you hear someone having an angry conversation on the phone or even mumbling to themselves (as if they've just had an argument), you will avoid them. In fact, a lot of people may avoid that person, clearing the way into the heart of the company—and to your data. Don't be fooled. As soon as you see something like this happening, call security.
6: The body language exploit
An experienced social engineer will be an expert at reading your body language and using it to get their way. Breathing in concert with you, smiling at all the right times, adapting to emotional changes—there are many ways a social engineer can use your body language to make a connection and earn your trust. Doing this forms a bond that enables the social engineer to manipulate you and eventually acquire your company secrets. If you notice a complete stranger in your company doing or saying all the right things, your first inclination should be suspicion (or at least curiosity).
7: The blind date exploit
This one should be obvious. We've actually watched it played out in movies and television to perfection. A handsome or beautiful stranger asks you out on a date. Things go perfectly. So perfectly, in fact, that second and third dates are imminent. The stranger woos you until they can pry secrets from you as if they were common knowledge. Far be it from me to prevent you from having a budding romantic life, but keep your guard up should that dreamy date start asking questions they shouldn't.
8: The consultant exploit
This has happened. A social engineer will pose as a consultant for hire, get the gig, and drain you of your information. This is especially true with IT consultants. You need to make sure you vet those consultants and never give them all the keys to the kingdom. Do not trust blindly. Just because someone has the skills to fix your servers or your network, that doesn't mean they won't take advantage of those skills and create a backdoor—or just blatantly copy your data. Again... vet, vet, vet.
9: The piggyback exploit
This one is easy and all too common. How it works is simple: The social engineer waits for someone to use their passcode to enter the building and walks in right behind them. Or the social engineer struggles with a heavy box and asks the legitimate employee to hold the door for them. Being kind, the employee waits and allows the social engineer entry into the building... to do what they will.
10: The tech talk exploit
You've seen the film Hackers, right? Remember the scene where Dade (aka Zero Cool) calls the company and convinces the hapless employee to give him the modem number? All he had to do was know what he was talking about and the hapless wonder handed him every bit of information he needed. This is a common hack. When those who don't know are confronted by those who do, most often their lack of knowledge will lead them to hand over whatever it is the social engineer needs.
Have you experienced an SE hack?
The social engineering hack exists because it's easy. If you suspect your company is vulnerable to such exploits, make sure your employees are made aware that such possibilities exist.
Have you ever been a victim of social engineering? If so, how did they pull off the hack?
Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.