The Problem: You receive a call at your work phone from someone claiming to be from the IT department. They rattle off a string of values that sound like gibberish, say that your account is acting oddly, and ask you to run a few “simple tasks” so they can verify that everything is okay. You do the tasks as instructed and, after the call, don’t think much more about it. Three days later, an email goes out about a massive breach, and some grim-looking people in suits would like to have a word with you.
“Social Engineering” is the art of getting information. Whether that is having someone hold open the door while you’ve got your hands full, getting a cup of coffee bought for you because your wallet got left at the office, or telling a friendly voice on the phone what your user name and IP address are, it is a way to get things that the person would not normally have access to.
The Solution: There is no easy solution to stopping Social Engineering: most people are trusting by nature, and that is not necessarily a bad thing. There are, however, a few concepts that can help keep that trust from being used against you.
Solution the First: Trust but Verify
There are a lot of people that say “Aww come on, don’t you trust me?” and when they say it you reeeeeeally want to believe them, but that doesn’t mean that you need to do so blindly. For instance, if you ask how the boss’ daughter is doing and the person on the other end says she’s fine, but the boss doesn’t have a daughter, you have your answer.
Solution the Second: User Training
A user that knows to expect a particular type of attack is one that will be able to see it coming and react accordingly. A person in a UPS uniform with a box under their arm can seem invisible in some environments, which is not good at all.
Solution the Third: “Shred Everything”
When someone gains access to a facility that they are looking to scope out, there are particular details that they will pick up on: notes on particular solutions, sticky notes with passwords attached to monitors, trash cans filled with crumpled-up papers describing something that was rolled out just last week. Trash in particular can be a gold mine for someone looking to discover what makes an environment tick, so destroying all material that is no longer needed can make the organization much more secure.
Social Engineering is a difficult thing to completely iron out because of the way that organizations need to work. No one person can do everything, and in larger organizations employees may find people they have never met asking questions about their projects. It is therefore of the utmost importance that organizations let users know what to expect when dealing with company assets and access.