BreachExchange mailing list archives
10 social engineering exploits your users should be aware of
From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 27 Jan 2016 18:26:41 -0600
http://www.techrepublic.com/blog/10-things/10-social-engineering-ploys-your-users-should-be-aware-of/ No matter how well you lock down network security, your company can still be compromised. How? Social engineering. Here are 10 ways social engineers can get to your data without touching a keyboard. Hackers know your network security might be their toughest route to getting at your data. So they turn to other means... such as social engineering (SE). SE is a nontechnical method of intrusion that relies on human interaction to trick users into handing over the keys to the kingdom. Unfortunately, it works—and it works well. In fact, SE is one of the biggest threats to your company security. What should you be on the lookout for? Here are 10 common SE ploys you and your users need to know about. 1: The familiarity exploit This exploit is one of the most widely used by those perpetrating SE hacks. It works like this. Hackers make themselves familiar to those around you. Slowly but surely they become known within the confines of the company. They come around a lot, and eventually they become trusted. At that point they can begin working their way inside the company, gaining access to areas of the company they shouldn't be, entering the building after hours, etc. 2: The information exploit When you are approached by someone with all the knowledge they should have, it's easy to believe they are part of the plan. So when that stranger enters the company building with an intimate knowledge of the building or of one or more employees, you might be inclined to give them a free pass. In today's world, it is incredibly easy to gather information about a person. Facebook, Twitter, Instagram, Pinterest... they make everyone an easy mark for an information exploit. If someone claims to have intimate knowledge of a fellow employee, summon the employee to the reception area and call the knower on their hack. *3: The new hire exploit * If someone really wants to gain access to company information (or servers or employees), they can apply for a job. This is one of the main reasons why every new employee must be thoroughly vetted. Of course, some social engineers will still fly under the radar. New employees should always be put on a rather short leash at first. It might sound a bit harsh, but you need to give them time to prove they are trustworthy around precious company data. Even then, good social engineers will understand how that works and wait until they've fully gained your trust before they strike. *4: The interview exploit * In a similar vein, important company information often escapes the safe during hiring interviews. There are social engineers who know this and will gain an interview just to squeeze all the information they can without having to bother showing up for a single day of work. Make sure the information handed out during an interview offers nothing in the way of proprietary secrets. Keep it superficial; keep it common. *5: The hostile exploit * This may sound a bit counterintuitive, but it works. Most people avoid hostile people. When you hear someone having an angry conversation on the phone or even mumbling to themselves (as if they've just had an argument), you will avoid them. In fact, a lot of people may avoid that person, clearing the way into the heart of the company—and to your data. Don't be fooled. As soon as you see something like this happening, call security. 6: The body language exploit An experienced social engineer will be an expert at reading your body language and using it to get their way. Breathing in concert with you, smiling at all the right times, adapting to emotional changes—there are many ways a social engineer can use your body language to make a connection and earn your trust. Doing this forms a bond that enables the social engineer to manipulate you and eventually acquire your company secrets. If you notice a complete stranger in your company doing or saying all the right things, your first inclination should be suspicion (or at least curiosity). *7: The blind date exploit * This one should be obvious. We've actually watched it played out in movies and television to perfection. A handsome or beautiful stranger asks you out on a date. Things go perfectly. So perfectly, in fact, that second and third dates are imminent. The stranger woos you until they can ply secrets from you as if they were common knowledge. Far be it from me to prevent you from having a budding romantic life, but keep your guard up should that dreamy date start asking questions they shouldn't. *8: The consultant exploit * This has happened. A social engineer will pose as a consultant for hire, get the gig, and drain you of your information. This is especially true with IT consultants. You need to make sure you vet those consultants and never give them all the keys to the kingdom. Do not trust blindly. Just because someone has the skills to fix your servers or your network, that doesn't mean they won't take advantage of those skills and create a backdoor—or just blatantly copy your data. Again... vet, vet, vet. *9: The piggyback exploit * This one is easy and all too common. How it works is simple: The social engineer waits for someone to use their passcode to enter the building and walks in right behind them. Or the SE struggles with a heavy box and asks the legitimate employee to hold the door for them. Being kind, the employee waits and allows the SE entry into the building... to do what they will. *10: The tech talk exploit * You've seen the film *Hackers*, right? Remember the scene where Dade (aka Zero Cool) calls the company and convinces the hapless employee to give him the modem number? All he had to do was know what he was talking about and the hapless wonder handed him every bit of information he needed. This is a common hack. When those who don't know are confronted by those who do, most often their lack of knowledge will lead them to hand over whatever it is SE needs. Have you experienced an SE hack? The social engineering hack exists because it's easy. If you suspect your company is vulnerable to such exploits, make sure your employees are made aware that such possibilities exist. Have you ever been a victim of social engineering? If so, how did they pull off the hack?
_______________________________________________ Dataloss Mailing List (dataloss () datalossdb org) Archived at http://seclists.org/dataloss/ Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com Supporters: Risk Based Security (http://www.riskbasedsecurity.com/) Need access to data breach details or alerts when new breaches happen? Risk Based Security's Cyber Risk Analytics portal, fueled by the RBS breach research team, provides detailed information on how data breaches occur and which vendors to trust. Contact us today for a demo.
Current thread:
- 10 social engineering exploits your users should be aware of Inga Goddijn (Jan 28)