Great guest post by Gerard Joyce CTO of LinkResQ, makers of the Risk Management Information System solution CalQRisk who were on the long list for the Irish Tech News 2016 Fintech 20 Ireland awards.
— CalQRisk (@CalQRisk) December 19, 2016
Cyber criminals, hacktivists, corporate spies, rogue nations and other “hackers” all use social engineering methods to gain unauthorised access to confidential information and data. Consequently, it is imperative that all personnel who have access to sensitive information are aware of the methods and techniques that are used and can avoid becoming a victim.
What is Social Engineering?
Social Engineering has come to mean a non-technical method hackers use to trick people into breaking normal security procedures or disclosing information to people who are pretending to be somebody they are not.
Social engineers take advantage of human weaknesses and human nature to get people to divulge information they would not normally give to a stranger or to do something that causes malware to be downloaded onto their computer. It could be a threat to go to their boss or it could be a fictitious story about some urgent issue that needs to be addressed. It could be the promise of a prize or encouragement to view something “interesting”.
What do the Social Engineers do?
Many social engineering techniques are employed; we’ll look at the most prevalent.
Spoofing is where the sender of an email changes the “From” address to make it look like it came from somebody else. Most of these are just a nuisance, but there are also the insidious ones, where the sender is purporting to be somebody you regularly deal with and is looking for sensitive information or requesting you to carry out a particular task (e.g. transfer money). The reply-to address may be close to the legitimate one and might not be obvious at first glance.
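One mechanical check a mail gateway or help desk can apply to the reply-to trick described above, written as an added example and not part of the original post: it parses a message, flags a Reply-To domain that differs from the From domain, and flags domains that differ from the trusted one by only a character or two. The sample message, the trusted domain `example.com` and the lookalike `examp1e.com` are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the original post): the visible
# "From" claims to be the finance director, while replies are silently
# routed to a lookalike domain ("examp1e.com" vs the real "example.com").
SAMPLE_MESSAGE = """\
From: "Finance Director" <fd@example.com>
Reply-To: fd@examp1e.com
To: payments@example.com
Subject: Urgent transfer before close of business

Please send the attached invoice amount today.
"""

TRUSTED_DOMAIN = "example.com"  # assumed internal domain for this example


def domain_of(address: str) -> str:
    """Return the lowercased domain part of an email header address ('' if none)."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def looks_alike(candidate: str, trusted: str) -> bool:
    """True when two equal-length domains differ in at most two characters
    (e.g. digit 1 for letter l). Lookalikes that add or drop characters
    are out of scope for this simple check."""
    if candidate == trusted or len(candidate) != len(trusted):
        return False
    return sum(a != b for a, b in zip(candidate, trusted)) <= 2


def check_reply_path(raw_message: str, trusted_domain: str = TRUSTED_DOMAIN) -> list:
    """Return a list of warning strings; an empty list means no spoofing indicator."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))
    warnings = []
    # Replies silently redirected away from the apparent sender's domain.
    if reply_domain and reply_domain != from_domain:
        warnings.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")
    # Either header using a near-copy of the trusted domain.
    for label, dom in (("From", from_domain), ("Reply-To", reply_domain)):
        if looks_alike(dom, trusted_domain):
            warnings.append(f"{label} domain '{dom}' is a lookalike of '{trusted_domain}'")
    return warnings


if __name__ == "__main__":
    for warning in check_reply_path(SAMPLE_MESSAGE):
        print("WARNING:", warning)
```

A warning here is a cue to verify the request by telephone on a known number, which is the identity verification step the checklist below calls for.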
Phishing is using an email to entice the recipient to click on a link or fill out a form or open an attachment. In the past these were usually recognisable by their poor English, but nowadays they are more sophisticated. They look like they are coming from a legitimate source. Clicking on the link could cause malware to be downloaded onto your computer. Filling out a form that is asking for personal information / account details is likely to lead to your account being compromised.
Spear Phishing is a form of Phishing, just targeted at an individual or an organisation.
Whaling is a type of phishing that is aimed at high-profile individuals; C-level executives, politicians or celebrities. The difference is that the emails and websites are highly customised and personalised, often incorporating the target’s name, job title or other relevant information.
Vishing is using the telephone in an attempt to scam the victim into revealing private information that will be used for identity theft. The scammer usually pretends to be a legitimate business, and fools the victim into thinking he or she will profit or will lose something if they do not take action now.
Pretexting is where the fraudster pretends to need information in order to confirm the identity of the person he is talking to. After establishing trust with the targeted individual, the pretexter will ask a series of questions that are designed to gather key personal information such as date of birth, account number, etc.
Watering Hole is an attack method in which the victim is a particular organization or group. In this method of attack, the attacker observes or learns which websites the group often visits and infects one or more of them with malware. The next time the target visits the watering hole (website) and clicks on a legitimate-looking link they unwittingly download malware.
It’s not just logical access that is threatened, it’s also physical access. Tailgating is a common method for non-authorised people to gain access to a premises that requires an electronic access card. The really sophisticated social engineers will go so far as dressing up to look like a typical employee and observe the comings and goings beforehand so they can “blend in”.
Bogus Inspectors. Another method of gaining access used by social engineers and security consultants testing your defences is posing as fire or health and safety inspectors. Who is going to refuse entry to officials who have a right by law to enter your premises?
Shoulder surfing is when the social engineer is looking over your shoulder as you key in the “secret” access code to enter a restricted area.
Don’t be the Weakest Link
To avoid being the victim of social engineering, here are some reminders of things to do and not do:
- Do not open emails from “banks”; they don’t send unsolicited emails.
- Don’t click on links in emails; instead, enter trusted addresses manually in a browser and use bookmarks to access regularly visited trusted websites.
- Never give out personal information on the phone or over the Internet unless you have initiated the contact.
- Ensure your business processes are robust and include an identity verification step before significant action is taken.
- Ensure that highly frequented websites are monitored by IT, checked for malware and blocked if deemed unsafe.
- Always verify the identity of unannounced visitors and never let them wander on their own.
- Challenge strangers you find wandering around your premises.
Trust Nobody! Question Everything!
About the Author
Gerard Joyce is CTO of LinkResQ, makers of the Risk Management Information System solution CalQRisk. He is also the chairman of the National Risk Management Standards Consultative Committee (at the NSAI) and member of the ISO Risk Management Technical Committee. He can be contacted at [email protected]