Social Engineering: The Quick Facts
The purpose of social engineering is for an attacker to use numerous tactics to manipulate individuals into divulging information, potentially critical, that could cause serious damage to an organization. While there are many methods that can be used to gather material, it’s also important for workers and all organizations to be aware of their surroundings from a work perspective.
There are a variety of ways attackers can gain information. It could come from an interaction at a party or restaurant, a grocery or department store, or even from the individual’s workplace. Regardless of the venue, the social engineering techniques attackers use to gather data come from a collection of methods including:
- Impersonating – “Hello, my name is Fred Childs, network technician working for Corporation X. I have been provided your name as someone who could provide me information to resolve your problem with your router. Can you provide me your login information and IP address so I can assist?”
- Shoulder Surfing – An attacker looks over your shoulder to gather passwords, passcodes, and/or information that could be detrimental to the individual or worker. This could occur in a variety of places such as at work, at an ATM, or to an individual using their smartphone for banking or online shopping.
- Hoax – The attacker sends an email to an individual identifying a virus or another type of security threat that causes concern. This spurs the individual to divulge information to the attacker. The attacker could cause significant damage to the individual’s computer, leading to other computers and critical data being exposed and eventually gathered.
- Tailgating – An attacker sneaks in behind an individual without presenting a badge that shows the required authorization.
- Dumpster Diving – It is very easy and fairly common for an individual to simply throw a piece of paper into the trashcan. In a lot of cases, a document could contain valuable data that could be of use for foreign countries or for an attacker to steal an identity.
Individuals must be aware of their environment at all times. The information they could divulge to an attacker could cause serious and possibly grave damage to the individual or an entire organization. There are strategies that an individual can follow to successfully defend against attackers.
- If someone calls and you are not familiar with the caller, actively listen, then refer that person to your supervisor or security personnel to handle appropriately.
- Do not click on a link unless you have thoroughly researched it.
- Secure your devices with strong passwords.
- Be aware of the environment you work or socialize in at all times. There are a variety of attackers who can deceive you into revealing important security information.
- Use burn bins and shredders to reduce the threat.
- Follow a clean desk policy that protects sensitive and personal data.
- Log off your computer if you step away from your desk.
- Do not write passwords on paper.
In conclusion, it is very easy for an individual to trust a source rather than taking the time to identify, examine, and determine what the cause and effect might be. It is the responsibility of the individual in the end to show diligence. They must use wise judgment while following enforced policies and procedures.
About the Guest Author
Paul Brickman is a Senior Project Manager at Northrop Grumman Corporation. He has earned his CompTIA Security+ certification.