What is Social Engineering? (Free guide to SE 101)
What is social engineering?
Social engineering is the deliberate manipulation of natural human trust to obtain information that can be used to facilitate fraud, network intrusion, identity theft, or network/system disruption. Bruce Schneier’s definition of social engineering is also very appealing to me: “Amateurs hack systems, professionals hack people.”
Social engineers use different tactics to gain the trust of their victims:
– Pretending to be someone important
– Appearing “just like you”
– Persuading you to share confidential information
Stay safe from social engineering attacks
Social engineering attacks can be frightening, but, as the book explains, the risk can be greatly reduced if you take the right steps.
Social engineers are patient, methodical, and clever. They often begin by building a relationship with more accessible people within an organization, such as an administrative assistant or the guard at the gate. This lets them gather information about their ultimate target, who may be up to ten steps higher in the corporate food chain.
The criminal may start by gathering information about team members and other “social cues” in order to build trust or even masquerade as an employee. Some of their strategies are very simple and insidious.
What should you share online?
Sharing is caring: it is fun and can help others. But how much should you share? This matters especially when you share your data online or while working. You have probably posted information about yourself on social media websites, perhaps more than once. Here are some tips to help you avoid “oversharing” in today’s busy world:
– Don’t share information online that you wouldn’t share in person
– Make sure you are familiar with the privacy settings of each service
– Don’t add strangers to your social media accounts
– Keep confidential information off social media
– Always double-check what you share
– Avoid public or unsecured Wi-Fi connections
– Be aware of which third-party apps you allow to access your social media accounts
– Review your information regularly and remove any connections you don’t recognize
Bad example from Twitter
Phishing attacks are a serious problem
Phishing is an online form of identity theft. It uses email, phone calls and text messages to steal your personal information, such as credit card numbers or passwords. Phishing is dangerous because cybercriminals are skilled at coaxing this information out of you. Here is an example of a cloned, fake Facebook login page. It asks victims to enter their username and password, which are then delivered straight to the attacker.
You can clearly see that the URL does not point to Facebook.
Here is a screenshot of the real Facebook.com; its connection is secured with SSL (HTTPS).
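The URL check described above, written out as an added example (not code from the original article): it extracts the host a browser would actually connect to and reports why a link that looks like a Facebook login page is not one. The allow-listed domain and the sample URLs are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# Assumed value for this example: the registrable domain the real login
# page lives under. A wider deployment would keep an allow-list per brand.
LEGIT_DOMAIN = "facebook.com"


def real_host(url: str) -> str:
    """Return the hostname a browser would actually connect to."""
    parts = urlsplit(url.strip())
    # urlsplit strips any 'user:pass@' userinfo from the host, so text
    # placed before an '@' in the address is never mistaken for the host.
    return (parts.hostname or "").lower().rstrip(".")


def check_login_url(url: str, legit_domain: str = LEGIT_DOMAIN) -> dict:
    """Classify a URL that claims to lead to the legitimate login page.

    Returns the real host, whether it is under legit_domain, and a list of
    human-readable findings a user or help desk can act on.
    """
    parts = urlsplit(url.strip())
    host = real_host(url)
    legit = host == legit_domain or host.endswith("." + legit_domain)
    findings = []
    if not legit:
        findings.append(f"host {host!r} is not under {legit_domain}")
    if parts.scheme != "https":
        findings.append("connection is not HTTPS")
    if parts.username is not None:
        findings.append("text before '@' hides the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible look-alike characters)")
    return {"host": host, "legit": legit, "findings": findings}


if __name__ == "__main__":
    # Constructed sample links: one genuine, three that only resemble it.
    samples = [
        "https://www.facebook.com/login",
        "http://facebook.com.login-check.example/",
        "https://facebook.com@login-check.example/",
        "https://xn--fcebook-4za.example/login",
    ]
    for link in samples:
        result = check_login_url(link)
        verdict = "OK" if result["legit"] else "SUSPICIOUS"
        print(f"{verdict:10} {link}  -> {'; '.join(result['findings']) or 'no findings'}")
```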
* Identify the most sensitive data and the data most exposed to social engineering. To find security gaps, you can ask a third party to conduct a risk assessment; make sure the executive level is informed of the results.
* Establish policies or guidelines for the handling of critical data.
* Report the results of your social engineering testing, both positive and negative, to the executive team or board.
* Conduct random and scheduled tests on all employees using social engineering techniques.
* Conduct periodic cyber security assessments.