Social engineering, also called people hacking, is the practice of manipulating a person into revealing information or taking an action they should not, by deception rather than by a technical attack. For example, an attacker could call a business, claim to be from the IT department, and ask an employee to "confirm" their password so the attacker can get onto the network, or ask the employee to visit a web page that steals information.
In his book "Ghost in the Wires: My Adventures as the World's Most Wanted Hacker," Kevin Mitnick, one of the best-known hackers, describes how he used social engineering to gain unauthorized access to networks and phone systems.
Social engineering examples
Below are examples of how someone could use social engineering to gain access to your network, steal confidential information, or get something for free.
- Fellow employee - Pretending to be a fellow employee who is having trouble accessing his or her account and needs security, login, or other account details.
- Fake IT - Fake IT support requesting remote access to a computer because of a made-up problem or security threat.
- Pretend spouse - Pretending to be a spouse calling a company about problems accessing his or her spouse's account and needing account details.
- Bogus student - A bogus student calling support staff to report that a website is not working. When a staff member visits the supposed problem page, it gathers computer and network information or tries to infect that computer with a trojan or other malware.
- Fake customer - A fake disgruntled customer complaining about products they never purchased and demanding a refund or compensation without proof of purchase.
- Pretend maintenance man - Someone prints a fake badge that makes them look like a repair technician visiting to fix a computer, printer, phone, or other system. Once inside the building, they can reach confidential documents or computers that give them access to the network.
- Fake client - An e-mail from a fake client containing a business proposal whose attachment is a trojan or other malware that infects the network and gives the attacker remote access.
Preventing social engineering attacks
All employees, staff, students, or family members on the same network need to know the potential threats they may face. Anyone else with remote access, such as a third-party IT company or contractors, should be educated as well.
Most companies have (or should have) security measures such as a code that must be provided before account details are discussed. If a caller claiming to be the customer cannot provide that code, account details should not be given over the phone, no matter how insistent or upset the caller is. It should also be made clear that giving out the information to avoid a conflict with the customer would result in the employee immediately losing his or her job.
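The account-code rule above is easy to state and easy to bypass in practice if the check is left to the agent's judgment. The following is an added example, not code from the original article, of how a help-desk tool can enforce it: the account code is stored only as a salted PBKDF2 hash, compared in constant time, "I forgot my code" is a denial rather than a reason to look the account up anyway, and a few wrong answers lock the account for phone verification until a supervisor resets it. The account IDs, codes, agent names, and the `MAX_ATTEMPTS` value are assumptions for the example.

```python
"""Help-desk caller verification gate (added example; all names are assumed)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

MAX_ATTEMPTS = 3        # wrong codes allowed before phone verification is locked
PBKDF2_ROUNDS = 100_000  # work factor for the stored verifier


def hash_code(code: str, salt: bytes) -> bytes:
    """Derive a fixed-length verifier from the account code and a per-account salt."""
    return hashlib.pbkdf2_hmac("sha256", code.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    account_id: str
    salt: bytes
    code_hash: bytes
    details: dict
    failed_attempts: int = 0
    locked: bool = False
    audit: list = field(default_factory=list)  # (agent, outcome, reason)


def enroll(account_id: str, code: str, details: dict) -> Account:
    """Create an account record; the plaintext code is never stored."""
    salt = os.urandom(16)
    return Account(account_id, salt, hash_code(code, salt), details)


def verify_caller(account: Account, presented_code: Optional[str], agent: str) -> tuple:
    """Return (granted, reason). The agent may disclose details only if granted."""
    if account.locked:
        account.audit.append((agent, "denied", "locked"))
        return False, "phone verification locked; escalate to a supervisor"
    if not presented_code:
        # A missing code is a denial, not a prompt to help the caller "remember".
        account.audit.append((agent, "denied", "no code presented"))
        return False, "no account code presented"
    candidate = hash_code(presented_code, account.salt)
    if hmac.compare_digest(candidate, account.code_hash):  # constant-time compare
        account.failed_attempts = 0
        account.audit.append((agent, "granted", "code verified"))
        return True, "verified"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_ATTEMPTS:
        account.locked = True
        account.audit.append((agent, "denied", "wrong code; locked"))
        return False, "wrong code; phone verification locked"
    account.audit.append((agent, "denied", "wrong code"))
    return False, "wrong code (%d/%d)" % (account.failed_attempts, MAX_ATTEMPTS)


def lookup_details(account: Account, presented_code: Optional[str], agent: str) -> Optional[dict]:
    """The only path to account details: returns None unless the caller verified."""
    granted, _reason = verify_caller(account, presented_code, agent)
    return dict(account.details) if granted else None


def supervisor_reset(account: Account, supervisor: str) -> None:
    """Clear a lockout; this is a separate, audited action, not something the agent can do."""
    account.locked = False
    account.failed_attempts = 0
    account.audit.append((supervisor, "reset", "lockout cleared by supervisor"))


def demo() -> list:
    """Constructed scenario: a caller who guesses, then presents the right code too late."""
    acct = enroll("C-1001", "4821", {"address": "123 Example St", "balance": "$40.00"})
    outcomes = []
    outcomes.append(lookup_details(acct, None, "agent-1") is not None)     # forgot code
    for guess in ("0000", "1234", "4820"):                                  # three guesses
        outcomes.append(lookup_details(acct, guess, "agent-1") is not None)
    outcomes.append(lookup_details(acct, "4821", "agent-1") is not None)    # right code, but locked
    supervisor_reset(acct, "supervisor-7")
    outcomes.append(lookup_details(acct, "4821", "agent-2") is not None)    # verified after reset
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Every disclosure goes through `lookup_details`, so there is no code path where an agent can read details without a verified code, and the audit list records who asked, what happened, and why. The lockout threshold, the reset procedure, and the wording of the reasons are design choices for the example, not values from the article.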
Always be wary of what you cannot see
Most social engineering attacks happen over the phone, e-mail, or other channels that do not involve face-to-face contact. If you cannot see whom you are talking to, always assume it is possible that the person is not who they claim to be.
Security or front desk
Not all social engineering attacks happen over the phone or the Internet. An attacker could also visit the company in person with a fake badge or other form of identification. Every business should have a front desk or security guard who is aware of these threats and knows that no one passes without proper authorization. They should also understand that ignoring these precautions (e.g., letting someone in because they say they forgot their badge) would result in them losing their job.
It is also a good idea to require additional security for more sensitive areas like a server room, such as a badge reader that only admits authorized employees. Employees who enter a building or room with a badge should also know not to let anyone follow them through the door on their credential (known as tailgating or piggybacking); each person must badge in separately.
Some people are not above dumpster diving to find confidential company information or anything else that could give them access to a network. Any papers your employees throw away should be shredded.
Properly discard company equipment
Make sure any equipment is properly wiped or destroyed before it is discarded. Most people realize that a computer hard drive (even one that has been erased) may still hold sensitive data that can be recovered. Fewer people know that devices like copiers, printers, and fax machines also contain storage, and that sensitive data can be recovered from them too. Unless you are comfortable with a stranger reading everything you have ever printed, scanned, or faxed (not likely), make sure the device's storage is wiped or physically destroyed before the device leaves your control.