Saturday, May 15, 2021

Beware Being Tricked by the Social Engineer

It is just about summer — the weather is gorgeous and everyone is in a good mood.

A pretty — not beautiful — girl comes into the lobby of a local company and glances around. She walks up to the receptionist and explains she has a meeting with the Information Technology director and is running late. She says she is very embarrassed and would the receptionist tell her the conference room number so she can just sneak into the meeting. Feeling sorry for the young lady, the receptionist tells her the main conference room is on the third floor and lets her into that part of the building.

Once in the elevator, the woman gets off on the fourth floor — not the third. She wanders the halls. A gentleman stops her because she doesn’t have a badge. But she smiles sweetly, asks him about his day, and pretty soon they are chatting about this and that. He forgets why he stopped her and goes back to his office.

She continues down the hall. This time she sees someone going into the computer lab, and he allows her to follow him through the door. She has one of those smiles that lights up her entire face, and it doesn’t go unnoticed. She explains that she is a student at the local university and she’s going to be a summer intern in the IT department… part of her internship is to see how the computer lab works.

She spends the next hour looking around, chatting with the network administrators and lighting up a usually boring environment.

The girl leaves the building, waving good-bye to the receptionist on her way out and thanking her again.

After all, she should thank her and all the others she spoke to during her visit.

The woman leaves with Post-it notes that had been stuck onto monitors with passwords and user identifications (usually ‘admin’). She has a wealth of knowledge on how the network is set up, what kinds of protection mechanisms are in place and even how to get around the protection — thanks to a young techie who was more than pleased to show her how ‘smart’ he was.

She now owns their network, their industry secrets and their systems.

This is a classic case of social engineering.

According to sbc.webopedia, social engineering is defined as: “In the realm of computers, the act of obtaining or attempting to obtain otherwise secure data by conning an individual into revealing secure information. Social engineering is successful because its victims innately want to trust other people and are naturally helpful. The victims of social engineering are tricked into releasing information that they do not realize will be used to attack a computer network.”

Whatitis.com states: “In computer security, social engineering is a term that describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures. A social engineer runs what used to be called a ‘con game’.”

Either definition makes it clear that social engineering involves human interaction. That is the major factor that makes protection against social engineering difficult. All the firewalls and identification and authentication mechanisms are ineffective against a seasoned social engineer.

So, how do you protect your network from these types of people?

The best protection against social engineering tactics is a well-trained employee who is aware of this kind of scam. The employee is the target of social engineering. Employees need to be made aware that even though they need to be helpful on the job, they also need to be cautious and inquisitive.

Security training that reinforces the requirement to protect user identifications, passwords, and other such information is a valid protection against social engineering. Employees also need to be aware of their surroundings to ensure that people without proper identification are confronted and escorted to security personnel. They also need to be aware of unauthorized people trying to follow them into secured areas.

This awareness training isn’t just for computer users and network administrators. It’s for every employee — the receptionist, secretaries, file clerks, etc. Training should be a yearly event.

Anything that looks suspicious should be reported. Be suspicious of that person you have never seen before, or someone asking questions that raise a little red flag in the back of your head. You never know when it’s a person on a mission to obtain information that can, and will, be used against you.

The next time a friendly individual approaches you with a request for assistance in getting information that you know should be protected, be prepared. Check it out before you give out any information. Beware the social engineer!
