The rise of the 21st century marked the transition of most global businesses towards a paperless office environment, with the focus shifting from manual to computerized work. At the same time, this change brought a number of threats, among them one of the biggest issues facing current businesses: social engineering, the set of cracking techniques used by hackers that rely on human weaknesses rather than on technology itself. The aim of such attacks is to gain access to passwords or other relevant information by tricking people, so that it can be used for illegal or criminal activities. The FBI and other security experts hold a firm view that the majority of threats originate from the internal working environment, that is, from employees who have been granted additional privileges or authority over the company's information. People who have an urge for power and control over other individuals exhibit social engineering skills. Computer hacking is the modern form of social engineering and the most hi-tech of all. The fundamental problem with online social networking services in particular is that there are no criteria or authentication for proving an individual's identity, which puts both our privacy and our information at stake.
Social engineering attacks are driven by financial motives: hackers try to obtain confidential information about users in order to access their accounts. Social engineering is the root idea behind phishing and pretexting, in which hackers gain the confidence of people who are careless or blindly trust others, and then take undue advantage of them. Hackers know the weak point that can be targeted: none other than the human element itself. No matter how advanced the technology gets, the human element opens up the loopholes that make social engineering attacks easier. Destruction of personal information is the lesser crime; a well formulated and planned social engineering attack can now destroy a company as a whole.
To make the point, a case study circulated on the net in which a credit union employed an ethical hacking company to test its security practices. The security consultants intentionally dropped a few thumb drives; out of sheer curiosity, people plugged the devices in, injecting Trojan viruses that affected the entire system. This situation clearly exposed the weaknesses and the unprofessional attitude of the people towards security and safety practices and technologies.
Human Element in Social Engineering
Social engineering is the human side of cracking into a corporate network. To launch an attack, human interaction is preferred because people are the easy targets. Social engineering is generally referred to as people hacking: gaining information such as usernames, passwords, personal identification numbers (PINs), credit card numbers and expiration dates. It is an attack against people, since hackers are more inclined towards extracting information for personal advantage than towards causing system failures. Web spoofing is a prominent problem, involving fraudulent e-mails and web sites that grab users' private information. To safeguard people, social engineering tactics can be used internally to increase awareness and reduce future threats. Education and supervision are the only means of mitigating internal security risks; the best protection against social engineering attacks is user awareness created through education.
People reveal information to social engineers on account of trust, faith and social relations, without realizing that they have been victimized, even after the hacker has used the information they gave for illegal and harmful purposes.
Internal Assessment Procedure
A small case study reflects the importance of incorporating an internal assessment procedure for safeguarding against social engineering attacks. A woman calls a company's help desk to get her password because she has forgotten it and needs it urgently to meet her deadlines on a big advertising project. The help desk worker feels sorry for her and quickly resets the password, unwittingly giving a hacker clear entrance into the corporate network. Meanwhile, a man at the back of the building is loading the company's paper recycling bins into the back of a truck. Inside the bins are lists of employee titles and phone numbers, marketing plans and the latest company financials. This example shows human weakness overpowering technological safeguards. To overcome such issues, every company needs to set up an internal assessment procedure through which people are properly directed, trained and educated to handle security and information safety issues.
To accomplish this, a complete internal assessment procedure can be undertaken in which upcoming projects are identified and a social engineer is appointed to supervise each project overall and handle all security issues related to it, covering both the employees and the systems. The project engineer should be treated as a significant project resource who can apply social engineering tactics to safeguard information and provide solutions to remediate the problems found. The report compiled by the engineer at the end of the process must be forwarded to management for further consideration.
The most common online attacks featured in current reports creep in through e-mails, pop-up applications and instant messages that flash on the screen and subvert computer resources. The most common flaws in system usage that assist information hacking are, firstly, the presence of active links and excessive information about the company profile, employee details and so on, which facilitate the hacking process. Phone scamming is very common nowadays: a caller's information can be extracted over the phone. Dumpster diving is the easiest way to retrieve information that has been thrown in the trash. Phishing is a form of social engineering attack that uses e-mail and web sites to extract personal information; attackers may send e-mail purporting to come from a renowned company and requesting information that gives access to accounts. Several cases have occurred in the past where the hacker succeeded in obtaining information simply by misleading the other person. In one, using a "war dialer" together with a call to the company's computer help desk, the hackers extracted the phone numbers of the company's modems and were able to gain access to its systems.
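The phishing lure described above (mail purporting to come from a known company and demanding credentials) is something a mail gateway or help desk can triage mechanically. The following is an added example, not from the original article: the sample messages, brand names, domains and addresses are constructed, and the brand-to-domain table is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; every name, domain and address here is invented.
SAMPLES = {
    "spoofed_bank": (
        "From: Example Bank Support <alerts@examp1e-bank-verify.invalid>\n"
        "Reply-To: collect@mailbox-recovery.invalid\n"
        "Subject: URGENT: verify your account within 24 hours\n"
        "Content-Type: text/html\n\n"
        '<p>Click <a href="http://203.0.113.5/login">https://www.example-bank.com</a>'
        " to confirm your password and PIN.</p>"
    ),
    "internal_notice": (
        "From: IT Service Desk <servicedesk@example.com>\n"
        "Subject: Scheduled maintenance on Saturday\n"
        "Content-Type: text/plain\n\n"
        "Email will be unavailable 02:00-04:00. No action is required."
    ),
}

# Assumed table: brand as it appears in a display name -> the brand's real domain.
BRANDS = {"example bank": "example-bank.com", "it service desk": "example.com"}

URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours|suspended)\b", re.I)
CREDENTIAL = re.compile(r"\b(password|pin|card number|verify your account)\b", re.I)
LINK = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)
HOST = re.compile(r"^https?://([^/\s]+)", re.I)

def triage(raw):
    """Return the list of reasons a raw RFC 822 message looks like a phishing lure."""
    msg = message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    subject, body = msg.get("Subject", ""), msg.get_payload()
    reasons = []
    # 1. Display name claims a known brand, but the address is on some other domain.
    for brand, domain in BRANDS.items():
        if brand in name.lower() and sender_domain != domain and not sender_domain.endswith("." + domain):
            reasons.append(f"display name claims {brand!r} but sender domain is {sender_domain}")
    # 2. Replies are quietly redirected to a domain other than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        reasons.append("Reply-To domain differs from From domain")
    # 3. Urgency combined with a request for credentials: the classic pretext.
    if URGENCY.search(subject + " " + body) and CREDENTIAL.search(subject + " " + body):
        reasons.append("urgency combined with a request for credentials")
    # 4. Link text displays one host while the href actually points somewhere else.
    for href, shown in LINK.findall(body):
        real, displayed = HOST.match(href), HOST.match(shown.strip())
        if real and displayed and real.group(1).lower() != displayed.group(1).lower():
            reasons.append(f"link shows {displayed.group(1)} but targets {real.group(1)}")
    return reasons
```

The heuristics are deliberately simple; in practice they belong beside SPF/DKIM/DMARC results rather than replacing them.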
Prevention of Social Engineering Attacks
Installing strong antivirus programs on the system is not enough to combat the threat of attacks. A complete and thorough security solution is required to provide total digital immunity for the protection and security of systems, including a proactive approach to preventing any loss of information from anticipated perils. Features such as e-scan, content security, firewall software, advanced antivirus programs with regular updates, e-conceal and many more have been adopted as solutions to prevent social engineering attacks. Spoof guards against identity theft can be used to examine web pages and raise alarms on suspicion of an attack. Assessment of threats is a must for any organization: it must know how and where information can travel in and out of the organization, ensure that people are adequately trained and aware of all the potential threats, and get them to cooperate in reducing and eliminating the negative impact of anticipated as well as unanticipated risks.
Apart from this, companies should take care to put only limited information on their web sites and avoid creating active links to e-mail addresses. Being cautious and alert when answering IT-related questions on the phone helps avoid phone scamming. Shredding services should be used to prevent dumpster diving. Properly logging off individual workstations lessens the chances of hacking, though it does not eradicate them completely. A strong defense against social engineering attacks can be prepared by including instructions and alerts in the company's security policy.
Many people consider social engineering attacks an affront to their proficiency or intelligence; what needs to be done at this stage is to create awareness about security and sensitivity to information.