If you are working as a security engineer or analyst in a large enterprise, you probably have to constantly deal with a large number of different attacks always threatening the network. One of those types of attacks is social engineering which has gotten a new shape these days due to the complexity of relationships and with the vast growth of social networking websites such as Facebook.
Social engineering, in its easiest definition, refers to the act of talking people into doing something without them even knowing that it harms the company or themselves even. It’s usually planned and done by hackers in order to find a way inside the big organizations’ networks at the early stages of hacking. Even right now penetration tests performed by security engineers check the social vulnerability of the employees working in that organization.
With this rapid increase in this type of attacks which is really difficult to handle by the security people, as I mentioned above we can see new types of social engineering attacks taking place. Hackers reach employees through social networking websites to achieve what they cannot achieve using the old methods of cracking. This is pretty much the easiest way an attacker can penetrate into the network. For instance Phishing attacks by using social networking websites which could be called a kind of social engineering technique has jumped significantly from 8.3% in January 2010 to 84.5% in December which pretty much shows its popularity among internet criminals.
But seriously what could be done to stop these attacks from happening?
This really depends on the level of awareness against these types of attacks among the employees. Before I go any further into this discussion, let me ask a question…
Which one would you prefer? Buying the latest and the most expensive Firewall appliances for your network or having regular seminars among the employees?
I am sure more than half would go for firewalls. No one would ever think that security starts from that very employee working inside the organization or company. Even a janitor can reveal so much information about a network. You might think it’s silly but it’s true. Have you ever asked yourself this question that who is the person knowing exactly who is on shift at work or who is the one that knows exactly the person always checking the server room or what time do employees leave their rooms for a break or … ? Yes, that’s the janitor who sees and knows all these… How easy do you think it is to get all this information from a janitor? 1 minute? 2 minutes? 15 minutes? or maybe 1 hour when you treat him for a coffee…
Again I say that might seem funny but these are the real world threats even nowadays… Nowadays that devices are that strong and sometimes unbreakable, hackers would think of human mistakes and vulnerabilities. Yes that’s true… Here is a link to a roundtable video with two guests from Microsoft talking about social engineering threats.
Trust me guys… Hacking and penetration is as simple as this… Go and think of the culture you need to create among the people in your company and try to create an awareness about any possible attacks…