Dara Security

Social Engineering: The Art of The Con

January 19, 2015

When securing critical systems and sensitive data, companies immediately think of firewalls, intrusion prevention systems, anti-virus software, and other similar protections. Although these safeguards are essential to overall information security, companies tend to overlook what has evolved into the weakest link in the security chain: the company employees. By neglecting to include employees when considering a company’s information security posture, a company leaves itself open to a security threat known as “social engineering.”

Social engineering is a non-technical way of infiltrating a company by manipulating employees into breaking company procedures. At its core, social engineering is pure deception where employees are targeted because they have been encouraged to have a helpful attitude within the workplace and oftentimes lack training in social engineering tactics. The end result is that a company’s sensitive information is revealed and/or malware is unknowingly installed.

Preying on an employee’s willingness to help, a social engineer knows that simply asking for a favor will prompt an employee to do whatever is asked. Oftentimes, social engineers pose as someone in authority requesting immediate network access. Giving the “keys to the kingdom” is obviously breaking company security protocol, but an untrained employee or one who has been skillfully targeted using guilt, vanity, or greed will readily grant this access, unintentionally compromising the company’s security.

Using equally deceptive methods, social engineers can manipulate employees into clicking an enticing link within an email or inserting that free USB drive that was mailed to all company employees. These seemingly benign actions can have harmful consequences, as such employee practices install malware onto company networks.

There are many types of social engineering, and hackers are using technology to develop and launch more creative, sophisticated, and destructive attacks. With ever-changing technology, this list of social engineering types will likely grow:

Baiting
is a method where a USB or DVD is left in a conspicuous place, often with intriguing labels like "Important" or “accounting staff only” so that an employee will be enticed to insert the device into a company computer. Doing so would infect the company computer with malware and fulfill the social engineer’s baiting scheme.

Phishing
is a technique where the victim receives an email that appears to come from a legitimate organization or website. These emails can trick the victim into divulging sensitive information or clicking on a harmless-looking link that installs malware. A subset of phishing, known as spearphishing, targets a specific organization or individual. The email often includes personally relevant details such as names, company logos, or dates to make it more believable. Spearphishing attacks can pursue more specific information than general phishing attacks.
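Phishing detection from the defender's side, as an added example that is not part of the original post: a Python check that flags HTML email links whose visible text shows one domain while the href points to another (the "harmless-looking link" described above). The sample message and its lookalike domains are constructed here for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the original post): the link text shows the
# bank's real-looking domain while the href points to a lookalike domain.
SAMPLE_EMAIL = """\
From: "Example Bank Support" <alerts@examp1e-bank-login.test>
Subject: Urgent: verify your account
Content-Type: text/html

<p>Please sign in at
<a href="http://examp1e-bank-login.test/verify">https://www.example-bank.test/login</a>
to avoid suspension.</p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):
    """Hostname of a URL or bare domain; None for plain words like 'here'."""
    host = urlparse(text if "://" in text else "http://" + text).hostname
    return host if host and "." in host else None

def phishing_indicators(raw):
    """Return human-readable findings for one message (empty list = no tells)."""
    msg = email.message_from_string(raw, policy=policy.default)
    parser = LinkCollector()
    parser.feed(msg.get_body(preferencelist=("html",)).get_content())
    findings = []
    for href, text in parser.links:
        shown, actual = host_of(text), host_of(href)
        # Compare the last two labels so www.example.test and example.test agree.
        if shown and actual and shown.split(".")[-2:] != actual.split(".")[-2:]:
            findings.append(f"link text shows '{shown}' but points to '{actual}'")
    return findings
```

The same mismatch test works on a mail gateway feed or a user-reported message; a non-empty result is a reason to quarantine and train, not proof of compromise.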

Pretexting
occurs when a social engineer tells a fabricated story to an employee to obtain sensitive company data. Using this technique, a social engineer creates and convincingly delivers an invented scenario (the pretext) so that the employee reveals confidential information.

Quid pro quo
is a method where the social engineer offers a reward or gift in exchange for important information. The idea of a reward or gift is so gratifying that the employee readily reveals information that would not have otherwise been divulged.

Tailgating
is a technique where the social engineer, seeking physical access to a company’s restricted area, follows an employee who is entering the restricted area with a key card. It is as simple as catching the door immediately after the employee opens it, or the employee may even hold the door open out of common courtesy. With physical access to a company’s restricted interior, the social engineer has successfully made it into the kingdom! Company information can be gathered freely.

Pharming
is a method where a user is redirected to a malicious website when attempting to reach a legitimate site. This can be achieved with a virus on the user's machine or a poisoned DNS directory. The DNS directory converts human-readable domain names into the numeric addresses computers use, ensuring the user arrives at the website requested. A poisoned DNS, however, has had these mappings altered so that the user is sent to a malicious website instead, much to the delight of the social engineer.

Although each method of social engineering is combated in different ways, the first step is to create a security-aware culture within the company. A company that is security-aware will have every employee, from the newest hire to the CEO, committed to upholding company security as a critical part of doing business. Each employee will view security as an integral part of his or her key job responsibilities. Specific to social engineering, employees must be trained to identify the many types of social engineering attacks as well as which actions to take against these attacks.

Dara Security’s employee security training program can help strengthen your company defenses from the inside by informing and preparing your employees for potential attacks. In addition, our team’s extensive experience in social engineering exercises can verify whether your employees’ actions put your company information at risk. By engaging with our seasoned team, you can strengthen your company’s security posture through your employees and be confident that your team has the necessary tools to effectively protect your company’s information.