As a follow-up to our recent blog post on social engineering, this article explains more about baiting, the specific type of social engineering where criminals use malware-laden devices to manipulate employees into providing access to a company's sensitive information. Like other types of social engineering, baiting relies on an employee's lapse of judgment to create a weakness in a company's network. When the desire to satisfy curiosity or fulfill temptation overrides an employee's knowledge of the company's security protocols, the social engineer's baiting scheme is a success.
How is Baiting done?

With the end goal of infiltrating a company's network, the social engineer may distribute malware-infected flash drives or similar devices to employees, hoping that this hardware will be inserted into network-connected computers as the means to spread malicious code. Infected flash drives may be presented to employees as promotional gifts or as a reward for participating in a survey. Perhaps the innocent-looking devices are in a basket of freebies placed in the company lobby for employees to simply grab on their way back to their work area. Also possible would be the strategic placement of tainted devices for targeted employees to take. When marked with intriguing labels like "Confidential" or "Salary Info," the devices may be too tempting for some workers. These employees may just take the bait and insert the infected device into their company computers.
How to Recognize the Baiting Scheme

One of the keys to preventing baiting is to recognize it. However, baiting is not always simple to identify, as this type of social engineering can take on a variety of forms and is ultimately designed to cloud an employee's judgment with temptation. The bait could be a CD, DVD, flash drive, or even a phone or mp3 player. These tainted devices could be presented to the employee in a myriad of seemingly legitimate ways, such as a free gift or a software update. The more enticing the device or the more believable the scenario under which the employee obtains the device, the more difficult it is for the employee to recognize the situation as a potential baiting scheme.
Employees are on the "front lines" of baiting schemes and must be trained on what this specific social engineering looks like. The scenarios are many, and the creativity of criminals ensures that baiting schemes will constantly change. Employees must also be trained to exercise caution when (or if) foreign devices are introduced into company computers. Awareness of baiting scenarios and vigilance in their prevention should be a part of every employee's mindset.
How to Secure Your System Against Baiting

The strongest defense against baiting and any other social engineering scheme is employee education and training. A company must strive to have a strong security culture where all employees consider company security an integral part of their individual work tasks. Specifically for baiting, companies would do well to conduct open discussions with employees about this social engineering scheme and its many evolving variants.
Case studies in baiting, what-if scenarios, and exercises where employees are encouraged to think like a baiter could be incorporated in regular team meetings and/or via periodic internal communications. Also effective could be implementing a policy where employees must stop and think before inserting any hardware into network-connected devices. Companies could also go so far as to adopt a "no foreign device" policy where employees are restricted from introducing any foreign devices to company computers. If it seems an exception should be made, such as a disk containing an updated version of a critical antivirus program, the employee should confirm the program's legitimacy with an established authority within the company.
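One way to enforce the "no foreign device" policy described above on Windows endpoints, as an added example that is not part of the original article: the script below sets the registry value behind the Group Policy setting "All Removable Storage classes: Deny all access", audits whether a host has it, and lists any USB disks currently attached so an exception request or a suspected baiting incident can be reviewed. It assumes an elevated PowerShell session on a stand-alone test machine; in a domain the same value would be pushed by GPO rather than by hand.

```powershell
# Added example: enforce and audit a "no foreign device" policy on a Windows host.
# The key and the Deny_All value correspond to the Group Policy setting
# "All Removable Storage classes: Deny all access". Run from an elevated session.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Set-RemovableStorageDeny {
    # Create the policy key if it is missing and set Deny_All = 1.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name 'Deny_All' -PropertyType DWord `
        -Value 1 -Force | Out-Null
}

function Test-RemovableStorageDeny {
    # Returns $true only when the deny policy is present and enabled.
    if (-not (Test-Path $PolicyKey)) { return $false }
    $value = (Get-ItemProperty -Path $PolicyKey -Name 'Deny_All' `
        -ErrorAction SilentlyContinue).Deny_All
    return ($value -eq 1)
}

function Get-RemovableDiskInventory {
    # Lists USB-attached disks, for reviewing an exception request or an incident.
    Get-Disk | Where-Object BusType -eq 'USB' |
        Select-Object Number, FriendlyName, SerialNumber, Size
}

# Usage (elevated):
Set-RemovableStorageDeny
if (Test-RemovableStorageDeny) {
    Write-Output 'Removable storage access is denied by policy on this host.'
} else {
    Write-Warning 'Removable storage policy is NOT enforced on this host.'
}
Get-RemovableDiskInventory
```

Test on a non-production host first; devices that were already mounted may keep access until they are re-enumerated or the machine is rebooted. An approved exception, such as the antivirus update disk mentioned above, should be handled by a documented, time-limited change to this policy rather than by an employee bypassing it.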
Whatever the specific approach, companies must aim to continually educate employees on possible baiting schemes and train workers on the appropriate protocol to recognize, prevent, and respond to these security situations. When the entire workforce is well aware of potential baiting scenarios and well trained in the company's security protocols, the company is prepared against baiting and other information security incidents.