I recently learned about a new kind of computer hacking from Kevin Mitnick, a speaker at the recent 2017 AmeriQuest Symposium in Orlando who addressed a topic known as “social engineering.” Not so long ago, Mitnick was one of the world’s Most Wanted hackers.
He defined social engineering as “a form of hacking that relies on influence, deception and manipulation to convince another person to comply with a request in order to compromise their computer network.”
Hackers use social engineering for a variety of reasons:
- It’s easier than attacking software or infrastructure directly
- It is close to 99.5% effective
- It leaves little or no audit trail in the systems defenders usually monitor
The real problem with social engineering is that your employees are unwittingly revealing information that the hacker then uses against you or your company.
Hackers start with reconnaissance, looking for organization charts and the names and titles of employees so they can work out what information each employee is likely to have access to. They can go to a site like LinkedIn, search for your company’s name, get the names of key employees and find everything they need to determine who is in the “circle of trust” for those employees.
When hackers launch these social engineering attacks, they prepare in advance by adopting a role or identity (a pretext) and developing plausible reasons to call your employees.
Another favorite trick is to send a branded thumb drive through the mail as a “gift” that appears to come from someone in the employee’s circle of trust. They go so far as to imprint the logo of the company they are impersonating on the drive and its packaging. Because the recipient believes the drive came from someone they trust, they plug it into a USB port, which lets the hackers run a Trojan horse (malware) on that computer or steal passwords and other important data.
Mitnick advised meeting attendees to be careful when connecting to free wireless networks, because hackers set up fake wireless networks that let them intercept what users send over them. He also said to be wary of software update notices, which can also be fake. Once a fake update is installed, the hackers have access to that computer and all the information it contains.
More sophisticated attacks exploit vulnerabilities in browsers, media players and document readers, for example through booby-trapped PDFs.
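The fake wireless networks Mitnick warns about are usually “evil twins”: an attacker’s access point broadcasting the same network name as a legitimate one, often without encryption so that any device will join. The block below is an added example (not from the article or from Mitnick) of how a small script can flag such an access point automatically, taking that judgment away from the user. The scan records, the corporate network name `AcmeCorp-Wifi` and the BSSID inventory in `KNOWN_APS` are all constructed for the example; in practice the records would come from a scanner such as `iw dev wlan0 scan` or a wireless IDS.

```python
"""Evil-twin (rogue access point) detection over Wi-Fi scan results.

Added example, not code from the original article. The scan records,
the corporate SSID and the BSSID inventory below are constructed.
Assumption: the scanner reports one record per BSSID it can hear.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanRecord:
    ssid: str          # network name as broadcast
    bssid: str         # MAC address of the access point
    security: str      # "open", "wpa2" or "wpa3"
    signal_dbm: int    # received signal strength


# Hypothetical corporate inventory: the SSIDs we broadcast and the BSSIDs
# of the access points we actually own.
KNOWN_APS = {
    "AcmeCorp-Wifi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
}

# Constructed scan: two of our own APs, one impostor reusing our SSID
# without encryption, and an unrelated open network down the street.
SAMPLE_SCAN = [
    ScanRecord("AcmeCorp-Wifi", "aa:bb:cc:00:00:01", "wpa2", -45),
    ScanRecord("AcmeCorp-Wifi", "aa:bb:cc:00:00:02", "wpa2", -60),
    ScanRecord("AcmeCorp-Wifi", "de:ad:be:ef:00:01", "open", -40),
    ScanRecord("CoffeeShop-Free", "11:22:33:44:55:66", "open", -70),
]


def find_rogue_aps(records, known_aps=KNOWN_APS):
    """Return [(bssid, [reasons...])] for access points that look like impostors.

    Two heuristics:
      1. An SSID we own advertised by a BSSID that is not in our inventory.
      2. One SSID advertised with inconsistent security settings; the open
         copy is the suspect (an open network shadowing a WPA2 one is the
         classic evil twin).
    """
    reasons = defaultdict(list)
    by_ssid = defaultdict(list)
    for rec in records:
        by_ssid[rec.ssid].append(rec)

    for ssid, aps in by_ssid.items():
        # Heuristic 1: hardware we do not own announcing our network name.
        if ssid in known_aps:
            for rec in aps:
                if rec.bssid not in known_aps[ssid]:
                    reasons[rec.bssid].append(
                        f"unknown BSSID advertising corporate SSID {ssid!r}")
        # Heuristic 2: same name, different security; flag the open copies.
        security_seen = {rec.security for rec in aps}
        if len(security_seen) > 1:
            secured = ", ".join(sorted(security_seen - {"open"}))
            for rec in aps:
                if rec.security == "open":
                    reasons[rec.bssid].append(
                        f"open network shadowing {ssid!r} ({secured} seen elsewhere)")

    return sorted(reasons.items())


if __name__ == "__main__":
    for bssid, why in find_rogue_aps(SAMPLE_SCAN):
        print(bssid)
        for line in why:
            print("  -", line)
```

Heuristic 1 only works where you keep an inventory of your own access points; heuristic 2 needs no inventory at all, which is why it is worth running on laptops that roam to conference hotels and coffee shops. Either finding should block the join rather than prompt the user, in the spirit of Mitnick’s advice to take the decision out of employees’ hands.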
Why are these social engineering hackers successful? Mitnick says it’s because “there is a hole in the human firewall. People think it can’t happen to them.” Another reason is people’s natural desire to help.
So how do you prevent your employees from falling victim to these tactics? First, inform them about the sophisticated tactics hackers are using today. You can also run mock attacks (for example, staged pretext calls or phishing emails) to test how your employees respond, and then train them on the right way to handle these situations. You also need to establish a social engineering incident response program and modify what Mitnick calls “your company politeness policy.”
He strongly recommends telling your employees, “It is okay to say no to an information request.”
When building your human firewall, keep it simple. Set up a protocol that is easy to understand and follow. Develop interactive social engineering resistance training and whenever possible, use technology to take decision making out of the hands of your employees.