Social engineering is a skillfully crafted art form honed for malicious intent. Can you identify and stop the attempts? What should you do when you see it? We share our tips.
Social engineering is a category of Cybersecurity that does not always include digital codes or sophisticated technology. As defined, it is a technique that manipulates human emotion and human error to gain access to information, valuables, intellectual and proprietary property, or secured areas of an organization.
While the techniques seem to be harmless, with the information requested seeming trivial at best to you, every attempt at gaining such info is valuable to a social engineer. To them, this is a treat.
To understand what this is, Jeremy Ferguson, Capture Manager for Strategic Growth at PAR Government, explained simple scenarios where human nature can be manipulated into revealing information or gaining unauthorized access.
“Imagine this everyday scenario. You are walking to a secure building requiring access via a badge or a memorized PIN code and you see a person at the door holding boxes, or flowers, or a stack of unstable paperwork. This person sees that you have access to the door and politely asks you to open it for them because they cannot satisfy the access requirements with their hands full. Evolution has trained our brains into helping or assisting people in a time of need and, often, that access is given out of empathy or compassion without regard to security protocols.”
Now, he said, take this scenario and apply it to today’s modern tech. Phone calls, mobile device messages, and spoofed email addresses have been widely utilized to deceive people into giving information that would not normally be published.
“Sometimes, what you’ll see, is a random text message on your personal device claiming to be your CEO or company president asking for favors or information. Usually these are immediate needs,” he said. “These situations seem to be innocent and within the common practice of corporate design, however, they are specifically crafted techniques used to exploit human nature.”
Thwarting social engineering techniques results in a higher personal contribution toward corporate security. Here are some ways that can help you combat threats:
Maintain conscious Situational Awareness: With busy schedules and technology offerings and obligations, it is easy to tune everything out and focus on personal commitments. These distractions force a person to lose cognizance of surrounding situations allowing a person to manipulate those distractions for personal gain. By maintaining a vigilant sensitivity of surrounding activities, social engineering techniques have a drastically reduced success rate.
Identification Verification: Always, especially when there are identification requirements such as badges, PIN codes, or RFID keys, it is important to ensure positive identification is confirmed before allowing a person access to controlled space. The verification can be as simple as ensuring the badge matches the name and face of the individual holding it or as intrusive as verifying the person is on the Access List for the space. If they are not on the list, if there are discrepancies with the identification, or if they refuse to comply, alert security offices.
Personal Verification: Regarding phone calls and device messages, request the caller physically present authorization and identification, then verify the information. Never give sensitive information over the phone, ensure extreme awareness of the information being requested, and question why it is being requested.
Social Engineering tactics and techniques have been proven to be highly successful in information gathering and unauthorized facility access. PAR Government places an extreme importance on ensuring that employees are aware of malicious techniques and continue to train all employees on proper security protocols and procedures.
PAR Government, through its subsidiary Rome Research Corporation, provides information technology services to several DoD clients. This includes helpdesk support, system administration, network administration, information assurance/systems security, database administration, telephone systems management, testing and testbed management, information technology infrastructure library (ITIL)-based service management, and engineering and installation services. For more information visit: PAR Government | RRC Mission Operations