We all do whatever we can to stay safe, especially on the internet. We invest in anti-virus protection, we require multi-factor authentication for access to sensitive information, and we force ourselves to remember annoying passwords that are 14 characters long. No one is going to breach our defenses! But what if we were letting people past our security because of our human nature? That’s where Social Engineering comes into play.
What is Social Engineering?
In short, social engineering is the set of tactics used to get a person to reveal confidential information or to compromise their own security. These tactics are typically used by malicious actors seeking passwords, banking details, or access to the network so they can install malware. Rather than attacking a technical flaw, social engineering exploits human behavior to breach security.
Brent Stallworth is a social engineering expert at Ingram Micro. Speaking as someone who performs social engineering test assessments, Brent explains that, “Social engineering is where we use tools and technology…anything that a security guy has in his tool belt to go after the actual individual user.”
A common example of social engineering that Brent cites and employs is fake or malicious email, commonly called phishing. These emails are designed to get recipients to click a link or open an attachment. Ever receive an unexpected email from someone you don't know asking you to review an attached PDF or reset your password? That's probably social engineering.
Stallworth also talks about how he uses phone calls to breach organizations. “We do a lot of phone social engineering,” he says. “Where we represent somebody. We represent an entity they know and trust to give us access to their PC, to give us access to their network. So, it’s really past that perimeter security person of an enterprise. It’s really dealing one-on-one to get access through the customer client.”
Manipulating Human Nature
“People like to be helpful,” Stallworth explains. “So, somebody calls in, somebody gets an email, they’re trying to come up with a solution. That’s, in itself, the weakest link. That’s what somebody who’s malicious is going after – somebody who tries to be helpful.”
Of course, helpfulness isn’t the only reason a person might indulge a potential social engineer. Sometimes these malicious actors have done their research and represent themselves very convincingly. Recently, the Hollywood film industry was targeted by a social engineer who assumed the identities of various powerful women in film. Using her detailed knowledge of these well-known women, the engineer convinced her targets that they were communicating, sometimes over the phone, with the real person she was impersonating. By doing so, she was able to scam several thousand dollars from victims who were expecting lucrative jobs in the industry.
How to Defend Against Social Engineering
While there is no perfect answer, Stallworth explains that the best solution is to have end-user security awareness training in place. “It does a lot in preparing individual users to look for those telltale signs that something could be malicious,” he says. Some telltale signs of a social engineer are:
- Misspellings in emails
- Callers who are reluctant to identify themselves or to provide credentials you can verify
- Callers who want to end the call quickly or press you for an immediate decision
- Emails or calls that direct you to a website or urge you to click a link, especially under a sense of urgency
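Several of the email-side signs above can be checked mechanically. The following Python script is an added example (not code from the article or from Ingram Micro): it runs three checks over a constructed sample message: a sender domain that is a lookalike of a trusted domain (the digit 1 standing in for the letter l), a Reply-To address that points somewhere other than the sender, and a link whose visible text shows one site while its href goes to another. The trusted-domain list, the sample message and the list of homoglyph substitutions are assumptions made for the example.

```python
"""Flag common phishing indicators in an email message (added example, standard library only)."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example; it is not a real phishing email.
SAMPLE_EMAIL = b"""From: IT Helpdesk <helpdesk@examp1e-corp.com>
Reply-To: support@mail-reset-portal.net
To: alice@example-corp.com
Subject: Urgent: your password expires today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Reset it now to keep access.</p>
<p><a href="http://login.mail-reset-portal.net/reset">https://sso.example-corp.com/reset</a></p>
</body></html>
"""

# Domains the organisation really uses (assumption for the example).
TRUSTED_DOMAINS = {"example-corp.com"}

# Characters attackers commonly swap in to build lookalike domains (assumed list).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def normalize(domain):
    """Fold common substitutions so 'examp1e-corp.com' compares equal to 'example-corp.com'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def registrable(host):
    """Crude registrable domain: the last two labels of a hostname."""
    return ".".join(host.lower().split(".")[-2:])


def sender_domain(header_value):
    """Registrable domain of the address in a From/Reply-To header ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return registrable(addr.rsplit("@", 1)[-1]) if "@" in addr else ""


def is_lookalike(domain, trusted):
    """True when the domain is not trusted but becomes a trusted domain after folding homoglyphs."""
    return domain not in trusted and normalize(domain) in {normalize(t) for t in trusted}


def inspect_message(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of findings; an empty list means none of the checks fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_dom = sender_domain(msg["From"])
    if is_lookalike(from_dom, trusted):
        findings.append(f"sender domain {from_dom} is a lookalike of a trusted domain")
    elif from_dom and from_dom not in trusted:
        findings.append(f"sender domain {from_dom} is not a trusted domain")

    reply_dom = sender_domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from sender domain {from_dom}")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_dom = registrable(urlparse(href).hostname or "")
            text_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
            if text_host and registrable(text_host) != href_dom:
                findings.append(f"link text shows {registrable(text_host)} but points to {href_dom}")
            elif href_dom and href_dom not in trusted:
                findings.append(f"link points off-domain to {href_dom}")
    return findings


if __name__ == "__main__":
    for finding in inspect_message(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

Run against the sample, the script reports all three indicators. The homoglyph folding is deliberately simple; a production filter would also compare against the organisation's real lookalike list and check SPF/DKIM results, but the point is that "the link says one thing and goes somewhere else" is a check a mail gateway can make before a helpful user ever sees the message.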
Social Engineering Test Assessments as Cybersecurity
Any organization should treat social engineering test assessments as part of a comprehensive cybersecurity program. Stallworth agrees. “You have so many different aspects to protect your assets at a corporation or enterprise, and one of those is the protection against the user. [Social Engineering Test Assessments] can be just as important as having protection and knowledge from a network device, a server or PC, or whatever.”
Internal staff should be considered just as vulnerable as any other entry point into the network. When attackers can’t penetrate devices directly, they will try to get in through existing users. “Just another step…when you look at security,” Stallworth concludes.
Are you ready to complete your cybersecurity offerings and protection? Ingram Micro offers Social Engineering Test Assessments to ensure IT resellers, managed service providers, and their end users have a comprehensive solution for evolving network threats. These assessments can help identify the potential holes in the “human network” to prevent information breaches and to strengthen the company’s security and compliance posture.
Learn more about Ingram Micro Social Engineering Test Assessments at: https://ingrammicrolink.com/service/social-engineering-test-assessment