The majority of focus within the information security field is on technical attacks and the corresponding technical defenses. Nonetheless, numerous successful information security attacks are non-technical in nature and pose a substantial threat to organizations worldwide.
Security is only as strong as the weakest link: a non-technical attack on the weakest link – human nature – is normally referred to as social engineering. (In one of our previous posts you can find an overview of what social engineering is and why it is successful.) In a few words, social engineering is the ability to manipulate other people into aiding your goals.
Common Non-Technical Threats
Non-technical attacks are diverse and differ in their level of complexity. The following contemporary examples illustrate how social engineers manage to bypass security without raising the alarm.
1. Impersonation over the phone
The telephone, a widely accepted means of communication, is one of the most used vectors for carrying out social engineering attacks. Business is regularly conducted over the telephone, and people have become accustomed to asking for and granting requests through this communication medium. Consequently, it has become increasingly difficult for a target to decipher which requests are legitimate and which may be social engineering attacks.
A common social engineering attack over the phone involves impersonation. Knowledge of the organization’s management structure, including the names and titles of important individuals, current and pending projects, and other detailed but not strictly confidential information may help an attacker appear to be making a legitimate request.
2. Dumpster diving
Essentially, the key to being a successful social engineer is information gathering. Dumpster diving is the practice of searching through a company’s trash in order to obtain useful information about the company. This practice may reveal confidential business information, such as company phone lists or phone books, memos, company policy manuals, outdated hardware, disks and tapes, and printouts of source code.
3. Tailgating to get physical access to the organization’s building
Attackers may take their time to familiarize themselves with the building and its surroundings. They do this while making it appear perfectly normal to everyone that they should be there, so that workers lower their guard. A social engineer may then gain access by simply walking in behind a person who has legitimate access to the secure area. This practice is called tailgating. By exploiting human psychology, the attacker relies on the worker following common courtesy and holding the door open. The legitimate person may refrain from asking for identification for several reasons, or may accept the assertion that the attacker has lost or forgotten the allocated identity token. Sometimes the attacker may also present a fake form of identification. Once inside the facility, the attacker poses as an employee and has the potential to steal data, hack a network, or commit some other crime.
Presently, non-technical attacks are the hardest form of attack to defend against, because neither hardware nor software components alone can prevent them. More worryingly, however, organizations frequently neglect the non-technical aspects of information security.
There are different methods of coping with social engineering; however, the best method is to educate employees so that they are aware of the risks and remain vigilant against any new threats that may appear from inside or outside the organization. Without the appropriate education, the majority of people will not recognize a social engineer’s tricks, because they may be highly sophisticated. Many non-technical attacks can be easily avoided. For instance, a dumpster diving attack can be prevented by shredding old or unwanted documents; this practice may sound trivial at first glance, but it is a simple way to prevent identity theft and safely dispose of confidential information.