Data stored on secure IT platforms such as data rooms is sensitive, and if the wrong people access it there could be significant consequences for your company. The weakest link in the IT security chain is the human element. No matter how secure and robust your security protocols are, there always exists a genuine gap that can be breached. "Trust" and "ignorance" are the two most common human behaviours that add to this gap. People are either too trusting of others (or) they are ignorant of the consequences being careless with information. Those who wish to will do just about anything to gain access to confidential information and mostly rely on people's inability to keep up with a culture that heavily relies on information. In this post we will have a look at the various social engineering tactics that take adantage of the human behaviour and how we can effecively have a control over it .
Social Engineering can be broadly categorized into two types -
Technology based deception
Human based deception
We will have a look at some of the most common tactics that exploits human behaviour and how these can be related to a Virtual Data room.
- Support staff: Workers such as janitorial staff often have unlimited access to office areas. Dressed as part of the crew and carrying cleaning equipment, they can snoop around desks for passwords under the pretext of cleaning. They can also use your office telephone to call the service provider, impersonating you to get your password to the virtual data room.
- Dumpster diving: Yes, people actually do this, and any documents that are dumped without shredding can provide a dumpster diver with a break. Even if they don’t contain any sensitive data, procedure documents and policy manuals can help an attacker learn enough about the company’s processes to convince their victim about their identity and obtain confidential information.
- Impersonating authority: How often have you seen it in the movies – someone convinces a clerk to provide confidential information by pretending to be someone else? Remember point 1 and 2? Well, if the attacker is able to get enough details about how things work using those methods, he could call up your virtual data room provider and convincingly demand to know his password over the telephone.
- Sharing passwords: There’s usually no way to avoid granting confidential data access to some of your personnel. The critical part is knowing who to give what access to and ensuring they understand the importance of keeping their login credentials secure. Tailgating means unauthorized access by following an authorized user through the "door". This can be done virtually as well as physically.
- Shoulder surfing: When people work in open plan environments it's easy for spies to eavesdrop or look over others' shoulders to view confidential data or access information.
All these social engineering techniques target real human attributes such as the desire to be helpful, and overcoming them requires the right type of staff training.
Measures to Overcome Risks
To protect sensitive data, implement a variety of measures to overcome the risks of social engineering:
- Educate and train your employees in the security policies of your company and the virtual data room, as well as the risks of social engineering and the damage of this type of espionage. This will increase their alertness regarding potential risks.
- Ensure all staff know that they should never write down their passwords.
- Review the virtual data room access of your employees regularly and remove any staff who no longer require it. Monitor access points such as entry doors and randomly inspect employee workspaces to ensure that confidential material is secure. Check that your staff workstations are locked down and password-protected screensavers are used.
- Implement call-backs in standard operating procedures to verify requests. If someone is impersonating an employee from their office phone, a short lag-time between receiving the request and calling back to verify should take care of any imposters using the telephone.
- Check that your virtual data room provider has a well-documented and accessible security policy implemented without exception. Most providers ask users to route password and other access requests through their corporate email address, and follow it up with a call to verify the person’s identity.
Behaviors are very vulnerable as the techniques used in social engineering are very manipulative. The only way to combat and reduce the impact of social engineering is by constantly educating your employess and creating awareness along the lines of well written security policy, auditing programs to monitor policy compliance and using proper surveillance to prevent unauthorized access.