Virtual Data Room Blog

Social engineering, the weakest link

Oct 29, 2013 4:11:00 PM / by Harsh Batra

Social Engineering Dataroom adviceSocial engineering is probably the biggest threat for your confidential information.  We as dataroom providers spend a very significant amount of time making sure that our professionals are well versed in the tricks that can take down the most secure systems.   

Social engineering is the art of manipulating people into giving up confidential information. And the worst part is, it’s horribly effective in these days when information technology impacts absolutely every aspect of our lives. 

#1: Manipulates Legitimate Users

Social engineering is a con game, and perpetrators exploit legitimate users by getting them to undermine their own security systems out of the desire to be helpful. This is what makes it so difficult to control, because it’s necessary to educate anyone with access to information stored in your virtual data rooms not to fall for their wiles. A social engineer calls up your employee with a convincing reason for requiring access to your network. The employee falls for the argument and voila! the perpetrator is in.

A current favourite trick doing the rounds is that the caller presented to be a technician from Microsoft, who has been receiving notifications that there is a problem with the computer or network. The caller persuades the employee to run software that either installs malware or a virus or provides immediate access to the network.

#2: Abuses Professional Trust

Criminals who practice social engineering abuse the trust between employees. This can take the form of a phone call or other communication, such as an email from a ‘spoofed’ or hacked address. The contact comes from someone pretending to be a co-worker or calling on behalf of one, with a story such as having forgotten a vital password or login details for the virtual data rooms where critical information is stored. Assuming that the request is legitimate, the innocent employee divulges the details requested without a thought and the perpetrator gets access to all your confidential documents.

#3: Needs No Special Equipment or Skills

We tend to think of hacking and other IT security risks as advanced skills learned over time, but the truth about social engineering is that it takes nothing but the ability to be convincing to carry it out. This is one of the reasons why the practice is so effective—because perpetrators don’t need a degree from Oxford or MIT to implement it. It could be a corrupt employee who is known to trusted staff that makes the approach, or a stranger pretending to be a figure of authority.

A small Wal-Mart store in Canada was recently targeted during a demonstration at Defcon, an underground hacking conference held each year in Las Vegas. During a 20-minute phone call from someone pretending to be a manager of government logistics, the store manager gave up enough information about company logistics, the IT department and his computer to enable the caller to convince the help desk to unblock the installation of malware. A program could then be installed that provides access to the network as well as any information stored in secure virtual data rooms.

#4: It’s Inexpensive to Implement

You’d think expensive security in virtual data rooms would provide a challenge for social engineers, but the truth is that it makes no difference. Because the practice relies on manipulating humans, there’s little to no cost involved in cracking those fancy security measures. All it takes is imagination and gullible employees, so it’s vital to train your staff not to fall for convincing arguments or to leave confidential information such as passwords anywhere they can be found.

                                         Virtual Data Room Whitepaper

Topics: Data Room, Data Security, security