In past posts, we have covered our perspective as a data room provider on the risks of social engineering. The term has become familiar to all of us thanks to the increasing frequency of high-profile breaches in the corporate world as well as in government organizations. While a number of breaches happen because of weak technology, many more happen because people are manipulated into giving up confidential information. Here are some of the recent tricks and strategies used by social engineers, and some ideas for protecting yourself and your company against such attacks.
We put a lot of effort into making sure that our virtual data room service is secure and confidential. What surprises a lot of outsiders is the amount of effort that goes into training our data room professionals to be ready and alert for social engineering attacks.
The best defence against social engineers is to be aware of the methods they might use against you. The more aware you are of them, the less likely you are to fall victim. Here are 6 approaches through which they can come at you:
The USB drive
The USB drive is the most common portable data source on the planet at this point. The ease with which it lets us plug into a computer and transfer data is unmatched, but this is exactly why it is such a dangerous source. Social engineers can easily add a program to a USB drive that launches as soon as it is plugged into the computer. Even if it does not auto-launch, our inherent curiosity to open a file on the drive puts us in harm's way. This is why it is best never to plug an unknown flash drive into your computer, and always to be wary if someone else does so under the pretext of wanting to copy something harmless. At a company level, it is actually a good idea to disable USB ports altogether to protect yourself.
In the recent past, banks started sending email alerts to their clients to make them aware that the bank would never email them to ask for personal information. This was because social engineers send out large numbers of emails pretending to be banks. These emails are well formatted, well edited and very persuasive. Always check the email address of the sender, never click on the link provided, never open an email attachment from a sender you do not know, and when unsure it's best to pick up the phone and call customer support, if the email claims to be from one of the companies you are a customer of.
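Two of the checks above, "check the email address of the sender" and "pay attention to the URLs", can be automated for a triage queue. The following is an added example written for this post, not code from the data room provider; the message, the domains (`.test` and `.example` names) and the trusted-domain list are all constructed, and the registrable-domain helper is deliberately naive (a real implementation would consult the Public Suffix List).

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real phishing mail): the display name claims to be a
# bank, but the sender domain and the link target do not belong to the bank.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-login.test>
To: customer@example.com
Subject: Urgent: verify your account
Content-Type: text/html

<p>Please <a href="http://example-bank.test.verify-now.example">visit https://www.example-bank.test/secure</a></p>
"""

# Constructed allow-list: domains the bank actually sends from and links to.
TRUSTED_DOMAINS = {"example-bank.test"}

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host):
    """Naive: keep the last two labels. Real code should use the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_message(raw, trusted):
    """Return a list of human-readable findings; an empty list means no red flags."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # 1. Is the real sender address (not the display name) on a trusted domain?
    _, sender = parseaddr(msg["From"])
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if registrable_domain(sender_domain) not in trusted:
        findings.append(f"sender domain {sender_domain} is not a trusted domain")
    # 2. Does each link go where its visible text says it goes, and is it trusted?
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    for href, text in LINK_RE.findall(body):
        href_dom = registrable_domain(urlparse(href).hostname or "")
        shown = re.search(r"https?://([^/\s<]+)", text)
        if shown and registrable_domain(shown.group(1)) != href_dom:
            findings.append(f"link text shows {registrable_domain(shown.group(1))} but points to {href_dom}")
        if href_dom not in trusted:
            findings.append(f"link target {href_dom} is not a trusted domain")
    return findings
```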
Social engineers have innate persuasion skills. They know how to engage you, make you feel comfortable, get you to commit and then eventually divulge confidential information. If you ever get a call from a stranger you relate to easily, no matter how likeable he or she might be, never give out personal information on the phone. Instead, ask them for their direct phone number and offer to call them back on it. You will notice that they will never disclose where they are calling from!
What Is Your Secret Question?
Almost all email providers will allow you to reset your password by answering a secret question that you created. Make sure that the answer to this question is not predictable. A number of email providers also allow you to receive a code by message on your phone. This is an additional layer of security that a social engineer would not have access to, so it's best to activate this feature or host your email accounts with providers who offer it.
When your company is large and each employee might not know every other person who works there, it's best to make employees responsible for their own workstations. It might be easy to gain access to company premises by tailgating, but it should not be easy for the gatecrasher to gain access to a computer system.
The majority of businesses still use Microsoft products. If you ever get a call from "Microsoft Help Center" to resolve a malware issue, you are being fooled. Microsoft never calls end users directly, so be aware of such attempts to gain remote access to your system! The same is true of your IT department. Make sure that you do not give remote access to anyone, even if they are within your own company.
There are many sources of information worth keeping track of to stay informed and protected. Among others, we recommend Intel/McAfee's report "Hacking the Human OS" and US-CERT's "Avoiding Social Engineering and Phishing Attacks".
Cyber crime is a very real threat. You can eliminate more than half your risk by using the right technology to share confidential information; virtual data rooms are created for exactly this purpose. The other half of the risk comes from the human element. By being aware of the various ways that social engineers can gain access to your sensitive information, you can mitigate such threats. Always be suspicious, do not reveal your personal information, pay attention to the URLs, and do not be ashamed of questioning a perceived authority, irrespective of who it is.