Monday, 20 October 2008

Chapter XII: Social Engineering

An example of social engineering
One story of social engineering happened a couple of years ago: ".. group of strangers walked into a large shipping firm and walked out with access to the firm's entire corporate network". And how easily that was done! They managed to obtain small amounts of access, one bit here, another there, from different employees. They did some detective work to find out things about the firm; a call to HR (Human Resources) gave them the names of the employees who were important for their cause.

They got in through the front door by pretending they had lost the key, and into the security area by pretending, this time, to have lost their identity badges. In both places an employee opened the door for them. The strangers timed their attack so that the CFO was out of town; they entered his office and, since his computer was unlocked, took financial data off it. They also dug through the trash and found various useful documents. The friendly janitor gave them a garbage pail, which made it easy to carry all this material out of the building.

These strangers also knew how to imitate the voice of the CFO and got his network password by phone, pretending to be in a hurry (from the ADP support, I guess). After that they just used some hacking tools and managed to get super-user access to the system.

Sounds way too easy! Well, there were some obvious mistakes on the firm's part; for example, you should never let a stranger inside the firm. Always ask something you can double-check with someone else. And hey, who leaves his/her computer unlocked?

Source

How to fight against social engineering
As I wrote before, never let strangers inside the firm. There should be a set protocol for employees who have lost their key: someone has to be on hand to let them in, someone who can verify who they are. Double-checking is also effective: ask who he/she has come to meet, maybe even offer to show the way. At least call the person mentioned and ask whether they are expecting the guest.

Yes, people want to believe that others have good intentions and feel like intruders themselves if they need to ask a stranger something. A janitor is good in this case: all strangers trying to get into the building should go to him/her, introduce themselves, fill in a form with some information about themselves and the reason for the visit, and so on. This happens in some companies and it's effective.

Doors to employees' rooms should always be locked, and so should their computers. And no notes on the desk with the password on them.

And of course the systems need to be as secure as possible, with at least passwords and different levels of access to information.

What is social engineering? Wikipedia's definition
