What is it? — Social Engineering in Network Security
Think of social engineering as analogous to how the Greeks conquered the walled city of Troy. Troy withstood the siege technology of the day, so the Greeks used subterfuge–social engineering, really–and built their hollow Trojan Horse. They packed their giant, hollow, wheeled “gift” with soldiers and conned the citizens of Troy into hauling it inside the city walls.
Network security managers know all about the modern Trojan Horse. It is malware that can infect networks, computers and the data that is the business’s lifeblood. It gets into the network through the front gates, opened by unwary users who aren’t necessarily trained to stand guard. Alongside it come its insidious partners–bots, worms, and the latest threat, ransomware.
Firewalls, virus detection software, and vigilance on the part of very smart technicians, like the warriors of ancient Troy, man the ramparts in the leapfrog battle against malware. Unfortunately, with social engineering, network security can fail–often with catastrophic consequences.
What, exactly, is social engineering in network security? Webroot.com defines the term as “the art of manipulating people so they give up confidential information.” The people in question are those at an organization’s network entry points. Hackers focus their tactics and attacks on the weak points of human curiosity, trust and gullibility.
How Social Scammers Work
According to a piece on Norton.com, social scams target our increasingly networked populace. That includes employees, who are the gatekeepers of networks and potential entry points for security breaches. Here are Norton’s top two social engineering threats:
1. The Booby-Trapped URL
Blindly clicking on shortened URLs, whether in emails or on social sites, can lead the unwary clicker to download all kinds of malicious code. Shortened URLs mask the full location of the originator, who could be an overseas hacker anywhere from Nigeria to China.
Scammers are becoming far more sophisticated and have moved past those quaintly worded emails in bad English alluding to relatives of deceased millionaires. They now send fake emails guiding the victim to a bogus landing page. The page looks like a Twitter or Facebook page–or perhaps a faked PayPal sign-in page asking for passwords.
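The two tricks described above, a shortened URL that hides its destination and a link whose visible text names a trusted site while its target points elsewhere, can both be checked mechanically before anyone clicks. The following is an added example, not code from the original article or from Norton; the shortener host list and the sample email are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed list of common URL-shortener hosts; a real deployment maintains its own.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible link text) pairs from every <a> tag in an HTML email."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:          # only text that sits inside an <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage_links(html):
    """Return [(href, [reasons])] for links a reader should not click blindly."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts, reasons = urlsplit(href), []
        host = (parts.hostname or "").lower()
        if host in SHORTENER_HOSTS:
            reasons.append("shortened URL hides the real destination")
        # Does the visible text name a domain that differs from the real target host?
        named = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())
        if named and named.group(0) != host and not host.endswith("." + named.group(0)):
            reasons.append("link text names %s but goes to %s" % (named.group(0), host))
        if parts.scheme == "http":
            reasons.append("link is not HTTPS")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample: a phishing-style email with one legitimate link at the end.
SAMPLE_EMAIL = """<p>Your account is limited. Please <a href="http://bit.ly/3xample">verify here</a>.</p>
<p>Or sign in at <a href="https://paypal.com.secure-login.example/signin">paypal.com</a>.</p>
<p>Help center: <a href="https://www.paypal.com/help">www.paypal.com</a></p>"""
```

Running `triage_links(SAMPLE_EMAIL)` flags the first two links (shortener plus plain HTTP, and a text/target domain mismatch) and passes the third.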
2. Then there’s the insidious Ransomware
Ransomware, as the term implies, holds all your data for ransom until you pay hundreds or thousands of dollars in untraceable bitcoins. The object is not to steal data. Rather, ransomware strongly encrypts the files on the network, and the victim must pay the hacker, who holds the decryption key. The FBI reports that ransomware incidents are “on the rise.”
Sadly, the encryption is usually so strong that the victim has but two choices: scrub the system and start over, or pay up. One California hospital opted to pay a ransom of $17,000 rather than lose all its patient and treatment records.
(Note: Always back up your data and keep a copy outside your network. Ransomware also finds and encrypts backups that are reachable from the infected system.)
Junior employees are not always the victims of social engineering
Social engineering doesn’t always victimize the junior employee. One executive at an 800-employee Nebraska company was taken for $17.2 million in an international email swindle that led to a Chinese bank. The executive was a victim of identity theft. The swindle was clever, and the loss represented almost three years of the company’s income.
Safeguarding against social engineering
Educating employees and establishing a policy for using social media on the job are the keys. That means setting up a program in which employees understand what to look for and why they may be a target. Employees also need to know the many ways social engineering could victimize them.