How Social Engineering Can Steal Your Company Secrets

September 22, 2008

Companies may install the newest security system to protect their trade secrets, but they will always remain vulnerable when it comes to the person behind the keyboard, manning the phone, or holding the keys.

Hackers have known this for years, and along with their programming savvy, the best ones have honed their psychological tools as well. This is called social engineering.

What is social engineering?
There is no textbook definition for social engineering. It has been described as a confidence game played upon unsuspecting employees by hackers intent on breaking into a company’s computer network.

In a broader sense, social engineering employs any number of non-technical methods to gain information that will allow hackers to access a company’s network. This can be as simple as dumpster diving, or going through a company’s refuse to look for office paperwork containing bits of information about the company and its employees. But more often than not, social engineering involves some form of person-to-person contact between the hackers and one or more employees of the company.

Analog methods
Some social engineering attack methods employed by hackers include picking up the phone and calling up a secretary or help desk employee, or approaching or communicating with anyone else with a password to the system. They will either misrepresent themselves as someone who has been asked to look into the company’s systems or they will impersonate an authority figure within the company. The latter can be someone who is supposed to be close to the boss or someone who actually runs the system, like a manager or system administrator.

Psyche out!
Social engineering involves psychological tactics. Hackers will try to assure the target employee that the information being asked is part of procedure. Employees don’t want to get into trouble with their bosses.

They can be convinced by someone who’s pretending to be their boss or who works with their superior. Finally, simply being friendly with employees builds trust. Befriended targets are easily won over to give access to the network. Even physical access to company grounds and building facilities can be gained with a fake ID and a smile.

The price of security
Any security system put into place to protect company secrets is only as effective as the people who are actually using the system. Vigilance and proper implementation of company policy are key. Everyone in the company, from the top down, must be aware of the danger signs of social engineering attacks. These include:

  • requests for sensitive information;
  • persistent requests over the phone;
  • name-dropping by unknown people; and
  • refusal to give contact information.

Employees should also learn to follow strictly company security policies that address social engineering attacks. These should include, among others:

  • proper waste disposal of paper and digital media;
  • strict ID checks and security at physical locations;
  • control of release of sensitive information, especially over the phone or network; and
  • training and constant reminders to personnel with regard to security-related issues.

Like most things, avoiding being caught out by social engineering techniques comes down to common sense: if something does not sound right, then it usually isn’t. Employees and bosses alike should be aware that there are people out there who want your sensitive data.