Social engineering is about intruders trying to get sensitive information through humans instead of hacking computers. It is probably more common than technical hacking, since it is easier to manipulate people than computers that have strict security measures. This is because most people think well of other people; being suspicious of one another usually comes from bad experiences.
For an intruder, this is about exploiting people who are well-meaning, helpful or just sloppy. Social engineering can mean anything from phishing to physically entering places where the intruder normally would not be granted access.
One motivation an intruder may have is the desire to get into places where he or she does not have access. Even though there are stories about false uniforms, fake IDs and unordered maintenance visits, those kinds of attacks are rare and hard to perform. Focusing only on one group of people with fake moustaches is itself a danger: if the intruder has studied the victim, he or she will use more subtle ways to gain access.
A good intruder goes unnoticed. You would be unaware of the security breach, and if it is noticed at all, it is often noticed a long time after the attack occurred.
As previously mentioned, information security is much more than a new tech gadget. The biggest security vulnerability is the human, because the main focus is often on the technology, without accounting for social engineering.
What can be done to minimize the risk of being exploited by these kinds of attacks? There are two key factors here: education and information. Even though some people may say something like “it’s pointless to educate those guys,” they would be missing an important point, namely the pedagogy. Educating people is not only about handing out a bunch of paper that must be read through. Rather, it is better to alternate between dialogue and demonstrating how easily an intruder can compromise a computer. To really catch interest, maybe also show how easily an intruder can fetch personal information. It is about making an impact and making people want to take the security measures needed.
When it comes to physical security in an organization, it boils down to educating the users about security threats and building zones to keep the really valuable data private and secured.
Three pointers that can increase the security level in an organization:
- Sign that tells that unauthorized people will be reported to the police
This measure should send a message to potential intruders that unauthorized access is not dealt with lightly.
- Using CCTV
As an intruder, you would be very reluctant to
- Correct handling of visitor access cards
Intruders will not stop where they are now. They are constantly improving their skills and finding new ways to intrude. Therefore, education should not stop either. Instead, repeating the training, for example once or twice a year, should keep the information fresh and up to date about how to be more secure.
Update (Jan 22nd, 2015)
As I mentioned before, there are times when imposters try to get into closed areas where they should not have access. I found out today that a 17-year-old teenager has been walking around a hospital posing as a doctor/gynecologist. The teenager has an illness and had not taken his medication, the teenager’s mother stated according to fox13now.com. The police and hospital chose not to charge the teen, fox13now.com writes.