Social Engineering – A Constant Threat

Social engineering is about intruders trying to get sensitive information through humans instead of hacking computers. It is probably more common than hacking as such, since it is easier to manipulate people than computers, which have strict security measures. This is because most people think well of others; distrust and suspicion usually stem from bad experiences.

For an intruder, this is about exploiting people who are well-meaning, helpful or just sloppy. The definition of social engineering could cover anything from phishing to physically entering places where the intruder would not normally be granted access.

One thing that may drive intruders is the desire to get into places where they do not have access. Even though there are stories about false uniforms, fake IDs and maintenance visits nobody ordered, those kinds of attacks are rare and hard to perform. Focusing only on people with fake mustaches is a danger in itself: an intruder who has studied the victim will use more subtle ways to gain access.

A good intruder goes unnoticed. You would be unaware of the security breach. And, if noticed, it would often be noticed a long time after the attack occurred.

As previously mentioned, information security is much more than a new tech gadget. The biggest security vulnerability is the human. That is because the main focus is often on the technology, without accounting for social engineering.

What can be done to minimize the risk of being exploited by these kinds of attacks? There are two key factors here: education and information. There may be people who say something like “it’s pointless to educate those guys,” but that misses an important point, namely the pedagogy. Educating people is not only about handing out a bunch of paper that must be read through. Rather, it is better to alternate between dialogue and demonstrating how easily an intruder may compromise a computer. To really catch interest, maybe also show how easily an intruder may fetch personal information. It is about making an impact and making people want to take the security measures needed.

When it comes to physical security in an organization, it boils down to educating the users about security threats, and building zones to keep the really valuable data private and secured.

Three pointers that can increase the security level in an organization:

  • A sign stating that unauthorized people will be reported to the police
    This measure should send a message to would-be intruders that unauthorized access is not dealt with lightly.
  • Using CCTV
    As an intruder, you would be very reluctant to
  • Correct handling of visitor access cards

The intruders will not stop where they are now. They are constantly improving their skills and finding new ways to intrude. Therefore, education should not stop where it is now either. Instead, recurring training, for example once or twice a year, should keep the knowledge of how to be more secure fresh and up to date.

Update (Jan 22nd, 2015)
As I mentioned before, there are times when people act as impostors to get into closed areas where they should not have access. I found out today that a 17-year-old teenager has been around in a hospital posing as a doctor/gynecologist. The teenager has an illness and had not taken his medication, the teenager's mother stated according to The police and hospital chose not to charge the teen, writes.


2 thoughts on “Social Engineering – A Constant Threat”

  1. I must say that this bit of computer security is often overlooked. We often talk about how we secure servers, encryption and strong passwords. But we seldom discuss the human. A person is the weakest link if we don't educate them. For example, the IT specialist has installed strong encryption and also given every worker a strong password, but the workers just write down the passwords on a piece of paper and stick it on their desktop. That isn't secure at all. And you can have a strong password, but if you just give it away when someone's asking for it, then it's not secure either. And social engineering is a very serious threat, which many don't even try to prevent. The whole company's security has the potential to be compromised, but people still ignore it. It's mind-boggling.
    It's good to see an article like this.

    • Indeed it is. It is sad that humans think that tech gadgets, or software itself, may secure you. It does not. You must see the full picture. It is easy to think like this yourself, too. But the more you know, the better the improvements may get. It is also important to find a good balance, so that the users do not feel that the increased level of security is too hard, and therefore bypass important steps to “make it more simple.”

      In organizations, according to my teacher in information security, the “general” board of leaders is not that interested in the security aspect. If I remember correctly, they talk about security for about 20 minutes per year, which is quite little and a bit scary. To catch their attention you could scare them by threatening them with jail sentences if something would happen; they have the full responsibility for that organization. Or, as I mentioned in the post, show how easily an intruder may gain access to a corporate computer and get some personal details about a board member.

      I think that information security actually is something interesting, if we talk about the full spectrum of it. To get others interested too, I guess that it depends on how you can get other people interested too. May it be through telling interesting stories or through other ways.
