Code hacking gets a lot of media attention. But a different kind of hack—social engineering—is easier to carry out and may be harder to defend against, because it plays on human nature. Essentially, social engineering is tricking someone into giving out information, such as a password, that lets the attacker break into a system.
“Why hack into someone’s network when you can ask for a password?” says independent IT security consultant John Palumbo.
Social engineering is one of the most effective routes to stealing confidential data from organizations, according to Siemens Enterprise Communications, based in Germany. In a recent Siemens test, 85 percent of office workers were duped by social engineering. “Most employees are utterly unaware that they are being manipulated,” says Colin Greenlees, security and counter-fraud consultant at Siemens.
Some tricks are fairly common, he says, such as asking for bits of innocuous information that can later be used in combination to great effect. Other ploys play on our ingrained training to be polite. They include “tailgating” people through secured doors or carrying two cups of coffee and “waiting for people to open doors for you,” says Greenlees.
Larger organizations may be at greater risk, he says. He advises staff awareness training, teaching employees, for example, that they may be contacted by someone posing as an IT employee. Employees should be told to call the IT department to confirm the request, using a number provided to them beforehand, not one supplied by the caller or visitor. If the person is physically present, they should be asked for identification. Strong physical security controls in the main data center are also important, he says.
Siemens recently ran a social engineering exercise at a large financial services firm. In one week, a Siemens security consultant was able to: enter the company’s office without being challenged by security staff; work in a corporate meeting room for several days; freely access different floors and store rooms containing large amounts of confidential information; and enter the company’s IT data and telecommunication centers.
The consultant also called employees from internal phones, claiming to be from IT and requesting information. Of 20 users targeted, 17 supplied their usernames and passwords, giving the caller easy access to the company’s confidential electronic data.
Greenlees says the manipulation was surprisingly easy. Success stemmed mainly from basic tricks combined with confidence.