Avoid Becoming a Human Hack.
I’ve become a fan of the show Impractical Jokers. If you haven’t seen it, three friends play jokes on the fourth, and he has to repeat whatever line is fed to him. The goal is to convince random strangers to say or do something they would not normally do. At the beginning of every challenge I think there is no possible way these guys are going to succeed, yet one of them always does. It got me thinking about Social Engineering, also known as Human Hacking: the manipulation of people so that they give up confidential information.
According to Gartner, “Many of the most damaging security penetrations are, and will continue to be, due to Social Engineering, not electronic hacking or cracking... Social Engineering is the single greatest security risk in the decade ahead.” Users are generally the “weakest link” in an organization’s security. Social Engineering exploits users’ innate curiosity or natural desire to help. It can also appeal to vanity or authority and other psychological triggers such as greed, fear, anger or moral duty, and it often gets the victim to break security procedures or to ignore common sense.
So what can you do to prevent these attacks? Here are some suggestions to keep you and your organization from becoming a victim:
- Educate Your Employees. A company is only as strong as its weakest link and, often, those weak links are employees who fall prey to non-technical hacking techniques performed by social engineers. The best defense you have is personnel training and awareness programs.
- Beware of Hijacked Email. Hacked email accounts and other communication accounts are as common as a cold. Once compromised, they prey on the trust of all the victim’s contacts. If you aren’t expecting an email with a link or attachment from a friend or colleague, check with them through a separate channel (a phone call, for example) before opening the link or downloading the file; a reply to the same email only reaches whoever controls the hijacked account.
- Secure Your Computing Devices. This sounds really basic, but this is where many organizations fail. Install anti-virus software, firewalls and email filters, and keep them up to date. Set your operating system to update automatically, and if your smartphone doesn’t update automatically, update it manually whenever you receive a notice to do so.
- Slow Down. Spammers want you to act first and think later. If the message conveys a sense of urgency or uses high-pressure sales tactics, be skeptical. Never let their urgency short-circuit your careful review.
- Research the Facts. Hackers are notoriously good at copying graphics and logos, so be suspicious of any unsolicited message. If an email appears to be from a company you use but looks slightly off, do your own research. Often, hovering over a link will reveal a destination domain that does not match the one the link text claims.
- Reject Requests for Help. Legitimate companies and organizations do not contact you out of the blue asking you to provide them with assistance. If you did not specifically request assistance from the sender, consider any offer to ‘help’ restore credit scores, refinance a home, answer your question, etc., a scam.
- Beware of Any Download. If you don’t know the sender personally and aren’t expecting a file from them, downloading anything is a mistake.
- Set Your Spam Filters to High. Every email program has spam filters. To find yours, look under your settings options and set them high. Just remember to check your spam folder periodically to see whether legitimate email has been accidentally trapped there.
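The “hover over the link” check from the Research the Facts tip can be automated for a mail gateway or a user-reported phishing triage script. The following example is added here and is not code from the original post; it parses an HTML message body, and for every link whose visible text itself looks like a web address, compares the site named in that text with the site the href actually points to. The sample message body and the `examplebank.com` / `example-bank.co` domains are constructed placeholders, and `registrable()` is a deliberately crude two-label approximation of the registrable domain (a real deployment would use the public suffix list).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that itself looks like a URL or bare domain ("www.examplebank.com/login").
_DOMAIN_IN_TEXT = re.compile(
    r"^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:/\S*)?$", re.I)

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Crude registrable-domain approximation (assumption): the last two labels, lowercased."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""

def suspicious_links(html_body):
    """Return (visible text, href) for anchors whose text names one site but whose link goes elsewhere."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.links:
        match = _DOMAIN_IN_TEXT.match(text)
        if not match:
            continue  # "click here" style text gives nothing to compare against
        if registrable(match.group(1)) != registrable(urlparse(href.strip()).hostname or ""):
            flagged.append((text, href))
    return flagged

# Constructed sample message; the domains are placeholders, not real sites.
SAMPLE_BODY = """
<p>Please confirm your account at
<a href="http://secure-login.example-bank.co/verify">www.examplebank.com</a>.</p>
<p>Or <a href="https://www.examplebank.com/help">click here</a> for help.</p>
<p>Policy: <a href="https://examplebank.com/policy">examplebank.com/policy</a></p>
"""
```

Running `suspicious_links(SAMPLE_BODY)` flags only the first link, whose text claims examplebank.com while the href goes to a lookalike host; a link whose text is just “click here” is skipped because there is nothing to compare, which is exactly why the human hover check still matters.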
And the next time someone asks you to say or do something you normally would not, use common sense. You could be on TV, or even worse, you could be the victim of social engineering. Set up friendly reminders for your team on security awareness; here are a few fun designs for your team: Security Awareness Posters. Have you ever been a victim of social engineering? Feel free to share your stories or other tips in the comments section.