I made a mistake when I first started this blog: I introduced myself, my degree, work background and certifications. Probably no harm in that, but a famous hacker by the name of Kevin Mitnick used someone's alias to land a job in IT. The individual he impersonated had graduated with a certain degree in a computer-related field and held some certifications. There is a very small chance that could happen to me, but nonetheless I will keep that info to myself (though if you are smart it will not be hard to figure out). Which brings us to our first topic of IT Security, probably the most important one.
I would like to start out with the topic of Social Engineering. This falls under the human element of security, and it often has nothing to do with computer hardware or software at all. You can think of social engineering as "someone manipulating another person into giving up information, or into taking an action, that benefits the attacker or causes harm."
A non-computer example would be the recent stories in the news about hotel employees and guests being duped into breaking windows and pulling fire alarms. In a nutshell, the caller (social engineer, scammer, or in this case prankster) would call the front desk of a hotel, claim there was a gas leak in the building, and say that to keep everyone safe the staff should pull the fire alarm and break the nearest window. Fun stuff, huh? Not really for the victims of the joke, but notice the ingredients: an authoritative-sounding caller, a safety emergency, and no time to check.
A computer-related example that could put a company in real danger is someone impersonating a help desk employee who calls to "help" employees change their passwords to more secure ones, supposedly to protect the company from hackers.

The social engineer has usually done some homework on the target, but still needs the target's username, and the easiest way to get it is to guess wrong and let the target correct you. For this example let us use Linda Hardy as the target. The call might go as follows:

"Hey, this is James at the help desk. We had a recent hacking attempt, so we are requiring all employees to change to more complex passwords to help protect company documents. It's important that you don't tell me your password while we do this change. Ready? Okay, first I need you to get into your computer with your current username and password. I see here that your username is lindah, correct?"

Linda would probably correct him: "No, it's lhardy."

"Great. Now, don't tell me your password, but log in to your account. Now that you're in, I need you to change the password to abc123 and restart the computer so we can refresh your connection to the domain."

The attacker now has both the username and the password. While Linda's computer restarts, the attacker logs in to her account from somewhere else, does any number of malicious things (plants a Trojan or backdoor, copies files, etc.), and logs out as soon as her computer is done restarting.

"Okay, now that the computer has restarted, I need you to get back into your account with your username and abc123 as the password. Now you need to change your password again to something that meets the following criteria." (Criteria given.) The attacker would then say something to the effect of "don't tell me your password, don't write down your password," and thank the target for her cooperation.

Notice that the pretext is built to sound security-conscious. The repeated "don't tell me your password" line is exactly what makes the call feel legitimate, even though the caller dictated the password anyway. And the second password change, which Linda believes is the whole point of the call, also wipes out the one piece of evidence she might later think about: the attacker still has whatever backdoor was planted during the reboot, and Linda has no reason to suspect anything happened.
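The call above leaves a footprint in the domain's audit trail even though no vulnerability was exploited: the account's password changes twice a few minutes apart, and between those two changes there is a logon from a host that is not the user's own workstation (her machine is rebooting at the time). The script below is an added example, not part of the original post, that looks for that sequence in a simplified log. The log line format, the host names, the timestamps and the user names are all constructed for the example; the event IDs 4723 (password change) and 4624 (successful logon) are the real Windows security event IDs, but the parsing of real event XML is left out.

```python
"""Flag the pattern a help-desk password pretext leaves behind:
password change from host A -> logon from host B != A -> second change,
all within a short window.  Added example; sample data is constructed."""

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

PASSWORD_CHANGE = 4723   # Windows: an attempt was made to change an account's password
LOGON_SUCCESS = 4624     # Windows: an account was successfully logged on


@dataclass
class Event:
    ts: datetime
    event_id: int
    user: str
    host: str   # workstation or gateway the event was recorded against


def parse_line(line: str) -> Event:
    """Parse one constructed audit line: '<iso-time> <event-id> <user> <host>'."""
    ts, event_id, user, host = line.split()
    return Event(datetime.fromisoformat(ts), int(event_id), user.lower(), host.upper())


def find_reset_hijacks(lines: List[str], window: timedelta = timedelta(minutes=15)) -> List[dict]:
    """Return one finding per account where, within `window` of a password
    change made from host A, a logon arrives from some host B != A and is
    then followed by a second password change.  Events are grouped per user
    and sorted so out-of-order log lines are handled."""
    by_user: Dict[str, List[Event]] = {}
    for ev in map(parse_line, lines):
        by_user.setdefault(ev.user, []).append(ev)

    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e.ts)
        for i, first in enumerate(events):
            if first.event_id != PASSWORD_CHANGE:
                continue
            foreign_logon = None
            for later in events[i + 1:]:
                if later.ts - first.ts > window:
                    break          # outside the window: stop scanning this change
                if later.event_id == LOGON_SUCCESS and later.host != first.host:
                    foreign_logon = foreign_logon or later   # remember the first foreign logon
                elif later.event_id == PASSWORD_CHANGE and foreign_logon is not None:
                    findings.append({
                        "user": user,
                        "first_change": first.ts,
                        "foreign_host": foreign_logon.host,
                        "second_change": later.ts,
                    })
                    break
    return findings


# Constructed sample: lhardy follows the caller's script; jdoe is a normal
# self-service password change with no foreign logon in between.
SAMPLE_LOG = [
    "2024-03-04T09:02:10 4723 lhardy WS-LHARDY",   # sets the interim password as instructed
    "2024-03-04T09:03:05 4624 lhardy VPN-GW01",    # the caller logs on while WS-LHARDY reboots
    "2024-03-04T09:04:30 4624 lhardy WS-LHARDY",   # Linda logs back in after the reboot
    "2024-03-04T09:06:40 4723 lhardy WS-LHARDY",   # she changes the password again
    "2024-03-04T11:30:00 4723 jdoe WS-JDOE",
    "2024-03-04T11:31:00 4624 jdoe WS-JDOE",
    "2024-03-04T11:40:00 4723 jdoe WS-JDOE",
]

if __name__ == "__main__":
    for f in find_reset_hijacks(SAMPLE_LOG):
        print(f"{f['user']}: password changed at {f['first_change']:%H:%M}, "
              f"logon from {f['foreign_host']} before second change at {f['second_change']:%H:%M}")
```

The check deliberately keys on the host of the logon rather than on the interim password itself: the caller can dictate any password that satisfies the complexity policy, so the policy will not stop this, but the caller cannot make their logon come from Linda's workstation while it is rebooting. A legitimate help desk never needs a user's password and never tells the user what to set it to, so in a well-run shop any hit from this rule is worth a phone call back to the user.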
Okay, so those may not be the best examples, but a good social engineer is cool, calm, smooth, and ready for anything. The moral of the story is: don't give out sensitive information to anyone over the phone, in person, in an email, or anywhere else just because they asked. Many times these attackers will act like they are in a hurry, or claim to be an important person in your company who needs the information right away; urgency and authority are the two levers they pull. The help desk never needs your password, and no legitimate help desk will tell you what to set it to. If someone calls you with a request like this, hang up and call back on a number you already know for that department, and report the call. Never give out sensitive information, even if the other person is pressuring you on the other end of the line!
Social engineering is extremely common because it does not require any technical skills, only people skills, and it often works where a technical attack would fail. This first lesson can help you with anything from telemarketers and people calling and claiming to be a relative, all the way to protecting sensitive corporate or personal data.
I read this book and I suggest you read it too. It will tell you all about social engineering and ways to prevent it.
Good Luck and Stay Safe!