Social Engineering….Your IT’s biggest threat?

 

Social engineering has slipped to the way side a bit when people think of IT security.   A focus on patch management, packet inspecting, IDS/IPS, and the like taking the main stage, leaving social engineering as a back burner project.

Social engineering has evolved from the old movie staples of “dumpster diving” to flashy websites and emails designed to “spoof” people in to entering their real logon and password on a fake site via methods like spear phishing and similar domain names.  Even with these new methodologies some of the tried and true methods still work.

Many times, it is the simple things that can be the biggest risk to your network and data.  A simple stroll around most office areas will reveal things like username/passwords taped to monitors or “hidden” in places like under a mouse pad or keyboard or in a desk draw.   Even access methods such as “shoulder surfing” and unattended and logged in systems will be routinely found within most office environments.

The company’s own Storage Area Network or SAN can be a social engineer’s playground.  Simple searches of a company “share drive” will often reveal several files with titles like “password.txt” or MS Word Documents that contain usernames/password for various systems/sites.   Confidential communications compromise can occur by storing a Microsoft PST file on an improperly secured “share drive”.*

Thinking this kind of accessibility on a simple walk around can lead to the next eventual question of how are we controlling access to our buildings?   A person shows up in a “uniform” with an ID badge stating they need access to your communications closet to “check something out”.  Are the front desk personnel verifying that someone within the company actually requested service?  Are they calling the company and verifying the employee presenting him or herself?    Un-supervised access to a communications closet can potentially harm the entire company’s network.   Anything from simple wiretaps to full network access, especially if port security is not used, can be had depending on the assets within a given communications closet. 

These are truly simple examples, but the hard truth is, without an IT policy and methods to check and enforce compliance, they exist almost universally in any type of corporate environment.   

As you read this, you might think I do not work for company and just have my home computer.   Social engineering still affects you as well.  Many home users do not even have a password set for their computer and often are using a full administrative account.  This, simply put, means anyone with physical access to your system, has full control of it.  When you take in to account connectivity options like WiFi, if someone can connect to your access point, they likely can access your whole computer without ever stepping a foot in your home.  Home users are just as susceptible to spear phishing attacks as well via their personal email accounts with spoofs of their banking intuitions or online payment sites being very common.

The bottom line is that often no matter how hardened a network or IT system is, your weakest link is the “people” that use those systems.  Time spent on training and compliance will be worth the efforts.

 

*Note: Use of PST’s located on network storage and connected to a local MS Outlook client   is not a supported configuration.

Tags: security, social engineering, spear phishing, spoof, WiFi