Security threats explained: Social engineering

Hamish Barwick | June 22, 2012
Social engineering, according to Quest Software, can be defined as the technique of using deception and manipulation to gain sufficient knowledge to dupe an unwary individual, employee or company.

"In the case of the Sony PlayStation Network hacking, the loss of customer data resulted in a fall in market capitalisation of US$2 billion," he says. "It took almost 70 years to establish the brand value of Sony, but in a matter of days this value was destroyed simply by careless data keeping."

Social engineering attacks can go undetected when users download malware and when attackers gain access to a system, warns Check Point's McKinnel. From there, a system can be compromised through the release of critical passwords, or an organisation's resources can be used as part of a botnet to send spam.

"The cost of such security breaches can be enormous for an organisation," McKinnel says. "Not only can valuable intellectual property be stolen, but there is the danger of breaching regulatory and compliance issues, the risk of immeasurable damage to a brand/customer confidence and the fallout of auditing and legal costs."

Bitdefender's Cosoi says social media is a very important vector for targeted attacks against companies. "The future of such attacks lies in social malware and social engineering - convincing people to infect themselves by installing applications that have a background agenda."

Addressing social engineering

Check Point's McKinnel says the best way to mitigate the risk of social engineering is a mix of technology, simple security policies and user awareness.

"Having a simply-written security policy that staff and users can understand is key, and that policy needs to be supported by regularly repeated education focusing on the implications of security issues rather than just the rules," he says.

In addition, companies should make the security policy accessible to staff and users by avoiding technical jargon and sharing posters around the office.

"Technology can also assist in user awareness," adds McKinnel. "Employ technology that places the onus back on individuals and reinforces user education."

For instance, pop-up click boxes can be deployed before users download anything that looks high risk, send sensitive information or use media websites. "This technology embeds security practices into business processes without slowing down regular work activity," he says.

Sophos' Forsyth agreed that education is the key to rebutting attacks. "If staff are made aware of their part in protecting customer data [and trust] they will appreciate the need for vigilance," he says.

"This training should be a joint responsibility of the information technology [IT] and human resources [HR] departments. It should also be a core component of staff induction and staff should receive regular updates on the latest threats."

Social networks and instant messaging services should also be closely monitored to lessen the risk of social engineering, according to Bitdefender's Cosoi.

"Sometimes, classified information can be leaked by employees through social network profiles or even personal blogs," he says. "Some of the most frequent details that go public ahead of time are product-launch dates, product screenshots or other branding elements such as logos and boxes."


