Three Common Attacks of Social Engineers
Guest Blogger: Ray Balut, MedStar Chief Information Security Officer
Through the media we have all become familiar with the type of hacker who uses technical expertise to break into computer systems and compromise sensitive data. However, there is another type of hacker who uses a different set of skills to get what they want, often with just a smile and a few well-scripted lines. They are the social engineers, hackers who specialize in the art of "hacking people" instead of systems.
BAITING
"The Misplaced Flash Drive". One tried-and-true trick is "accidentally" dropping a flash drive in a company's parking lot or inside a building (if publicly accessible) and hoping that a curious employee picks it up and plugs it into a company computer. In this case, the bad guy is letting you do the work for them without ever having to touch a system.
These flash drives may contain more than the files you can see when you open them: they often carry malicious software that the attacker can use to capture passwords or even establish a connection directly back to their own computer.
Safeguard: If you find a flash drive, turn it in to the IT department; do not plug it into your computer or launch any files on it.
PHISHING
Phishing scams are probably the most common type of social engineering attack used today. Most phishing emails look like legitimate emails but in fact trick you into providing important information and/or downloading malicious software, all by simply clicking on a link in the email. Some common types of phishing email include:
· Email from the Help Desk or Email team notifying you that your "email quota has been reached" or "your email account has been disabled" and including a link for you to click. MedStar's help desk and MedStar IT will never ask for your password in an email or over the phone!
· Email seeking to obtain personal information, such as username/password, real names, addresses and social security numbers.
· Phony security alerts, via email, pop-ups or social media (Facebook, etc.), warning you that your computer is at risk of being infected, typically with a link to click.
· Requests for money or bank/credit card account information. Often the bad guy poses as someone from another country who needs assistance accessing a large sum of money, or even as a friend or family member stuck in another country without any money.
Safeguard: To defend against phishing emails, you need to understand that they are typically designed to persuade you to click on a link or submit personal information. As such, be wary of providing any information in response to an email, and check where a link actually leads before you click it. To learn more, you might want to try this online quiz to test your phish-spotting skills:
https://www.opendns.com/phishing-quiz/
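The common thread in the lures above is a link whose visible text looks legitimate while its real destination does not. The following is an added example (not code from the original post or from MedStar) of how a mail filter or help-desk triage script can check an HTML email body for that mismatch. The trusted domain `corp.example`, the attacker host `corp-helpdesk.evil.example` and the sample message are all constructed for the example; the "registrable domain" helper is a deliberate simplification (last two labels, no public-suffix list) that a production filter should replace.

```python
"""Flag phishing-style links in an HTML email body.

Added example. The trusted-domain set and the sample email below are
constructed for illustration; the domain heuristic is an assumption.
"""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' heuristic (assumption: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_suspicious_links(html: str, trusted_domains: set[str]) -> list[dict]:
    """Return one finding per link that shows a phishing indicator."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        host = (target.hostname or "").lower()
        reasons = []
        # 1. The visible text is itself a URL, but it names a different site
        #    than the href actually points to (the classic lure).
        if text.lower().startswith(("http://", "https://", "www.")):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registrable_domain(shown) != registrable_domain(host):
                reasons.append(f"text shows {shown} but link goes to {host}")
        # 2. A trusted brand name appears inside a host we do not own
        #    (e.g. corp-helpdesk.evil.example imitating corp.example).
        for trusted in trusted_domains:
            brand = trusted.split(".")[0]
            if brand in host and registrable_domain(host) not in trusted_domains:
                reasons.append(f"host {host} imitates {trusted}")
                break
        # 3. Bare IP address targets and plain-HTTP links are also red flags.
        if host.replace(".", "").isdigit():
            reasons.append("link target is a bare IP address")
        if target.scheme == "http":
            reasons.append("link is not HTTPS")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: a 'quota reached' lure plus one legitimate link.
SAMPLE_EMAIL = """
<p>Your mailbox quota has been reached. Visit
<a href="http://corp-helpdesk.evil.example/login">https://webmail.corp.example</a>
within 24 hours to restore access.</p>
<p>See the <a href="https://www.corp.example/policies">IT policy page</a>.</p>
"""

if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_EMAIL, {"corp.example"}):
        print(finding["href"], "<-", finding["text"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

Run against the sample, the script reports only the first link, with all three indicators; the link to `www.corp.example` passes because its registrable domain is in the trusted set. The same check belongs in user guidance too: hover over the link and compare the destination to the text before clicking.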
PHYSICAL OFFICE SECURITY
Sometimes the social engineer will simply use tried-and-true, old-fashioned con-man approaches, including:
· Impersonating repairmen, IT support personnel, managers, etc., either by phone or in person, and simply asking for the information they want.
Safeguard: Challenge the authority or identity of persons unknown to you. Ask them to identify themselves, and verify that identity through a channel you control (for example, by calling the help desk yourself) rather than one they provide.
· Collecting and analyzing information from discarded trash, aka "dumpster diving".
Safeguard: Any confidential, sensitive or personally identifiable information (PII) about patients should be shredded or placed into a designated secure shredding bin for pickup. Remember, your trash can be a goldmine for a bad guy.
· "Shoulder surfing", which is watching employees as they type their passwords.
Safeguard: Don't type passwords with anyone else watching (and be courteous by not watching others type in theirs).
· Searching a work area for passwords or other sensitive information that has been written down.
Safeguard: Never write down passwords.
· Using unattended computers that are already logged in.
Safeguard: Lock offices and lock computers when not in use.
While it's not the "high-tech" approach we might see on an episode of CSI: Cyber, social engineering is one of the most effective ways for the bad guys to get the access and information they need. This was perhaps best stated by the prominent security expert Bruce Schneier, who said, "Amateurs hack systems, professionals hack people."