Tuesday, September 29, 2015

Three Common Attacks of Social Engineers

Guest Blogger: Ray Balut, MedStar Chief Information Security Officer

Through the media we’ve all become familiar with the type of hackers who use their technical expertise to break into computer systems and compromise sensitive data. 

However, there is another type of hacker who can use a different set of skills to get what they want often with just a smile and a few well scripted lines.  They are the social engineers, hackers who specialize in the art of “Hacking People” instead of systems.

BAITING 
“The Misplaced Flash Drive”. One tried-and-true trick is “accidentally” dropping a flash drive in a company’s parking lot or inside a building (if publicly accessible) and hoping that a curious employee picks it up and plugs it into a company computer. In this case, the bad guy is letting you do the work for them without ever having to touch a system.

These flash drives may contain more than the files you can see when you open them; they often carry malicious software that the hacker can use to capture passwords or even establish a connection directly back to their own computer.
Safeguard: If you find a flash drive, turn it in to the IT department; do not plug it into your computer or launch any files on it.

PHISHING
Phishing scams are probably the most common type of social engineering attack used today. Most phishing emails look like legitimate emails but in fact trick you into providing important information and/or downloading malicious software, all by simply clicking on a link in the email. Some common types of phishing email include:

·      Email from the Help Desk or Email team notifying you that your “email quota has been reached” or “your email account has been disabled” and including a link for you to click. MedStar’s help desk and MedStar IT will never ask for your password in an email or over the phone!

·      Email seeking to obtain personal information, such as username/password, real names, addresses and social security numbers.

·      Phony security alerts – via email, pop-ups or social media (Facebook, etc.) – warning you that your computer is at risk of being infected, typically with a link to click.

·      Requests for money or bank/credit card account information. Often the bad guy poses as someone from another country who needs assistance accessing a large sum of money, or even as a friend or family member stuck in another country without any money.
Safeguard: To defend against phishing emails, you need to understand that they are typically designed to persuade you to click on a link or submit personal information.  As such, be wary of providing any information based on an email. To learn more, you might want to try this online quiz to test your phish spotting skills:
https://www.opendns.com/phishing-quiz/
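The indicators listed above are exactly what a mail filter or help-desk triage script checks for. The following Python script is an added example written for this post; it is not MedStar code, and the internal domain (example.org), the sender addresses and the message bodies are all constructed. It scores each message on the lures the post describes: quota/disabled-account wording, requests for credentials or money, “support” wording arriving from an outside address, and links whose visible text does not match where they really go.

```python
"""Heuristic phishing triage over a few constructed messages.

Added example (not MedStar's or the post's code). The internal domain,
sample senders and sample bodies below are assumed/constructed.
"""
import re
from dataclasses import dataclass

# Lure wording quoted or paraphrased in the post (assumed exact phrasing).
LURE_PHRASES = (
    "email quota has been reached",
    "account has been disabled",
    "your computer is at risk",
)
CREDENTIAL_WORDS = ("password", "username", "social security")
MONEY_WORDS = ("wire transfer", "bank account", "credit card", "send money")
SUPPORT_WORDS = ("help desk", "helpdesk", "it department", "email team")

# Anchor tags in an HTML body, and the host part of an http(s) URL.
LINK_RE = re.compile(r'<a\s+href="(?P<href>[^"]+)"[^>]*>(?P<text>.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.I)


@dataclass
class Message:
    sender: str      # From address as it appears on the message
    subject: str
    body_html: str   # body as HTML, so link text and href can be compared


def host_of(text):
    """Return the lowercased host of the first http(s) URL in text, or None."""
    m = URL_RE.search(text)
    return m.group(1).lower().split(":")[0] if m else None


def is_internal(host, internal_domain):
    return host == internal_domain or host.endswith("." + internal_domain)


def triage(msg, internal_domain="example.org"):
    """Return the list of indicators found; each entry is a human-readable reason."""
    reasons = []
    text = f"{msg.sender} {msg.subject} {msg.body_html}".lower()
    sender_domain = msg.sender.rsplit("@", 1)[-1].strip(">").lower()

    for phrase in LURE_PHRASES:
        if phrase in text:
            reasons.append(f"lure phrase: {phrase!r}")
    if any(w in text for w in CREDENTIAL_WORDS):
        reasons.append("asks for credentials or personal information")
    if any(w in text for w in MONEY_WORDS):
        reasons.append("asks for money or account details")
    # The post's point: the real help desk never asks for a password by mail,
    # so 'support' wording from an outside address is a strong signal.
    if not is_internal(sender_domain, internal_domain) and any(w in text for w in SUPPORT_WORDS):
        reasons.append(f"claims to be internal support but sent from {sender_domain}")

    for m in LINK_RE.finditer(msg.body_html):
        href_host = host_of(m.group("href"))
        shown_host = host_of(m.group("text"))
        if href_host and not is_internal(href_host, internal_domain):
            reasons.append(f"link points to external host {href_host}")
        if href_host and shown_host and shown_host != href_host:
            reasons.append(f"link text shows {shown_host} but goes to {href_host}")
    return reasons


def classify(reasons):
    """Two or more independent indicators: treat as phishing; one: suspicious."""
    if len(reasons) >= 2:
        return "phishing"
    return "suspicious" if reasons else "clean"


# Constructed sample messages, one per lure type the post describes.
SAMPLES = [
    Message("it-helpdesk@mail-quota-alerts.example.net",
            "Action required: email quota has been reached",
            'Your mailbox is full. Visit <a href="http://login.example.net/reset">'
            'https://webmail.example.org/reset</a> and confirm your password.'),
    Message("alerts@example.org", "Maintenance window Saturday",
            'Email will be unavailable 02:00-04:00. Details: '
            '<a href="https://intranet.example.org/maint">intranet page</a>.'),
    Message("friend@freemail.example.com", "Stuck abroad, please help",
            "I lost my wallet and need you to send money by wire transfer today."),
]

if __name__ == "__main__":
    for msg in SAMPLES:
        found = triage(msg)
        print(f"{classify(found):10} {msg.subject}")
        for r in found:
            print("   -", r)
```

The quota message trips five separate indicators and is classified as phishing; the genuine maintenance notice from the internal domain trips none; the “stuck abroad” message trips only the money request and is flagged as suspicious for a human to look at. Keyword matching like this is deliberately simple and will miss lures that are worded differently, which is why the post’s human safeguards still matter.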


PHYSICAL OFFICE SECURITY
Sometimes the social engineer will simply use tried-and-true, old-fashioned con-man approaches, including:

·      Impersonating repairmen, IT support personnel, managers, etc., either by phone or in person, and simply asking for the information they want.
Safeguard: Challenge the authority or identity of persons unknown to you – ask them to identify themselves.

·      Collecting and analyzing information from discarded trash, aka “dumpster diving”.
Safeguard: Any confidential, sensitive or personally identifiable information (PII) for patients should be shredded or placed into a designated secure shredding bin for pickup. Remember, your trash can be a goldmine for a bad guy.

·      “Shoulder surfing”, which is watching to see employees type their passwords.
Safeguard: Don’t type passwords with anyone else present (and be courteous by not watching others type in theirs).

·      Searching a work area for passwords or other sensitive information that has been written down.
Safeguard: Never write down passwords.

·      Using unattended computers that are already logged in.
Safeguard: Lock offices and lock computers when not in use.

While it’s not the high-tech approach we might see on an episode of CSI: Cyber, social engineering is one of the most effective ways for the bad guys to get the access and information they need. This was perhaps best stated by a very prominent security expert, Bruce Schneier, who said, “Amateurs hack systems, professionals hack people.”
