Sunday, September 16, 2012

The Importance of Training Your Staff About Social Engineering

The internet is a joy for millions of people worldwide. You can gain insightful information, shop, pay bills, and talk to people on the other side of the country or world – all via the internet.

Unfortunately, in the wrong hands, the internet can also be a nightmare for the same people who cherish it. This is because of the latest scheming method called social engineering.

What is Social Engineering?

Social engineering is a technique con artists use to gain unauthorized access to a company’s sensitive data. There’s a twist, however, with this type of conning versus traditional hacking methods: it targets people rather than systems. The con artist visits a company and poses as an IT person. Before taking on this role, he plans a strategy that includes befriending a particular company employee. Relying on human psychology, the friendly, fake IT person then tricks the employee into revealing private information such as an office account, a password, or company data.

Some fake IT persons even manage to eavesdrop on employees talking about company business and overhear sensitive details. With what they have gathered, the con artist has the information needed to get past firewalls and other security systems – gaining full access to private information.

Meet Cosmo the Hacker 'God'

Social engineering has con artists as young as 15 years old. This is the age of Cosmo the Hacker 'God'.

Cosmo took on the role of social engineer within his group UGNazi (short for "underground nazi"). For nearly a year, they stole private data from financial and government institutions such as NASDAQ, the CIA, and California’s government website. They even managed to steal New York mayor Michael Bloomberg’s Social Security number and address.

They even used social engineering on accounts from Amazon, Apple, AOL, AT&T, Best Buy, Microsoft, Netflix, Network Solutions, PayPal, Sprint and T-Mobile.

Cosmo and his robbing crew were arrested. He’s awaiting a court date, possibly ending with him spending his 16th birthday, which is in March, behind prison bars.

Unfortunately, social engineering doesn’t end with Cosmo. There are thousands – maybe millions – of other social engineers who are either planning their hacking strategy or already carrying it out.

This is why it’s important to train your staff about social engineering so they won’t put your company’s private data into the wrong hands.

Read more about Cosmo in Mat Honan's blog post at this link:
Cosmo, the Hacker ‘God’ Who Fell to Earth

How to Train Your Staff to Recognize Social Engineering

The following five tips will help you train your staff to recognize social engineering before hackers obtain your business data:

1) Train your staff to provide good customer service … with caution. Every business wants a good image, and this starts with providing good customer service. However, it’s this friendliness that hackers prey on. They use it to their advantage by claiming they need some private information in order to do their IT job.

Combat their conniving strategy by training your staff to verify all inquiries – regardless of who a person claims to be. This is a very important step, since social engineers are very good at lying.

2) Secure your business. You wouldn't let just anyone into your home. You’d secure it with a home alarm system, burglar bars, a watch dog – you’d make sure it’s safe. So why not do the same for your business?

Therefore, consider hiring a security company. Check whether any complaints have ever been filed against the company and whether they screen their potential employees. They can be the gatekeeper of your business: let them verify everyone who enters your building by requiring proof of identity.

And this leads to the next tip …

3) Make a phone call to validate any IT person asking for assistance. Con artists posing as IT workers will ask an employee for permission to download something onto their computer. Or they might request a password. They will claim these requests are necessary in order to fix a computer problem.

Unless this person has worked on your computer before, their requests should be denied. Instruct your employees to call the IT company and validate the worker and their request.

Also, workers who handle private information should validate inquiries using non-public information, including calling the person back on a number already on file. Again, this protects your company from data leakage and from con artists eager to steal private data.

4) Train your staff to avoid picking up strange items such as USB keys. If an employee finds a USB key, the last thing they should do is plug it into their computer. That USB key can be the con artist’s key to stealing every piece of data on it.

Instead, designate a lost and found area in your business where employees can return items they find. Also, be sure to assign a gatekeeper to this area, because curious minds might come back to see what’s on the device, or take it, and leak the information themselves – playing into the human psychology of curiosity. Remember, social engineering relies on human psychology.
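One technical backstop for this tip, added here as an example and not part of the original post: a PowerShell script that reports which USB disks are attached to a Windows PC and checks (or, with -Enforce, sets) the standard Windows "Removable Storage Access" policy values so that a found USB key cannot be read, written or run from even if someone does plug it in. The registry path and the Removable Disks class GUID are the ones behind the corresponding Group Policy settings; the -Enforce switch, the function names and the script itself are this example's own. In a domain you would set the same policy centrally through Group Policy rather than editing each machine.

```powershell
# Added example: audit (and optionally enforce) the Windows "Removable Storage Access"
# policy for removable disks. Run from an elevated PowerShell prompt to enforce.
[CmdletBinding()]
param(
    [switch]$Enforce   # without -Enforce the script only reports the current state
)

# Registry location behind the Group Policy folder System > Removable Storage Access,
# and the device class GUID the "Removable Disks: Deny ... access" settings use.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$removableDiskClass = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-RemovableStoragePolicy {
    # Returns 1 for each restriction that is set, 0 when it is absent.
    $result = [ordered]@{ DenyAll = 0; DenyRead = 0; DenyWrite = 0; DenyExecute = 0 }
    if (Test-Path $policyRoot) {
        $all = Get-ItemProperty -Path $policyRoot -ErrorAction SilentlyContinue
        if ($null -ne $all.Deny_All) { $result.DenyAll = [int]$all.Deny_All }
    }
    $classKey = Join-Path $policyRoot $removableDiskClass
    if (Test-Path $classKey) {
        $disk = Get-ItemProperty -Path $classKey -ErrorAction SilentlyContinue
        foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
            if ($null -ne $disk.$name) { $result[($name -replace '_', '')] = [int]$disk.$name }
        }
    }
    [pscustomobject]$result
}

function Set-RemovableStorageDenied {
    # Denies read, write and execute on removable disks only; CD/DVD, tape and
    # other classes are left untouched so deliberate exceptions stay possible.
    $classKey = Join-Path $policyRoot $removableDiskClass
    New-Item -Path $classKey -Force | Out-Null
    foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
        New-ItemProperty -Path $classKey -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# What is plugged in right now, so the help desk can check against the lost-and-found log.
Write-Host 'USB disks currently attached:'
Get-CimInstance -ClassName Win32_DiskDrive |
    Where-Object { $_.InterfaceType -eq 'USB' } |
    Select-Object Model, SerialNumber, @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB, 1) } } |
    Format-Table -AutoSize

Write-Host 'Removable-disk policy before (1 = denied):'
Get-RemovableStoragePolicy | Format-List

if ($Enforce) {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'Run from an elevated PowerShell prompt to enforce the policy.' }

    Set-RemovableStorageDenied
    Write-Host 'Removable-disk policy after (1 = denied):'
    Get-RemovableStoragePolicy | Format-List
}
```

Run it once without -Enforce to see the current state, then with -Enforce on a test machine. The restriction applies to devices connected from then on, so unplug and reconnect a test drive (or reboot) and run the script again without -Enforce to confirm the values stuck.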

5) Advise employees to monitor their conversations. Explain to your employees that you never know who’s around and listening to every word they say. While they might think people are eavesdropping on their hot date the night before or how their spouse irked them for the millionth time, hackers using social engineering couldn’t care less about these details. Instead they’re interested in private information that will give them a gateway into your business’s private systems.

So tell them to watch what they say and, most importantly, not to discuss business information so openly, especially in the presence of other people.

Training your employees with these tips will enable you to combat hackers relying on the wits of social engineering.
