In Albert’s Corner this month, thoughts on the social engineering side of hacking.
We all expend a lot of time, effort and money on hardware and software solutions to protect ourselves from digital bandits in Ukraine and elsewhere. Every month there’s a new and improved version of ransomware or a more sophisticated approach to fooling you into clicking on a phishing link. Staying up to date with the necessary combination of protective layers and employee education can be exhausting … and it also completely misses a huge part of the picture.
I just read a chilling blog post written by a guy who pretends to be a fire inspector. He and a partner barge into banks, walkie-talkies blaring, and proceed to “inspect” the facility for unsafe conditions. While the author creates an ongoing diversion, his partner crawls under desks to check power strips and so forth … and plugs USB keystroke loggers into as many PCs as he can. Then the two pretend to be interrupted by an emergency call, creating a pretext to return in a few days and collect the dongles.
Fortunately, the author of the post is actually one of the good guys, the head of a security firm. He stages these demonstrations to show banks just how vulnerable they are to social engineering, and the banks’ executives are usually – and predictably – shocked when he presents results a few days later.
Not every hacker has the chutzpah to pull off something like that … but they don’t have to. The dangers are much greater than just the “fire inspector” or the unknown delivery person who follows one of your employees through the door that’s supposed to require a key card. Consider this: how many of your staff have passwords or other login information written on a Post-It and stuck to their monitors? And how well do you know and trust the people who clean your offices after hours?
Social engineering also takes many forms outside the office. Those cute Facebook posts asking you to name your first pet or your hometown? Well, those are also common security questions for website logins. Give up that information on social media and hackers are one step closer to impersonating you online.
Hacking and malware may seem like remote possibilities in both senses of the word: it’s easy to think all the miscreants are overseas somewhere, and that the odds of it happening to you are small. Neither one of those assumptions is correct. The enemy just might show up at your front door any day, and all the firewalls and antivirus software in the world won’t protect you if they do.
Albert Blaize is Vice President of Sales and Marketing for TRG Networking. Contact him at firstname.lastname@example.org.