Protecting against Social Engineering

Published on 20 November 14

On the heels of the massive Target breach in 2013, we saw several other companies falter this year. eBay, for example, had an issue that originated from a security flaw: an IT expert discovered a vulnerability that allowed him to take control of any eBay account, with the only requirement being that he knew the person's username, which is public information on the site. The rest, as they say, is history: eBay sent an email out to all users asking them to update their information. However, at that point the damage is done, and the real threat is what can happen with that data out in the world.

The biggest problem with the eBay breach is that, in addition to usernames and passwords, further information including dates of birth, telephone numbers, and addresses was also exposed. This means that via some cunning questioning, a malicious entity could call claiming to represent company X, "verify" your information with you, and then get you to provide the missing pieces of the puzzle they would need to hijack bank accounts and more. This technique is referred to as "social engineering". It isn't limited to phone conversations: emails custom-made for victims can contain private information to look that much more legitimate, resulting in even cautious users giving up the goods, as it were, and providing the hackers the information they need to really get started.

Say one of your employees receives an email that appears to come from your HR department. It may ask them to verify some information for company records, and it might include the information the hacker already has, along with some details that are only an educated guess. The employee, seeing a spoofed email address, doesn't realize that the sender is actually trying to steal information from them, so they correct the data and send it back without thinking twice. Because of this, a hacker who has been looking to get into a corporate database now has the credentials to get in without raising any red flags, since they obtained the username they were missing.
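The spoofed "HR" email in this scenario looks fine if the employee only reads the From line, but a mail gateway records several signals that give it away. The script below is an added example, not code from the original post: it parses a message with Python's standard library and flags a Reply-To domain that differs from the From domain, SPF/DKIM/DMARC failures recorded in the Authentication-Results header, an internal-sounding display name on an external sender, and a body that asks for the kind of personal data the breach exposed. The organization's domain (`example.com`) and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organization's own mail domain (hypothetical value).
ORG_DOMAIN = "example.com"

# Display names an impersonator borrows to look like an internal department.
INTERNAL_ROLE_RE = re.compile(r"\b(hr|human resources|payroll|it support|helpdesk)\b", re.I)
# Personal data a "verify your record" lure typically asks the recipient to supply.
DATA_REQUEST_RE = re.compile(
    r"\b(date of birth|phone number|home address|password|social security|account number)\b", re.I)
# method=result pairs as written by the receiving gateway in Authentication-Results.
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

# Constructed sample: From is spoofed to the real HR address, but Reply-To, the
# gateway's authentication results and the request itself all point elsewhere.
SAMPLE_SPOOFED = """\
From: "HR Department" <hr@example.com>
Reply-To: hr-records@example-hr-portal.net
To: alice@example.com
Subject: Please verify your employee record
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-hr-portal.net; dkim=none; dmarc=fail header.from=example.com
Content-Type: text/plain; charset="utf-8"

Hi Alice, please confirm your date of birth and phone number so we can update company records.
"""

# Constructed sample: a genuine internal announcement that passes every check.
SAMPLE_LEGIT = """\
From: "HR Department" <hr@example.com>
To: alice@example.com
Subject: Benefits open enrollment closes Friday
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/plain; charset="utf-8"

Reminder: benefits open enrollment closes Friday. Use the intranet portal as usual.
"""


def domain_of(header_value):
    """Lower-case domain part of a From/Reply-To header value ('' if absent)."""
    _, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


def analyze(raw_message):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To")) if msg.get("Reply-To") else from_domain

    # An internal-looking name on an outside domain is classic impersonation.
    if INTERNAL_ROLE_RE.search(display_name) and from_domain != ORG_DOMAIN:
        findings.append(f"display name '{display_name}' looks internal but sender domain is {from_domain}")
    # Replies silently routed to a different domain than the visible sender.
    if reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # SPF/DKIM/DMARC verdicts the gateway stamped on the message.
    for method, result in AUTH_RESULT_RE.findall(msg.get("Authentication-Results", "")):
        if result.lower() in ("fail", "softfail", "permerror", "temperror"):
            findings.append(f"authentication {method.lower()}={result.lower()}")

    # Collect the plain-text body (single part or every text/plain part).
    parts = msg.walk() if msg.is_multipart() else [msg]
    text = "".join(str(p.get_payload()) for p in parts if p.get_content_type() == "text/plain")
    asked = sorted({m.lower() for m in DATA_REQUEST_RE.findall(text)})
    if asked:
        findings.append("requests personal data: " + ", ".join(asked))
    return findings


def is_suspicious(raw_message):
    """True when any header-level check fails; a data request alone is only context."""
    return any(not f.startswith("requests personal data") for f in analyze(raw_message))


if __name__ == "__main__":
    for label, sample in (("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        print(label, "suspicious" if is_suspicious(sample) else "clean")
        for finding in analyze(sample):
            print("  -", finding)
```

The point of the design is that no single signal is decisive: the forged From address alone passes, and a real HR mail may legitimately ask for a phone number, so the verdict rests on the header-level checks while the data-request finding is surfaced as context for the person reviewing the alert.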

This doesn't mean that you don't need traditional security tools; far from it. If your database doesn't leak, then it is that much harder for hackers to obtain these extra nuggets of data that help them get the missing pieces: they need to find the puzzle first. This is more a matter of being prepared for additional attacks that people might not even consider. Even something as simple as providing an email address to a person who requests it can be the difference between a hacker getting into your account and walking away because they are missing the one key they need to get what they want.

This also means that traditional internet security techniques need to spread outside the traditional realm of avoiding funny emails and shoddy websites. Employees and users now also need to be cautious about receiving strange phone calls and text messages, things that haven't historically been covered by IT security training. The biggest thing that you can impart to anyone who works with your organization is vigilance, since so much data is now out and about.

To defend your organization from these threats, a firewall to protect against traditional IT threats is a must, but so is a training plan to educate employees on the potential dangers that exist on the internet. I highly recommend working with a service provider to detail any possible threats and work from there accordingly.
