In a discussion this week I heard a rather interesting quote: "All computer systems can be compromised, but it is vigilance and persistence that create a secure environment." This is very true. I was talking to someone who makes his living doing penetration tests on business systems, using applications that he has developed himself together with his own slant on social engineering.
One of the things he did bring up was that hacking and gaining access to business systems has started to come full circle. By this he meant that social engineering is playing a larger part of the hacking repertoire. Social engineering is a huge subject, a little larger than the space I have here, but I will touch on it for now.
In the past, a social engineering attack coordinated with a direct attack usually had the attacker gaining access at some level. This was then superseded by the script kiddies and so-called hackers who use readily available programs and exploits from the internet (usually infecting themselves in the process) as a means to access business systems. This has been augmented with viruses, spyware and malware that are broadly targeted across the internet and catch unsuspecting and insecure businesses in the net.
The newest component in the hacker's ability to gain access to your business system is the use of social engineering combined with social media to gain insight into a business's infrastructure. In the old days they would get on the phone, ring the company and get as much information as they could out of the people answering the phone. This has changed greatly with the introduction of social media.
For example: Joe is a payment receipt clerk for your business. He has a very in-depth profile on a social media site which includes all of his information: where he works, what he does, who and what he likes and dislikes, birthdays and family information. He allows anyone to see this information. A hacker can do some research and find out about Joe, and he can do some further research on your business and who you do business with. What "Mr Black" the hacker does is create a carefully prepared infected invoice (an infected PDF file) that he sends so that it appears to come from one of your subcontractors, an expected source. Joe, being an innocent worker, doesn't worry about the email because he believes it is coming from a legitimate source, so he clicks on the file. If this sounds familiar, this is how RSA (one of the most secure security systems on the internet) was compromised.
For this to happen, you have to have some seriously valuable information (critical IP) that the hacker is after, or some seriously accessible, unsecured money, to make it worth the hacker's while.
Most high-level government workers and business CIOs and CEOs, although they have profiles on social media sites, don't publish in-depth information about their everyday work environment, and even that information is only available to friends or contacts that they know.
Protecting yourself from a social engineering attack is relatively easy: keep critical business and personal information to only those people that you want to have that information, not the whole internet. Furthermore, access systems that need passwords should require high-level complexity, and you should also have some level of auditing and reporting on the internal systems to track transactions within the business.