BreachExchange mailing list archives

10 social engineering exploits your users should be aware of


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 27 Jan 2016 18:26:41 -0600

http://www.techrepublic.com/blog/10-things/10-social-engineering-ploys-your-users-should-be-aware-of/

No matter how well you lock down network security, your company can still
be compromised. How? Social engineering. Here are 10 ways social engineers
can get to your data without touching a keyboard.

Hackers know your network security might be their toughest route to getting
at your data. So they turn to other means... such as social engineering
(SE). SE is a nontechnical method of intrusion that relies on human
interaction to trick users into handing over the keys to the kingdom.
Unfortunately, it works—and it works well. In fact, SE is one of the
biggest threats to your company security.

What should you be on the lookout for? Here are 10 common SE ploys you and
your users need to know about.

1: The familiarity exploit

This exploit is one of the most widely used by those perpetrating SE hacks.
It works like this. Hackers make themselves familiar to those around you.
Slowly but surely they become known within the confines of the company.
They come around a lot, and eventually they become trusted. At that point
they can begin working their way inside the company, gaining access to
areas of the company they shouldn't be, entering the building after hours,
etc.

2: The information exploit

When you are approached by someone with all the knowledge they should have,
it's easy to believe they are part of the plan. So when that stranger
enters the company building with an intimate knowledge of the building or
of one or more employees, you might be inclined to give them a free pass.
In today's world, it is incredibly easy to gather information about a
person. Facebook, Twitter, Instagram, Pinterest... they make everyone an
easy mark for an information exploit. If someone claims to have intimate
knowledge of a fellow employee, summon that employee to the reception area
and have them confirm the claim in person before granting any access.

3: The new hire exploit

If someone really wants to gain access to company information (or servers
or employees), they can apply for a job. This is one of the main reasons
why every new employee must be thoroughly vetted. Of course, some social
engineers will still fly under the radar. New employees should always be
put on a rather short leash at first. It might sound a bit harsh, but you
need to give them time to prove they are trustworthy around precious
company data. Even then, good social engineers will understand how that
works and wait until they've fully gained your trust before they strike.

4: The interview exploit

In a similar vein, important company information often escapes the safe
during hiring interviews. There are social engineers who know this and will
gain an interview just to squeeze all the information they can without
having to bother showing up for a single day of work. Make sure the
information handed out during an interview offers nothing in the way of
proprietary secrets. Keep it superficial; keep it common.

5: The hostile exploit

This may sound a bit counterintuitive, but it works. Most people avoid
hostile people. When you hear someone having an angry conversation on the
phone or even mumbling to themselves (as if they've just had an argument),
you will avoid them. In fact, a lot of people may avoid that person,
clearing the way into the heart of the company—and to your data. Don't be
fooled. As soon as you see something like this happening, call security.

6: The body language exploit

An experienced social engineer will be an expert at reading your body
language and using it to get their way. Breathing in concert with you,
smiling at all the right times, adapting to emotional changes—there are
many ways a social engineer can use your body language to make a connection
and earn your trust. Doing this forms a bond that enables the social
engineer to manipulate you and eventually acquire your company secrets. If
you notice a complete stranger in your company doing or saying all the
right things, your first inclination should be suspicion (or at least
curiosity).

7: The blind date exploit

This one should be obvious. We've actually watched it played out in movies
and television to perfection. A handsome or beautiful stranger asks you out
on a date. Things go perfectly. So perfectly, in fact, that second and
third dates are imminent. The stranger woos you until they can ply secrets
from you as if they were common knowledge. Far be it from me to prevent you
from having a budding romantic life, but keep your guard up should that
dreamy date start asking questions they shouldn't.

8: The consultant exploit

This has happened. A social engineer will pose as a consultant for hire,
get the gig, and drain you of your information. This is especially true
with IT consultants. You need to make sure you vet those consultants and
never give them all the keys to the kingdom. Do not trust blindly. Just
because someone has the skills to fix your servers or your network, that
doesn't mean they won't take advantage of those skills and create a
backdoor—or just blatantly copy your data. Again... vet, vet, vet.

9: The piggyback exploit

This one is easy and all too common. How it works is simple: The social
engineer waits for someone to use their passcode to enter the building and
walks in right behind them. Or the SE struggles with a heavy box and asks
the legitimate employee to hold the door for them. Being kind, the employee
waits and allows the SE entry into the building... to do what they will.

10: The tech talk exploit

You've seen the film *Hackers*, right? Remember the scene where Dade (aka
Zero Cool) calls the company and convinces the hapless employee to give him
the modem number? All he had to do was know what he was talking about and
the hapless wonder handed him every bit of information he needed. This is a
common hack. When those who don't know are confronted by those who do, most
often their lack of knowledge will lead them to hand over whatever it is the
SE needs.

Have you experienced an SE hack?

The social engineering hack exists because it's easy. If you suspect your
company is vulnerable to such exploits, make sure your employees are made
aware that such possibilities exist.

Have you ever been a victim of social engineering? If so, how did they pull
off the hack?
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 