Social Engineering-Exposing the Wolf
(This is Part 1 of 2 essays on workplace espionage and terrorism).
Unauthorized access to sensitive company information is a relevant concern for anyone in business. Intellectual property, company secrets, and marketing information, once exploited, can break a company’s market advantage overnight. Unfortunately, such information is routinely and unwittingly given to corporate spies by employees through the use of social engineering.
Simply put, social engineering is a confidence game. It is the deceptive engagement of persons in a conversational manner to acquire valuable information. Interactions may occur via phone, email or personal contact, and traditionally have been a popular technique for computer hackers to gain access to ‘secured’ computer systems.
Just as concerning is the use of social engineering to acquire intelligence on physical environments for the purpose of conducting terrorism. By their nature, companies (or any other operating environment) have an assortment of people with extensive functional knowledge of their workplace. Though most employees know not to divulge company secrets, how many know not to discuss security procedures or infrastructure details?
For instance, receptionists often manage delivery schedules and maintenance crews are experts on seemingly innocuous physical plant information. Because of many people’s inherent desire to be helpful, such information is usually easy to extract from unsuspecting victims.
Workers in public environments (hotels, theme parks, nightclubs, etc.) are especially susceptible due to the transient nature of their clientele and the target potential for such locations. In this case, a simple ruse inquiring about a facility rental can provide cover for questions regarding security routines or capacity information, which can help in planning a terrorist attack. In addition, employees need to be reminded to use discretion in social situations such as industry mixers or networking groups, where guards are down and questioning can occur without arousing much suspicion.
How can social engineering be mitigated? Here are some tips:
- First, create “loose lips sink ships” awareness in your organization. Most people don’t realize that discussing seemingly inconsequential information can be important when viewed through a terrorist’s eyes.
- Include a social engineering component when conducting security audits including who has access to sensitive equipment, personnel schedules, or building systems.
- Encourage the all-important “does this person belong here, and why do they need this information?” question for all employees. Remember, IDs can be faked, but cover stories require extensive forethought and continuity.
- Recognize the personality types such ‘engineers’ use to gain their information, including: ‘The Kindred Spirit’ (leverages similar personal or professional interests to gain trust); ‘The Charmer’ (appeals to ego); or ‘The Simpleton’ (“Sorry! I didn’t realize this was a restricted area. What do you guys do back there?”).
Fortunately, becoming a victim of social engineering is preventable. Through proper awareness training, employees from all levels can take measures to mitigate such attempts and reinforce the notion that security is everyone’s job.
Chris Manson
Chameleon Associates, LLC