Picture it: you are at the next technology conference boasting about how you just spent your entire IT budget to buy the best security equipment on the market. You have earned the admiration of your peers. And then comes a call from the IT department. An employee has compromised your system by clicking on a malicious link in a phishing email, thinking it was a legitimate message from the helpdesk.
Social engineering is what happens when an individual uses manipulative tactics to have an employee bypass network security in order to access otherwise confidential information. This manipulation can take the form of a spam email, a phone call pretending to be an angry customer, or even someone walking through the front door impersonating a vendor.
Recently, the HORNE Banking team performed a social engineering test at three branches of a regional financial institution. With little more than some Googling, a visit to the local office supply store and a touch of Southern charm, we gained physical access to two of the three branch servers – simply by asking to see them.
In the three branches we visited, we encountered two branch managers and a customer service representative. The customer service rep followed procedures as if she were reading them from a script. In short, we were not going to get past the lobby without approval from the head of IT. In contrast, not only were we able to convince the branch managers to walk us through teller row and past open vaults into restricted areas, but we were also left essentially unattended with the servers. We were even able to convince them to give us access to their unlocked workstations.
The two branch managers would have had to offer us a sandwich and deep-tissue massage to make us any more comfortable in their respective server areas. Sounds nice, right? Not if you value security.
A quick search for hardware keyloggers shows how easy it is to obtain an undetectable device that allows a person to watch every keystroke entered into that system from the comfort of their La-Z-Boy. Those keystrokes can include the administrative username and password typed in during routine maintenance, or the logins used to access the loan and deposit systems. Couple this with an unlocked networked workstation, and you can see how simple it would be for viruses, scripts or malware to be delivered through a spoofed website for any number of nefarious purposes.
What can be done to prevent the threat of social engineering?
First, put policies and procedures in place for your employees to reference. Make sure your call center is properly vetting calls before divulging sensitive information. Tell employees not to click on an attachment or link in an unsolicited or strange email. (Rest assured, that foreign government official is not really going to share the millions.)
Provide ongoing awareness training. A mention of security during the annual company BBQ is not enough. Post reminders, news and information on the company intranet. Send out periodic newsletters alerting employees of potential hazards and the various ways that individuals with malicious intent attempt to take advantage of their desire for excellent customer service.
Finally, check your processes with a social engineering test. It’s the best way to gain peace of mind that your hard work and broken-record reminders have paid off.
Performing social engineering tests is likely to show that no matter how well you have configured your system and no matter how high quality your equipment may be, people are consistently inconsistent.
Are you confident in the security of your servers? HORNE can help you identify gaps and put processes in place to keep your information safe and sound.