Information, according to the Merriam-Webster dictionary, is “the communication or reception of knowledge or intelligence”. It is also defined as “knowledge obtained from investigation, study or instruction” and likened to facts, data and intelligence. Information Security (sometimes shortened to IS or InfoSec) is the practice of preventing unauthorized access, use, disclosure, modification, inspection or destruction of digital and non-digital information.
There are several techniques or methods of social engineering used to attack sensitive, private and confidential information. Some of these are:
Phishing and Spear Phishing: phishing techniques focus on sending out large numbers of generalized e-mails in the expectation that only a few recipients will reveal private information or data. Spear phishing e-mails require the attacker to perform additional research on specific targets in order to trick them into performing the requested activities.
Voice phishing, also called vishing, uses a rogue interactive voice response (IVR) system to recreate a legitimate-sounding copy of a bank’s or other institution’s IVR system. The victims are told to call the bank on a number provided in order to verify information. The victims receive the message via e-mail, and more advanced systems transfer the victim to the attacker/phisher, who poses as a customer service agent or security expert in order to question the victim further.
Watering Hole: a computer attack strategy in which the attacker guesses or observes which websites a particular group, organization, industry or region often uses and infects one or more of them with malware so that members of the group get infected. Relying on websites that the group trusts makes this strategy effective, even against groups that are resistant to spear phishing and other forms of phishing.
Online Baiting exploits human curiosity. Attackers create malware-infected floppy disks, CD-ROMs or USB flash drives, give them legitimate-looking labels designed to make people curious enough to plug them into a system, and leave them in locations where the targets will find them. Inserting the disk into a computer installs malware, giving the attacker access to the victim’s PC and possibly to the target company’s internal computer network.
Quid Pro Quo Social Engineering Attack, aka “something for something”. In this strategy an attacker creates or causes a problem for the victim, then contacts the victim pretending to be a technical support officer, an agent or someone else who can offer help. The attacker eventually helps the victim get rid of the problem, but in the process requests that the target input commands that allow the attacker to launch malware or that give the attacker access.
Fortunately, there are several ways to prevent or mitigate these attacks, including:
- Implement data classification in the organization and grant privileges only on a “need to know” basis.
- Identify which information is sensitive and evaluate its exposure to attackers and to breakdowns in security systems.
- Establish security protocols, policies and procedures for handling sensitive information.
- Train employees in the security protocols relevant to their position. If a person’s identity cannot be verified, employees must be trained to politely refuse the request.
- Specify when, where, why and how sensitive information should be handled, and train personnel accordingly.
- Perform unannounced, periodic tests of the security framework.
- Prevent social engineering and other fraudulent tricks or traps by instilling resistance to persuasion attempts through exposure to similar or related attempts.
- Enforce approved, regular software updates and patches.
- Install shredding machines in sensitive areas.
- Do not throw away or discard old disks carelessly. Ensure proper procedures are followed for the disposal of old computer systems.
- Conduct security awareness seminars for all staff and vendors who must work within your network.
Companies should thoroughly monitor their websites and networks and block any traffic in which malicious content is detected. Often, employees become the moles and create the loopholes through which information leaks. It is advised that a non-disclosure agreement be signed annually to keep sensitive information undisclosed and to make employees more responsible for its safety. Be wise in handling information and smarter in disclosing it.