Introduction
Today one of the most common ways to compromise the information security of an organization or an individual is social engineering. Attackers who apply these techniques successfully have gained access to sensitive and critical information held on computer and network systems.
Social engineering is a method of gaining access to data, systems, or buildings by exploiting human psychology rather than by technically complex hacking or break-in methods. The attacker manipulates individuals into providing or revealing the information needed to reach secured systems. In most cases the victims never realize that they have been tricked or manipulated, or that their systems have been compromised (Hadnagy, 2010).
Common motives for social engineering are unauthorized access to information or network systems, fraud, identity theft, industrial espionage, and disruption of a network or system.
Social engineering trends and ways
Attackers use several methods in social engineering. One is the exploitation of familiarity: the attacker gains the trust of the people to be exploited by becoming familiar to them. An attacker may impersonate someone in authority and request sensitive information by email or by telephone. Posing as someone well known to the staff, the attacker may email employees directly with the intention of obtaining sensitive information. An attacker may also recover important organizational documents from the organization's dumpster. Attackers may use pop-ups, or compromise an individual's web search and redirect it to a page they control (Williams and Sawyer, 2012). An attacker may also send targets an online form claiming to be a sweepstakes entry and request the individual's personal details; once the information is supplied, it is used for the attacker's own purposes. A more elaborate method is reverse social engineering, in which the attacker poses as someone in authority and arranges matters so that the employees come to him with their questions, volunteering information instead of being asked for it. This last method needs careful planning, research, and execution to succeed (Tolman, 2008).
Attackers use tactics that convince their targets to trust them and eventually to hand over crucial and private information. They also take care never to ask any one individual for too much; instead they gather small pieces of information from several people and assemble them.
Impact of social engineering and prevention
Social engineering usually has a negative impact on an organization, especially on its information security. It may lead to the compromise of employees' email accounts and the retrieval of information that the attacker can use to reach the organization's financial data. Access to such information may result in loss of revenue, reduced productivity, and damage to the organization's reputation.
Fighting and preventing social engineering should be an organizational priority. One strategy is to enforce strict security rules at every level and to secure the organization's network. Access to sensitive, privileged accounts should be kept to a minimum, even for employees in senior positions: only those who must use a specific account or resource of importance should hold it. These powerful accounts need strong authentication and regular audit. It is also important to audit both successful and unsuccessful attempts to access company information on a regular basis (Mann, 2012).
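As an added example of what such an audit looks like in practice (this code is not part of the original essay or of any cited book), the following script reads login records and flags two patterns that often follow a social-engineering campaign: an account that succeeds right after a run of failures from the same source (phished or guessed credentials being tried), and a single source that fails against many different accounts (password spraying with harvested usernames). The log format, the thresholds, and the sample lines are all constructed for this example.

```python
"""Audit login records for successful and unsuccessful access attempts.

Flags (thresholds are assumptions for this example):
  * success_after_failures: an account logs in successfully after at least
    FAILURES_BEFORE_SUCCESS consecutive failures from the same source;
  * password_spray: one source fails against at least SPRAY_ACCOUNTS
    distinct accounts.
"""
from collections import defaultdict
from dataclasses import dataclass
import re

# Assumed log format: "<timestamp> user=<name> src=<ip> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

FAILURES_BEFORE_SUCCESS = 3   # assumed threshold
SPRAY_ACCOUNTS = 5            # assumed threshold


@dataclass(frozen=True)
class Finding:
    kind: str      # "success_after_failures" or "password_spray"
    subject: str   # the account or the source address concerned
    detail: str


def parse(lines):
    """Return the well-formed events; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def audit(lines):
    events = parse(lines)
    findings = []
    fail_run = defaultdict(int)          # consecutive failures per (user, src)
    failed_accounts = defaultdict(set)   # accounts each source has failed against
    sprayed = set()                      # sources already reported for spraying
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["result"] == "FAIL":
            fail_run[key] += 1
            failed_accounts[ev["src"]].add(ev["user"])
            hit = len(failed_accounts[ev["src"]])
            if hit >= SPRAY_ACCOUNTS and ev["src"] not in sprayed:
                sprayed.add(ev["src"])
                findings.append(Finding("password_spray", ev["src"],
                                        f"failed against {hit} accounts by {ev['ts']}"))
        else:
            # A success is only suspicious in the light of the failures before it,
            # which is why both outcomes have to be audited together.
            if fail_run[key] >= FAILURES_BEFORE_SUCCESS:
                findings.append(Finding("success_after_failures", ev["user"],
                                        f"{fail_run[key]} failures then success "
                                        f"from {ev['src']} at {ev['ts']}"))
            fail_run[key] = 0
    return findings


# Constructed sample log for this example (not real data).
SAMPLE_LOG = [
    "2024-03-04T09:00:01Z user=bob src=10.0.0.7 result=OK",
    "2024-03-04T09:01:10Z user=alice src=198.51.100.23 result=FAIL",
    "2024-03-04T09:01:15Z user=alice src=198.51.100.23 result=FAIL",
    "2024-03-04T09:01:21Z user=alice src=198.51.100.23 result=FAIL",
    "2024-03-04T09:01:30Z user=alice src=198.51.100.23 result=OK",
    "garbage line that the parser should skip",
    "2024-03-04T09:05:00Z user=carol src=203.0.113.9 result=FAIL",
    "2024-03-04T09:05:02Z user=dave src=203.0.113.9 result=FAIL",
    "2024-03-04T09:05:04Z user=erin src=203.0.113.9 result=FAIL",
    "2024-03-04T09:05:06Z user=frank src=203.0.113.9 result=FAIL",
    "2024-03-04T09:05:08Z user=grace src=203.0.113.9 result=FAIL",
    "2024-03-04T09:05:10Z user=heidi src=203.0.113.9 result=FAIL",
    "2024-03-04T09:10:00Z user=bob src=10.0.0.7 result=FAIL",
    "2024-03-04T09:10:05Z user=bob src=10.0.0.7 result=OK",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.kind}: {f.subject} ({f.detail})")
```

Bob's single mistyped password followed by a success is below the threshold and is not reported; the audit is meant to surface the cases a reviewer should look at, not every failed login.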
An organization should also have systems in place to detect and investigate potential attacks. It should maintain a response team, which may be a virtual team drawn from several departments, that can identify the targeted areas and the resources that were compromised, contain an attack in progress without disrupting company operations, and establish ways of preventing similar attacks in future. The organization should determine whether its policies or technology contain loopholes that leave it vulnerable to such attacks, and make it a priority to change or minimize the use of those processes or technologies.
Policies that let employees and the organization's partners act securely without giving or taking offense are a great help, for example a rule that access to sensitive information or locations requires approval from the responsible authority. Awareness programs are critical, especially for the policies, processes, and technology involved. Any guidance that is established should be realistic, durable, memorable, proven effective, consistent, and concise (Mann, 2012).
Social engineering can also be carried out through the opening of malicious files. The organization should therefore train employees on how to treat untrustworthy email and attachments sent to their addresses, so that it is not unduly vulnerable to this kind of attack.
It is very important for an organization to secure its information. To do this it needs to train employees in security awareness and to use creative means of ensuring that the threat social engineering poses to the organization is understood. Employees should also be taught the skills and methods attackers use, the role they themselves play in protecting the organization, and how to avoid becoming victims. The available guidance on upholding security should be updated and refreshed regularly, and the meaning and importance of the message restated continually so that people do not lose sight of it (Mann, 2012).
Good behaviors should be enforced where necessary. Attackers often exploit the positive social norms and qualities that people possess. Behaviors such as asking individuals to state their reasons for wanting access to a specific location or piece of information should be encouraged, and organizations sometimes need to stress that saying "no" to a request is neither an offense nor a denial of anyone's rights. This restricts access to specific locations and information. Policies that require users to practise safe behaviors in realistic ways also need to be enforced when necessary, and users should understand that such measures protect both them and the organization from the consequences of social engineering attacks.
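Training is more effective when employees know what to look for, and the same indicators can be checked automatically before a message reaches them. The following added example (not code from the essay or from any cited author) scores an inbound message for the signs of the impersonation attacks described earlier and of the malicious-attachment attacks described here: a trusted colleague's display name paired with an outside address, a Reply-To that diverts replies to another domain, a sender domain that is a lookalike of the organization's own, and attachments with executable or double extensions. The organization domain, the staff directory, and both sample messages are constructed for this example.

```python
"""Heuristic phishing indicators on parsed email headers and attachments.

Everything below (ORG_DOMAIN, KNOWN_SENDERS, thresholds, samples) is an
assumption made for this example, not a real organization's data.
"""
from email import message_from_string, policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                              # assumed
KNOWN_SENDERS = {"Jane Doe": "jane.doe@example.com"}    # assumed directory
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm"}


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Levenshtein distance; a small distance between distinct domains is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, target=ORG_DOMAIN):
    """True for examp1e.com or example-it.net, false for the domain and its subdomains."""
    if not domain or domain == target or domain.endswith("." + target):
        return False
    # Heuristic: up to two character edits, or the organization's name reused
    # inside another registrable domain.
    return _edit_distance(domain, target) <= 2 or target.split(".")[0] in domain


def indicators(raw):
    """Return a list of human-readable indicators found in one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    found = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    known = KNOWN_SENDERS.get(name)
    if known and addr.lower() != known:
        found.append(f"display name '{name}' used with external address {addr}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        found.append(f"Reply-To domain {_domain(reply)} differs from From domain {from_dom}")
    if is_lookalike(from_dom):
        found.append(f"sender domain {from_dom} resembles {ORG_DOMAIN}")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        low = fname.lower()
        ext = "." + low.rsplit(".", 1)[-1] if "." in low else ""
        # Double extensions such as invoice.pdf.exe hide the real type from users.
        if ext in RISKY_EXT or low.count(".") >= 2:
            found.append(f"risky attachment name {fname}")
    return found


# Constructed sample messages for this example.
PHISH = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: finance-desk@mail-secure.net
To: bob@example.com
Subject: Urgent wire transfer
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Bob, please process the attached payment today.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Q3 numbers
MIME-Version: 1.0
Content-Type: text/plain

Bob, see the wiki for the figures.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, indicators(raw) or ["no indicators"])
```

These checks are heuristics, so they belong in front of a human decision rather than in place of one: a message that trips several of them at once is the kind of urgent request from "authority" that employees should be trained to verify out of band before acting.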
References
Hadnagy, Christopher. (2010). Social Engineering: The Art of Human Hacking. New York: John Wiley & Sons.
Mann, Ian. (2012). Hacking the Human: Social Engineering Techniques and Security Countermeasures. Aldershot: Gower Publishing.
Tolman, William H. (2008). Social Engineering. South Carolina: BiblioBazaar.
Williams, Brian & Sawyer, Stacey. (2012). Using Information Technology, 10th edition (Complete edition). McGraw-Hill Higher Education. Kindle edition.