Whether it is dumpster diving, pod slurping, or impersonating someone else, hackers know that social engineering is still an effective way to penetrate our security. Social engineering hits directly at our weakest spot: people. People remain the weakest link in the security chain, and the problem is hard to fix because fixing it means changing behavior.
I recently had the opportunity to talk about social engineering with Carl Herberger. Carl is VP of Information Security and Compliance Services with Evolve IP, a managed technology provider. I asked Carl why hackers are still using social engineering to gain access to organizations. He told me, "it's easier to infiltrate an organization because security is not focused here. Technology can't fix this problem alone, it requires a change in behavior." Carl listed five vulnerabilities tied to bad behaviors:
- People want to be helpful. Sometimes the help goes too far and they give away too much information.
- People want to avoid confrontation. Some people find it difficult to ask others to prove who they are, because they don't want a confrontation.
- People like convenience. No one wants to be put out by additional security even though it may benefit the organization.
- People are messy. By nature, they leave paper around, copy multiple people on e-mail, and leak data.
- People are curious. A great example is an employee who finds a USB drive in the parking lot. The first thing they do when they get to their desk is plug it in to see what's on it.
Even though social engineering attacks are some of the most difficult to defend against, not all is lost. There are technical controls that can be put into place:
- Lock down peripheral devices. There are commercial products that allow security administrators to completely lock down USB ports. Carl admits that this might be difficult since many devices are USB connected today.
- Use Data Loss Prevention products. Know who has access to your data, when they access it, and what they are accessing.
- Lock down mobile devices, or limit what they can connect to.
- Use encryption on every device.
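As an added illustration of the first control (this is example code written for this post, not a product from Evolve IP or any of the commercial tools Carl mentions), the PowerShell below disables the Windows USB mass-storage driver and then audits the result; it assumes an elevated session on a Windows host.

```powershell
# Added example, not from the article: enforce and audit a USB mass-storage lockdown on Windows.
# Assumes an elevated PowerShell session. The USBSTOR service's Start value controls whether the
# driver loads for USB disks: 3 (Manual) is the Windows default, 4 (Disabled) blocks it.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStorageState {
    # Read the current Start value and translate it into an audit-friendly status.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    $status = switch ($start) {
        4       { 'Blocked' }
        3       { 'Allowed' }
        default { "Unexpected ($start)" }
    }
    [pscustomobject]@{ Key = $UsbStorKey; Start = $start; Status = $status }
}

function Set-UsbStorageBlocked {
    # Set Start to 4 to block USB disks, or back to 3 to allow them again.
    param([bool]$Blocked = $true)
    $value = if ($Blocked) { 4 } else { 3 }
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value $value -Type DWord
    Get-UsbStorageState
}

# Enforce the block, then confirm it actually took effect before reporting success.
$state = Set-UsbStorageBlocked -Blocked $true
if ($state.Status -ne 'Blocked') {
    throw "USB storage lockdown not applied: Start=$($state.Start)"
}
$state | Format-List
```

Only the mass-storage driver is disabled, so keyboards, mice and other non-storage USB devices keep working, which addresses the convenience concern Carl raises; in a domain, push the same value through Group Policy rather than per host.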
In addition to the technical controls, Carl recommends that a company implement an awareness and training program. According to Carl, "if an employee does not know what social engineering is and how they can be exploited, how will they ever change their behavior?"