Abstract

The formidable threat: social engineering sounds like the stuff of spy movies, but it is very real, as some recent high-profile cases show. Social engineering works; it is very effective because it is a powerful psychological technique. The HP scandal, in which investigators impersonated board members, employees and journalists to obtain phone records, shows just how far determined social engineers will go. Some HP employees took it slightly too far, however, with directors having to file a statement with the US Securities and Exchange Commission (SEC) admitting to the company's violations. Social engineering is a threat that has evolved in sophistication in the last decade, but countermeasures have not kept pace. The one real countermeasure is to build security awareness in staff. Staff need to be aware of attacks on two fronts, because there are two types of social engineering: technology-based and human-based deception. Social engineers will often claim they are real employees, and will ask to be emailed confidential information at a valid address as well as an external one. All employees, especially those with privileged information, including executives, human resource personnel, and personal administrators, must know how to spot a fraudster a mile away. Employees must also be coached to stay calm and not reveal their suspicions to the fraudster. Security experts Richard Power and Dario Forte dissect the sneaky tactics that staff should watch out for…

Social engineering, the practice of conning people into sharing sensitive information, is a cyber security threat that has evolved in sophistication and broadened in scope over the decade we have been both writing about it and training people how to thwart it. Unfortunately, in most organizations, countermeasures against social engineering have not kept pace.
