“If it is online, it can be hacked!” This phrase has served as the motivation for both hackers and security professionals for years. Every network has its weaknesses and vulnerabilities that hackers can exploit to gain access to your network. The only way to completely avoid a potential attacker is to pull the network cable. However, depending on the circumstances, doing this could actually create the exact denial of service result the attacker intended.
A network is only as strong as its weakest link. The most common weak link in a network environment are the people that use it. It may be surprising that a company’s employees would be the initial target of an attack, however, some people do not realize the amount of valuable information that can be obtained about a company through casual conversation. Names of coworkers, email addresses, and basic company practices may seem like idle conversation, but hackers can use this information to gain valuable insight to the company in preparation to an attack. For example, an email address may seem trivial, but this could tell an attacker the typical format of employee email addresses, such as first initial and last name. Additionally, attackers can spoof an email address and send an email pretending to be that person.
It’s a dirty job, but someone has to do it. Dumpster diving is when someone goes through the discarded waste of an organization to gain information. There is a plethora of information that can be obtained simply by looking at what other people have thrown in the trash. During the early stages of an attack, there is a process called footprinting. In this reconnaissance phase, an attacker attempts to gain as much information as possible about a network environment. Typically, people don’t think about what they are throwing away or the security around the dumpsters that hold this trash. A simple dive into these bins will expose a lot about a company including names of employees, email addresses, memos, sticky notes with old passwords (or new ones), business documents, and forms, all of which can be valuable to not only gain access to a company’s network but navigate through once inside.
Phishing is by far the most common form of social engineering. Emails are abundant and employees are often targeted in this form as it is the easiest attack to set up and deploy. Phishing is when a fraudulent email tries posing as a legitimate one in order to steal information (usually personal credentials). For example, a secretary receives an email from a supposed corporate executive claiming that they cannot log into their computer and would like to use the secretary’s login credentials until the IT department fixes their account. While usually appearing legitimate, these emails will steal any information provide in the response. A good practice is to verify the person you are talking to and who they claim to be and to never click any links from a suspicious email.
A variation of phishing is spear fishing which focuses on specific targets like financial institutions or government agencies. The attacker identifies users in an organization by using common online avenues, such as Facebook, email, or the corporate webpage. The attacker might also gather names and job titles from assigned parking spaces. Afterwards, the attacker mounts a campaign to exploit employees' vulnerabilities with the goal of using their access privileges to penetrate the corporate network infrastructure. Even the best corporate security measures are vulnerable to this attack because it is an inside job and takes advantage of the people within the organization. It is launched within the corporate security perimeter by using stolen employee authentication credentials. Spear phishing is becoming more common as people are increasingly careless about revealing personal information through chat sites, blogs, and retail shopping sites.
Preventing most phishing attacks is a matter of educating users. Train your users how to spot potential attacks by holding training sessions and sending reminders about what to look out for. At the very least, you should remind your users to always check for the following potential attacker indicators:
- An HTTPS address: if a website does not have an HTTPS address or a lock icon, it is not a secure site and no personal information should be entered under any circumstance.
- The lock icon can be spoofed so users should not simply assume that its presence indicates a secure HTTPS site.
- If you receive an email from a company you are unfamiliar with, always call the company to confirm that the request is legitimate. Most companies have a 1-800 number solely for this purpose.
- Always delete any unsolicited e-mails about foreign banking; these are usually fraudulent.
Social engineering is a technique of tricking employees into divulging valuable information, such as passwords. These attacks usually prey on people’s emotions such as curiosity, anxiety, fear, and greed. When attackers target your network, every security measure that can be taken should be taken to prevent the loss of valuable company data. Spending thousands of dollars on state-of-the-art network defense equipment will not mean anything if just anyone can access the machine; similarly, a complex password will not protect your computer from unauthorized access if it is written on a sticky note next to your desk. Network security is important to any business and should always be a top priority. Educating employees about the importance of network security and establishing counter-social engineering policies and practices will provide appropriate security measures to defend your network.