Tips: Watch Out For Criminal Social Engineers
Halock Security Labs, an information security organization, warns all companies with a physical location and Internet presence to make sure security policies and procedures are strictly enforced during the holidays, because criminal social engineers are out shopping for others' confidential data. Offices are particularly vulnerable in times of increased social activity, like the holidays, because employees are accustomed to seeing new faces, new vendors, receiving many e-mail solicitations and disclosing personal financial information online while shopping.
Halock specializes in ethical hacking and social engineering -- at a client's request, to test a company's physical and Internet vulnerabilities. In one recent instance, a Halock employee was able to enter the corporate headquarters of one of the country's largest financial institutions and gain almost complete access to the company's sensitive data simply because he was carrying a cake.
"When asked what he was doing, our man simply said. 'I have cake,' and nobody wants to impede the progress of a nice looking cake -- right?!" said Jeremy Simon, Halock's CTO.
"Social engineering is typically defined as the skillful exploitation of the natural human tendency to trust. This engineering can come through an actual physical interaction, through an e-mail, as in phishing schemes or online, through falsified websites. The criminal social engineer is out to con someone into giving up credentials that can ultimately be used to generate or gain access to sensitive information," said Terry Kurzynski, CEO, Halock Security Labs. "And during the holidays companies are inundated with strange names and faces in the form of guests, delivery people, greeting cards, special offer Web sites -- the list is endless. Some of these guests are quite unwelcome," he adds.
What can a company do to make sure that they don't inadvertently let the Grinch spoil Christmas?
Here are a few techniques that Halock Security Labs recommends:
- Stick to your policies and procedures. Carefully track visitors coming and going into your facility. If you don't recognize someone or they are not displaying the correct badge or ID, ask them their purpose and who they are working with. It will become clear if they belong within the walls of your organization.
- If your organization has a clean desk policy and/or a system lock policy for unattended systems, be sure to enforce those policies. Shred documents that contain confidential or sensitive data. This goes for home and work. Identity thieves pray off of the garbage can. Criminals that have socially engineered their way into an organization will be looking for low hanging fruit including paper documents or systems left unattended. They may try to quickly install a malware program on systems left unlocked and potentially gain administrative rights remotely to that machine.
- As for your online shopping this holiday season, be sure to locate the little picture of a lock the on bottom of Web pages whenever you provide private information, including credit card numbers, name and address. Be especially careful of phishing attempts to get your password, social security number, account number, or credit card number based on an e-mail that has arrived in your inbox. Never click on hyperlinks in e-mails unless the message comes from a trusted source (and even then, be careful.) And don't ever give out your password, credit card number or social security number via e-mail.