Gauteng Business News

Send  Share  RSS  Twitter  01 Oct 2012

HR: Social Engineering: the Art Of Intrusion


Recent Gauteng Business News

Social engineering is about hacking the human mind, something that in many ways is significantly easier than finding a new software vulnerability and using it as a gateway into your enterprise. These vulnerabilities, called zero-days, can cost tens of thousands of dollars in the hacker underground – money that can be saved if someone can be conned into installing a computer virus on their own machine. After all, there is no need to go through the effort of picking a lock when you can talk someone into letting you into their home, says Doros Hadjizenonos, South Africa Sales Manager at Check Point Software Technologies

But just what makes for a good social engineering attack‘ The key is the lure, which can vary from an attention-grabbing post on Facebook about a celebrity to emails with subject lines about your company’s business. One of the most publicised attacks of the past year was the attack on RSA, which started with an employee opening up an email entitled: ‘2011 Recruitment Plan.’ When the employee opened the accompanying attachment, the person set off a change of events that led to data being compromised. While hacking a system requires knowledge of programming vulnerabilities, hacking the human mind requires a different kind of knowledge – specifically, what types of emails or links is the victim most likely to click on.

One way to get a hold of that information is to target people according to their jobs and interests, and there is perhaps no greater source of data on those subjects than social networks. A cruise through a LinkedIn profile can reveal a person’s work history and position; a gander at Facebook accounts can uncover their friends and hobbies. While social networks have done a lot in the past few years to bolster their privacy controls, many users may not use them or may inadvertently render them ineffective by ‘friending’ someone they do not really know. Research has shown the average fake profile on Facebook has an average of 726 ‘friends’ – more than five times as many as a typical user of the site.

Hacking the human mind also takes other forms as well. For example, search engine optimisation (SEO) is a favorite technique of hackers. The idea behind SEO is to increase the ranking of your website on search engines such as Google. In the right hands, this is perfectly legitimate; in the wrong ones, it increases the likelihood people will land on a malicious site. There are also techniques that are far less technical, such as an old-fashioned telephone conversation that gets someone to let their guard down.

Just recently, Check Point sponsored a study by Dimensional Research that revealed that 43 percent of the 853 IT professionals around the globe surveyed said they had been targeted by social engineering schemes. The survey also found that new employees are the most susceptible to attacks, with 60 percent citing recent hires as being at “high risk” for social engineering. Unfortunately, training does not seem to be keeping up with the threats, as just 26 percent of respondents do ongoing training and 34 percent said they make no attempts to educate employees at all. The good news is the tides are changing and more businesses are raising awareness about security threats – and what social engineering techniques employees may be susceptible to.

Education is a key element of defending against attacks, but the process begins with having sound policies for protecting data. This includes controlling who has access to what information, and setting policies that are enforceable and conducive to business operations. From there, employees should be educated on what the policies are and then tested on them. Key to this is sharing information about the attacks that are detected so employees can better understand how they are being targeted. Often, a good dose of caution can go a long way – if an unexpected email arrives asking for private information, follow up with the purported sender to make sure it is legitimate.

Buttressing all this should be networks and endpoints protected by best practices and the latest security fixes, but at its heart, fighting hacks against the human mind requires attitudinal changes more than technological weapons. If there is antivirus for the human mind, it has to be updated with knowledge of corporate policies and an understanding of how attackers are targeting their victims. Incorporating that information into a training program can be the difference between a data breach and a quiet night at the office.

HBC-SolutionsBusiness Profilesjane-shonfeldohse-consultancyperfect-wedding

Online Foreign Exchange
Foreign Exchange


Fax 2 Email



Online Casino


Shop Online

Study IT
Study IT Online

Web design
Web Design


Work from Home
Company News


© 2021 All rights reserved.

Daily Newsletter Subscription


Subscribe to the Gauteng Business News Daily News and information email (it's free).

Thank You
Your email address has been added.

Email Address: