January 19, 2016

Hacking People: Your Greatest Security Risks Are Inside the Enterprise

When CIA Director John Brennan was hacked in October 2015, few expected the culprit to turn out to be a self-proclaimed high school student. By posing as a technician, the young hacker tricked an employee at Brennan’s service provider into releasing the spy chief’s personal information. The hacker then reset the password on Brennan’s personal email account and accessed sensitive government documents, including Brennan’s application for top-secret security clearance and a spreadsheet with the names and social security numbers of government employees.

The Social Engineering Con

This case shows the power of social engineering, or the art of hacking humans. Using psychological manipulation to hack employees is significantly easier than scouring code or systems for enterprise vulnerabilities. Social engineering takes far less effort: rather than poring over code, hackers cruise Facebook accounts and LinkedIn profiles for information that helps them establish familiarity with selected targets.

LinkedIn profiles, for example, help hackers build organizational employee email lists. These lists will almost never include IT staffers, as attack queries would likely raise red flags. But HR, accounting, customer service, and marketing personnel make attractive targets, as they’re more likely to respond to requests expressing urgency. With a clever enough ruse, your employees can be persuaded to surrender sensitive information or to click on a link or attachment that unleashes malicious code.

Building Social Engineering Defenses

Obviously, traditional perimeter security measures such as firewalls, breach detection measures, and anti-virus software are all but useless against social engineering attacks. Guarding against these threats requires effective awareness and training programs that include frequent reminders and follow-up sessions to keep employees vigilant.

Training is a potent defense against social engineering hacks. It not only substantially reduces the number of people who fall victim to such attacks, it creates a network of “human sensors.” And humans are far more effective at detecting attacks than almost any technology.

Supplement training with periodic social engineering tests to identify vulnerabilities and to measure whether training is working. A typical test sends emails with fake links to targeted employees, such as new hires. Employees who click the link land on a page of training resources, while the test platform records who clicked and reports the results.
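To show what such a test platform has to track, here is an added example (not code from the original article or from any product): a minimal phishing-simulation tracker that mints a per-recipient link, logs a click once, redirects the clicker to a training page, and reports click rates overall, per department and for new hires. All names, URLs and the sample staff list are constructed for the example.

```python
import secrets
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

TRAINING_URL = "https://training.example.invalid/lesson"  # placeholder landing page

@dataclass
class Employee:
    email: str
    department: str
    new_hire: bool = False
@dataclass
class Campaign:
    base_url: str                                              # host the fake link points at
    tokens: Dict[str, Employee] = field(default_factory=dict)  # token -> recipient
    clicked: Set[str] = field(default_factory=set)             # tokens that were clicked

    def issue_link(self, emp: Employee) -> str:
        token = secrets.token_urlsafe(16)  # unguessable, so clicks are attributable
        self.tokens[token] = emp
        return f"{self.base_url}/t/{token}"

    def record_click(self, token: str) -> Optional[str]:
        """Landing handler: log the click once, redirect to training; ignore bad tokens."""
        if token not in self.tokens:
            return None
        self.clicked.add(token)
        return TRAINING_URL

    def report(self) -> Dict[str, float]:
        """Click rate overall, per department and for new hires vs. tenured staff."""
        sent, hits = defaultdict(int), defaultdict(int)
        for token, emp in self.tokens.items():
            for key in (emp.department, "new_hire" if emp.new_hire else "tenured"):
                sent[key] += 1
                hits[key] += token in self.clicked
        rates = {k: round(hits[k] / sent[k], 2) for k in sent}
        rates["overall"] = round(len(self.clicked) / len(self.tokens), 2) if self.tokens else 0.0
        return rates
def run_demo() -> Dict[str, float]:
    """Constructed sample staff: two HR clicks (one repeated), plus one bogus token."""
    c = Campaign("https://mail-notice.example.invalid")
    staff = [Employee("a@corp.example", "HR", True), Employee("b@corp.example", "HR"),
             Employee("c@corp.example", "Accounting"), Employee("d@corp.example", "IT")]
    links = [c.issue_link(e) for e in staff]
    for url in links[:2] + [links[0]]:
        c.record_click(url.rsplit("/", 1)[1])
    c.record_click("not-a-real-token")
    return c.report()
```

Feeding the report back into follow-up sessions is the point: the departments or cohorts with the highest rates are the ones that need the next reminder.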

To create greater social engineering threat awareness, train employees to:

  • Resist the urge to click on suspicious email links and attachments, even if the sender seems familiar
  • Be wary of urgent requests for information
  • Type URLs included in emails directly into the web browser rather than clicking on links
  • Follow a clear process to report suspicious activity

The prevalence of social media provides hackers with a target-rich environment through which they can launch attacks. But with diligent awareness and training, your people can function as effective security tools, working to keep your business-critical data safe and sound.
