Using Social Engineering to Manipulate – Day 7 of Cybersecurity Awareness Month 2021
Mike Miller
Today we’re going to talk about social engineering with Craig Taylor of CyberHoot. And there’s a lot to it. So Craig, could you share what social engineering is, and what some of the examples are?
Craig Taylor
Sure, I’m happy to do that. Social engineering, for anyone that’s ever watched a TV show called Mr. Robot, was central to the hacker getting into wherever he wanted, or to breaking into networks through email or logical attacks.
So in a nutshell, social engineering is convincing someone in your small business to carry out an unauthorized action, or give privileged information or privileged access to something in your business that they shouldn’t or aren’t permitted to go or to have access to.
So it’s convincing someone to give you something that you’re not supposed to have. That in a nutshell, is social engineering. And it can be physical or logical. And what I mean by that is hackers or attackers, will show up at your business as a utility worker, or as a contractor, and try to work their way into your business unknown, unnoticed, and they can blend in because they’re one of those types of utility workers.
And logically, they will be sending you phishing attacks, which are emails that are designed to steal your credentials if you fall for it. Or that you might be urged to download a file and install malware into your computer that grants the hacker access to your network and ultimately, your data.
Mike Miller
Okay, how can we defend against it?
Craig Taylor
So social engineering is all about knowing what it is, and you need to train your employees and have policies to govern their behaviors around physical and logical security.
So for training, you want to train your employees to question or to offer assistance to unexpected visitors. On the logical side, you need to teach them how to identify a phishing email. And by the way, there are other forms of phishing: there’s phishing via voicemails that are left by hackers trying to get you to respond to them by calling them back.
There are text messages that go to your phone. If you’ve received these, it’s like, here’s a link you need, you want a prize, click the link; that’s called smishing. It’s all similar veins of phishing, smishing, vishing, which is social engineering, getting you to do something you’re not supposed to. A lot of these requests, an easy way to spot them is that they create a sense of urgency.
Because hackers and social psychologists both know that if you have to make a snap decision, you may be tricked into making the wrong one. Given enough time, I’m sure all of us could sniff out a social engineering attack against us physically or logically. But the urgency makes us make that snap decision and make some mistake. Another thing that you can do is you need to be aware that physical social engineers will try to befriend you, they’ll commiserate with you.
They’ll drop names of important people in your company, and you can’t fall victim to that line of questioning, to that line of befriending you or being a shoulder to cry on. You just need to be very clear and understand, and have your employees trained, that it’s not an option for you to be friendly and hold the door for someone coming to your office with their arms full of books.
You need to ask them who they’re going to see and what they’re doing there, because you don’t recognize them. Right. So that’s another physical one. So there’s the training aspect of it. There are policies that say we do expect you to question unexpected guests in our offices, and to be on the lookout, and train them on spotting and avoiding phishing and smishing attacks.