Most people think securing computer systems is the job of the IT department and the software you install. Furthermore, it is commonly believed that most security breaches are the work of “hackers” compromising an organization’s web site. Consequently, many conclude that an organization’s security is not really their problem, but that of the “network gurus” protecting the web site.
In fact, this perception is quite wrong. One report showed that a staggering 70% (!!) of security breaches were not caused by hackers, but by “internal vulnerabilities.” These include lost or stolen equipment, and accidental or malicious employee attacks. The recent theft of Target store’s customer credit cards was not the result of an internet hack, but was actually carried out inside the stores via the checkout system.
Experts describe methods of defeating computer security by manipulating human targets, rather than computer systems, as “Social Engineering.” As the statistics above show, social engineering is a far more effective way to get into secure network areas than hacking. Here are just a few of the ways that you can be targeted to become an accomplice in the compromise of your organization’s network.
- Your equipment is stolen. Make sure all your devices holding critical information are password protected and have a remote-wipe or self-erase feature enabled, if one exists. This includes laptops, smartphones and tablets.
- Posting passwords in open spaces, such as on your desk, where they can easily be read or photographed by a passerby. See how you can better manage your passwords.
- Phishing emails or, even worse, unsolicited phone calls. The trick with these types of attacks is that the attacker approaches you posing as someone in authority. For example, you may get a phone call from someone in “Human Resources” asking for your Social Security Number. You need to be suspicious of such people. Ask for validation of who they say they are and then verify it independently. Scammers like to pose as network administrators who ask for your login information, so be wary of unexpected calls from such people.
- Attachments. Be suspicious of any email that has an attachment you did not expect to receive. Here are some ways you can avoid going to bad websites.
- “Click the Link” promotions, such as those linking to Facebook pages. These can often take you to dangerous web sites. It is best to just delete these kinds of emails.
- Be suspicious of free wi-fi hotspots. Posing as a good Samaritan, troublemakers will make such networks available in order to easily collect passwords and credit card information. I personally know of a case where an organization was able to hack into a casino (à la “Ocean’s Eleven”) by offering a free hotspot to one of the executives in the organization.
- Someone watching over your shoulder. If you are in a public area, be wary of anybody lingering around you. Security agencies already have software in place that scrambles monitors to onlookers. Look for apps to appear in the next few years that will keep clear only what your eyes are looking at and scramble the rest for everyone else.
- Dumpster diving. You should shred or securely dispose of any paper or materials that contain or point to secure data. Just as in the movies, people will go through your trash to find what they want. Even things as seemingly innocuous as organization charts can be a starting point for system compromise. For example, org charts can be used in phishing phone calls, as described earlier.
There are many other examples of how people can be manipulated into giving privileged information, but the ones listed are among the most popular and effective.
Your organization’s internal data can be a source of money to an outsider. They will prey on human trust to break in. Make sure you place trust in the right places to keep you and your organization safe.