By Rob Rudolf, CISSP-ISSMP, MBA

Confidence scams are as old as human history, but in the modern age, they increasingly involve technology. Cyber security professionals refer to these scams as social engineering attacks: using technology to take advantage of the natural human nature to trust. Most of us have seen spam and “phishing” e-mails. Phishing attacks are e-mails designed to get you to click on a link, launch an attachment, call a phone number, or make contact with a con artist. But did you know Social Engineering can involve phone calls, fake websites, e-mails targeted at specific personnel, and even physical activities?

If you research social engineering, you will see terms like:

• Spear Phishing: targeting specific individuals.
• Shoulder Surfing and Tailgating: bypassing physical security controls.
• Pretexting: invented scenario to take advantage of the victim.
• Baiting: offering something users cannot resist.
• Quid pro quo: helping someone solve a problem, while taking advantage of him or her.
• Ransomware: malware that holds data hostage until a ransom is paid.

Rob Rudloff is the Partner-in-Charge of Cyber Security Risk Services at RubinBrown

Petty criminals want to make a quick buck by taking advantage of individuals. The really dangerous criminals want access to your organization’s network, computers, and applications so they can steal records, trade secrets, and intellectual property or conduct major fraud. Most of the major breaches reported in the past three years can be traced to a social engineering attack. Social engineering attacks resulted in some access to the victim’s network, computers, or applications. The attackers used their foothold to access confidential systems, collect data, and exfiltrate the data from the environment. Once the attackers have the confidential data, they sell it to criminals, ransom it back, or use it to publicly embarrass the victim.

Social engineering takes advantage of human trust, so protection against these attacks needs to include a variety of methods. Here are a few ideas to reduce the risk from social engineering:

• Knowledge: understand your environment and your sensitive data.
• Internal Controls: implement internal controls to protect your financial systems from fraudulent transactions.
• Training: take time to train your team about social engineering , phishing, and the other cyber attack techniques.
• Culture: encourage a culture where it is acceptable to report potential attempts.
• Technology: many technology solutions exist to help with everything from inspecting e-mails, blocking connections to malware sites, requiring strong authentication, and logging security events. The key thing to remember is that technology is part of the overall solution; there is no silver bullet.
• Vigilance: make the effort to create an ongoing evaluation process for your organization. Test your security, people, and technology controls to identify areas of improvement.

Social engineering attacks take advantage of technology while exploiting the weak points in our defenses: our people. The threats are present, so address them using the appropriate combination of the recommendations above that fit your environment. There are many ways to reduce the risk for your organization by using the right combination of people, process, and technology.

Visit rubinbrown.com or call 303.698.1883 for information.