We often talk about social engineering in the context of phishing (general) and spear phishing (targeted) attacks, in which scammers, fraudsters and ne’er-do-wells use plausible-sounding emails to lure unsuspecting, unprepared — some might even say unprofessional — workers into clicking links that download malware and endanger corporate networks. But have you considered where they might get their information in the first place? How do they know who to target? How do they know how to target them?
There are many ways of digging up information about people, but by far the easiest is to rely on their indiscretion. People are astonishingly careless with their information. Online, it’s amazing how much personal data you can gather with just five minutes’ googling. Facebook, Twitter and LinkedIn accounts readily reveal who to target and supply details that can be exploited. If you’re a cyber criminal targeting a particular company, you can, for example, have a full list of its employees and the positions they hold within minutes. From there, you can gather more and more details with ease.
Another answer is pleasingly old-fashioned: eavesdropping.
An interesting article on Tripwire highlights an aspect of social engineering that often isn’t considered by security professionals — what employees chat about over lunch.
“The next time you’re in a restaurant or coffee shop try it for yourself and see what knowledge can be gained by simply listening,” the article says. “Employees of the target company are usually easy to spot based on the forgotten ID card dangling from their neck or corporate shirts and jackets. This is also a fantastic opportunity to learn company lingo, internal structure and even office gossip.”
One way of addressing this issue is to make staff awareness an integral part of the organisation’s security posture. Staff training is an essential aspect of corporate information security, but it is often overlooked, especially by small to medium-sized organisations that may not have the time or resources.
The international standard ISO 27001 sets out the specifications of an information security management system (ISMS), an enterprise-wide approach to information security management suitable for organisations of all sizes, sectors and locations. An ISMS encompasses people, processes and technology.
If you think your organisation doesn’t have the time or resources to implement ISO 27001, think again.
IT Governance’s FastTrack ISO 27001 Consultancy Service is designed specifically for small enterprises with fewer than 20 employees. It will help your organisation achieve certification to the Standard in just three months for a one-off consultancy fee of £5,000 +VAT.
With its low cost and fast implementation, the FastTrack ISO 27001 Consultancy Service delivers ISO 27001 compliance with minimal disruption to your business, and includes a staff training session.