InfoGuard AG (Headquarter)
Lindenstrasse 10
6340 Baar
Switzerland
InfoGuard AG
Stauffacherstrasse 141
3014 Bern
Switzerland
InfoGuard Deutschland GmbH
Landsberger Straße 302
80687 Munich
Germany
To protect their information, enterprises resort to a large set of technical measures: in the best case, a mix of detective and preventive ones. Current technologies come with embedded resources, which for instance can discover targeted data breaches with the help of machine learning, or detect malware by employing next-gen endpoint protection. But what if the attack targets people instead of technology? Or still worse, if your employees hand out sensitive data to the attacker, more or less willingly? You guessed – there is social engineering hidden behind. Read our experts’ tips on how to protect yourself effectively.
First of all, the cloud offers a whole host of advantages over conventional solutions. It's dynamic, agile, modern, available as DevOps and on-demand. The latter as needed in the dimensions of scaling, availability, time, etc. - and at clearly defined costs.
Looking from the point of view of an attacker, the best way to sensitive data is invariably the one with the weakest resistance. If there is no technical vulnerability to exploit, there is always a worthwhile alternative: people.
That is exactly where social engineering picks up on. Man, and his innate “weaknesses”, are relentlessly exploited. Do you need a couple of examples of such vulnerabilities, with which an attacker can make himself busy and thus trigger specific reactions?
Want a real example? Jerry Careless finds in his mail a message that sounds attractive: “Win a trip to New York!”, promises the alleged HR team. But you have to hurry, because only the first 100 registrations will take part to the raffle. Sounds great! Who wouldn’t like to be one of the winners? Let’s go, then: it would be a pity to be the 101st. Just enter your user ID and password in this Web page… and just like Jerry, many other of the 500 recipients of the message do exactly the same…
For them, it was a blessing in disguise. Actually it was no real attack, but a social engineering audit done by our experts. However, the fear remains: you see how fast you can end up in the crosshair, and become the victim of an attack.
The huge advantage of social engineering attacks is that it doesn’t depend on the heterogeneous mix-up of technologies in the target enterprise. The attacker doesn’t have to invest any precious time in the identification and analysis of the enterprise’s IT components, and their potential vulnerabilities. Once the attacker has defined the target of his attack, off he goes. And people are incredibly helpful: under time pressure, often they forget the fundamentals of security behaviour.
An attack can be launched with the help of just a little information, which often is openly available on the target company’s Web site: e-mail addresses, telephone numbers. Social networks are good allies of social engineers: they carry information on enterprises and their employees, free for the taking, often for quite legitimate reasons.
Social Engineering can take place in the preparation of an attack, or the attack itself can consist of social engineering. So let’s start with looking into the actual phases of an attack:
The most effective protection against social engineering consists of the security awareness of employees. Since people are at the center of this issue, people can stop this risk in the budding, by choosing the correct behaviour.
If a social engineering attack is suspected, you should never lose sight of the following points:
You can find even more tips for protecting yourself from social engineering in our free social engineering checklist. Download now!
Please never forget, that social engineering is totally independent from the underlying technology. The transport medium can be an e-mail, an SMS or a telephone call: it makes no difference. A healthy dose of scepticism can help uncover a social engineering attack.
An effective protection can only be achieved with the active support of employees, obviously including management. Therefore, it is important that the basic know-how is delivered through appropriate security awareness measures, to inform all personnel on possible dangers and risks, and make them consequently sensitive to the issues. This is the only way in which behaviours and settings can be changed with a lasting effect.
Do you want to know what information about your enterprise can be found in the Internet, which can be abused in a social engineering attack? What “digital tracks” does your enterprise leave around, and how are they connected to company- and branch-specific threats?
Our Cyber Threat Intelligence Report provides you with a complete overview of your actual Internet-based threats. Call us now, and we will show you the view of an attacker on your company! You will be surprised, and ask yourself why you haven’t been attacked yet. Click here to take the offer:
Do you have questions about this post, or an actual problem? Then leave a comment or contact us directly. We are happy to hear from you, and we are ready to help you in all your needs with our professional expertise.