Social engineering has become a real and dangerous threat to the corporate world. As companies devote more resources to technical security, technical attacks have become more expensive. Social engineering has therefore become a popular alternative for cyber criminals interested in operating cheaply. After all, these attackers seek the same high returns on investment as business owners.
One of the most alarming findings is that it does not take an experienced social engineering professional to penetrate a company effectively. Inexperienced attackers can easily get in using free resources such as Twitter, Facebook, Google search, LinkedIn and Google Street. These resources, coupled with customer service departments and call centres that are focused on customer satisfaction, are enough to gather valuable information from most targeted companies.
The following report examines the company ABC Ltd, a rapidly growing business with diversified products and aggressive acquisitions. The company’s IT staff is understaffed and lacks adequate knowledge of IT security and computer fundamentals. As a result, the company obtains IT services from XYZ Ltd. Ms. Tatyana, one of the employees assigned to provide these services, is entrusted with ABC’s premises and computers. As a result, the company’s IT security becomes exposed to hackers. The report also examines the possible solutions the company can adopt to curb the threats it faces, and the limitations it is likely to experience while employing control frameworks to reduce these threats.
ABC Ltd faces several internal threats to its IT security. This is because the company has entrusted Ms. Tatyana entirely with its premises. Ms. Tatyana is an employee of XYZ Ltd who has been assigned to provide IT services to ABC Ltd. She has unlimited access to the premises of ABC Ltd and, in addition, has been given privileged (administrative) access to the computers of ABC Ltd, including those of the CEO and CFO. This poses immense danger to the company’s IT security. One of the internal threats ABC Ltd faces is a spear phishing attack: an e-mail spoofing fraud attempt targeting the company in an effort to gain unauthorized access to confidential data. Since Ms. Tatyana has unlimited access to the company’s premises, she also interacts with the employees of ABC Ltd. These employees could disclose confidential information, from financial data to passwords, to Ms. Tatyana. Employees who are unable to identify counterfeit e-mail messages and fraudulent websites could be opening the company’s closed doors to Ms. Tatyana, who may be ill-intentioned.
Another internal threat to the IT security of ABC Ltd is the loss of computers and other data storage media. Ms. Tatyana has access to all the computers in ABC Ltd and could be a threat herself, because she shares critical information with Dallas about product pricing, business strategies, dividend policy and the prospects of ABC Ltd. Dallas then shares this with the CEO and CFO of PQR Ltd, a serious competitor of ABC Ltd. This puts ABC Ltd at serious risk of having its computers stolen in thefts arranged by its competitors to obtain vital financial information about the company.
Customers, employees and partners require secure access to business-critical applications spanning distinct platforms and operating systems, which exposes them to security risks. Attacks on business information can take place if this access is managed incorrectly. For instance, discontented employees could access sensitive business information they should not have access to, such as a colleague’s salary package from the Human Resources records. Another employee could unknowingly make incorrect financial transactions or accidentally delete records from a database. This is because the staff at ABC Ltd have an inadequate training programme on IT security and computer fundamentals. If access to these resources is not tightly monitored, fraudulent activities such as the alteration of financial records could therefore take place.
Social engineering, being a non-technical kind of intrusion, relies heavily on human interaction. It involves the use of manipulation and deception to make people divulge confidential information. It is done for the purposes of fraud, information gathering or computer system access. A social engineer usually uses the telephone or the internet to trick people into revealing a company’s top secrets, or into doing something that is against the security policies of the organization (Applegate, 2009). Social engineers therefore exploit a person’s natural tendency to trust their word. It is generally recognized that users are the weak link in security, and this principle is what makes social engineering possible. The following are some of the most common social engineering tactics:
Social networks such as Facebook, Twitter and MySpace are a virtual treasure trove of personal and corporate information for a social engineer (Mann, 2008). Social engineers connect with the people using these sites to earn their trust.
Phishing
This is a technique for fraudulently obtaining private information. The phisher sends an e-mail that appears to come from a legitimate source, e.g. a credit card company, a business or a bank, requesting authentication of information and warning of dire consequences if it is not provided. The e-mail normally contains a link to a falsified web page that appears legitimate and carries a form requesting every detail from the home address to an ATM card’s PIN.
This uses physical media and relies on the curiosity or greed of the victim. The attacker leaves a malware-infected USB flash drive, floppy disk or CD-ROM in a location where it is sure to be found, gives it a genuine-looking, curiosity-intriguing label, and simply waits for the victim to use the device (Stephanie, 2003). When the victim inserts the disk into a computer to see its contents, the user unknowingly installs the malware, most probably giving the attacker unrestricted access to the victim’s PC and possibly to the targeted company’s internal computer network. PCs set to auto-run inserted media may be compromised as soon as the rogue disk is inserted, unless computer controls block the infection.
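The paragraph above notes that the baiting tactic only works automatically on PCs that auto-run inserted media. The following PowerShell script is an added example (not part of the original report) that audits a Windows host for the AutoRun policy and, with the -Enforce switch, disables AutoRun for every drive type; it assumes Windows with PowerShell 5 or later and local administrator rights when enforcing.

```powershell
# Added example: audit (and optionally enforce) the Windows policy that disables
# AutoRun for all drive types, so a planted USB stick or CD cannot launch itself.
# Assumes Windows, PowerShell 5+, and admin rights when -Enforce is used.
param([switch]$Enforce)

$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$Name = 'NoDriveTypeAutoRun'
$Want = 0xFF   # bitmask of drive types with AutoRun disabled; 0xFF covers every type

# Read the current value, if the key and value exist at all.
$current = $null
if (Test-Path $Path) {
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -ne $props -and $props.PSObject.Properties[$Name]) {
        $current = [int]$props.$Name
    }
}

if ($current -eq $Want) {
    Write-Output ("OK: {0} = 0x{1:X2}; AutoRun is disabled for all drive types." -f $Name, $current)
    exit 0
}

$shown = if ($null -eq $current) { 'not set' } else { '0x{0:X2}' -f $current }
Write-Warning ("{0} is {1}; removable media inserted on this host may auto-run." -f $Name, $shown)

if ($Enforce) {
    # Create the policy key if it is missing, then write the DWORD value.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Want -Type DWord
    Write-Output "Set $Name to 0xFF. Sign out or restart Explorer for it to take effect."
    exit 0
}
exit 1
```

Run it without arguments on each workstation to audit (exit code 1 means non-compliant), or with -Enforce from an elevated prompt to apply the setting.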
Quid pro quo
An attacker randomly calls numbers at a company, posing as technical support. The attacker will eventually reach someone with a genuine problem, who is thankful that someone is calling to offer help. In the process, the user keys in commands that give the attacker access or introduce malware (Alim et al., 2009).
Dallas and Tatyana use the following social engineering tactics. Firstly, XYZ Ltd, of which Dallas is the CEO, encourages its employees to join social networking sites such as Twitter and Facebook. Dallas and Tatyana use these sites to win the trust of ABC Ltd employees. Ms. Tatyana also befriends Milton and Hilton via the social networks. Since Milton and Hilton have expert knowledge of the IT security of ABC Ltd, she persuades them to give her critical information about the business strategies, product pricing, dividend policy and prospects of ABC Ltd. Tatyana discusses this with Dallas, who then passes it to the CEO of PQR Ltd, a serious competitor of ABC Ltd. Ms. Tatyana is also friendly with the employees of the company where she has been assigned to provide IT services, and she uses this to manipulate them into divulging top secrets and highly critical information about ABC Ltd. Tatyana also has complete access to the premises and computers of ABC Ltd, and she could install malware that would help her gain access to sensitive information about ABC Ltd.
Tatyana and Dallas could also use physical media and rely on the curiosity of the employees at ABC Ltd. She could leave malware-infected physical media behind; when employees use it, they would unknowingly install the malware and in the process give Tatyana access to the information she requires.
ABC Ltd already has a firewall, antivirus software and physical security with video surveillance. These are extremely valuable in safeguarding the company’s data from attack. However, these internal control frameworks also have limitations. Configuring and maintaining a firewall can be a difficult task. A network firewall can lend users a false sense of security, leading them to neglect security at the machine level; if the firewall fails, this can be disastrous for the company’s data. Antivirus software also faces challenges, since new versions of malware are constantly being discovered. Researchers must first find live copies of the malware, which is always devilishly tricky, then perform forensic analysis to determine how it functions, and then create tools to identify and destroy it. They must thoroughly test the new security updates before releasing them publicly; if the updates are not thoroughly tested, they can cause performance problems and negatively affect Windows core operations. On physical security, the company should ensure that the server room is always locked when not in use. All doors should have functional locks to prevent theft, and only authorized personnel should have the key codes to access these rooms. The company can also set up an authentication system integrated into the locking system, so that every person must identify themselves with a smartcard or a biometric scan to unlock the doors. The company should also install video surveillance systems in places where they are extremely difficult to tamper with or disable. The cameras should provide a good view of all the people entering and leaving the buildings. However, video surveillance also has limitations when cameras are placed in inappropriate areas: employers could invade employees’ privacy, and video surveillance could create the feeling among employees that the company does not fully trust them. This might lead to a reduction in employees’ productivity and unhealthy relations between the employees and their employers.
In conclusion, since its IT security is at risk, ABC Ltd should take precautionary measures against data theft by outsiders such as Ms. Tatyana. ABC Ltd has competitors such as PQR Ltd, and it should therefore ensure that its information is kept secure from malicious parties who would want to learn the company’s top secrets.