A New Form of Hacking

I recently learned about a new kind of computer hacking from Kevin Mitnick, a speaker at the recent 2017 AmeriQuest Symposium in Orlando who addressed a topic known as “social engineering.” Not so long ago, Mitnick was one of the world’s Most Wanted hackers.

He defined social engineering as “a form of hacking that relies on influence, deception and manipulation to convince another person to comply with a request in order to compromise their computer network.”

Hackers use social engineering for a variety of reasons:

  • It’s easier than doing software or technology hacks
  • It is nearly 99.5% effective
  • It leaves no audit trail

The real problem with social engineering is that your employees are unwittingly revealing information that the hacker then uses against you or your company.

Hackers start by doing information reconnaissance looking for organization charts, names and titles of employees so they can determine the type of information the employee may have access to. They can go to places like LinkedIn, enter your company’s name, get the names of key employees and find everything they need to determine who is in the “circle of trust” for those employees.

When hackers launch these social engineering hacks, they prepare in advance by adopting a role or identity and developing reasons to call your employees.

Another favorite trick is to send via snail mail a thumb drive specialty gift that looks like it comes from someone who is in that employee’s circle of trust. They go so far as to imprint the company logo on the drive and package it from the company they are impersonating. Since the recipient thinks the drive is coming from someone they trust, they insert it in their USB port. This allows the hackers to unleash a Trojan horse (virus) onto that computer or to steal passwords and other important data.

Mitnick advised meeting attendees to be careful when connecting to free wireless networks because hackers are setting up fake wireless networks which allow them to access information. He also said to be wary of software update notices; they could also be fake. Once a fake update is downloaded, the hackers have access to that computer and the all information it contains.

More sophisticated attacks are launched via browsers, media players, document readers and booby-trapped PDFs.

Why are these social engineering hackers successful? Mitnick says it’s because “there is a hole in the human firewall. People think it can’t happen to them.” Another reason is because of people’s natural desire to help.

So how do you prevent your employees from falling victim to these tactics? First inform them about the sophisticated tactics hackers are using today. You can also do mock attacks to test how your employees respond and then educate them on the right way to deal with these situations. You also need to establish a social engineering incident response program as well as modifying what Mitnick calls “your company politeness policy.”

He strongly recommends telling your employees, “It is okay to say no to information request.”

When building your human firewall, keep it simple. Set up a protocol that is easy to understand and follow. Develop interactive social engineering resistance training and whenever possible, use technology to take decision making out of the hands of your employees.

Read this cool event review and other interesting articles at the source.

Source: FleetOwner

Topics: Social Engineering, Trojan virus, fake update, human firewall, thumb drive, fraudulent email, hacking, keynote speaker, security awareness training, LinkedIn, snail mail, USB, wireless networks, AmeriQuest Symposium, booby trapped PDF, Orlando, Kevin Mitnick

Latest Posts

Kevin offers three excellent presentations, two are based on his best-selling books. His presentations are akin to technology magic shows that educate and inform while keeping people on the edge of their seats. He offers expert commentary on issues related to information security and increases “security awareness.”

Redefining Your Enterprise’s Cyber Security Posture During Mergers & Acquisitions

With 3,205 data compromises occurring in 2023 alone, fortifying your enterprise’s cybersecurity posture is more important than ever.

Read more ›

Choosing a Penetration Testing Company for Mac-based Environments

Powering your business with Apple devices because of their reputable security and privacy features? You may be surprised to learn that while Apple dev..

Read more ›

AI in Cyber Security: Impacts, Benefits, and More To Be Aware Of

Artificial intelligence in cybersecurity has been a hot topic lately, especially with the rise of OpenAI’s ChatGPT. But does that mean it would make a..

Read more ›