Social Engineering 101

Social Engineering A

Hi again, I’m Gary Hunt and I want to start right off by thanking everybody that has downloaded, subscribed and listened (I hope, because if you download and don’t listen, well, what would be the point… right?).

Anyway, by the time you hear this, we will have passed 500 downloads of our podcasts. That makes it, oh, let’s say 5 weeks since we really started. It’s been about that long since I started only recording each episode once. I was going through a perfection obsession during the first few episodes. Obviously if you are listening you realize I came up… well, let’s just say I came up waaaay short of the perfection thing. Working full time and putting out a podcast weekly, well, let’s just say it’s not easy. I will promise you though that I never fell asleep while I was recording. Editing, well, that may be a different animal…

Since January 15th we have been hovering around the top 15 to 30 Technology, software how-to podcasts on iTunes. I would like to thank everyone for that too. This is episode 8. So, just 2 more and we will have 10 in the can. We will have to make the tenth one a little celebratory. I can say we will have a major announcement during the 10th episode, so stay tuned. (I always wanted to say that.) We are, roughly speaking, putting a podcast out every week. I want to publish on Sundays whenever possible. I am also announcing each published podcast on Google+ and Twitter, as I mentioned in the intro earlier.

How do you feel about this freakin’ weather? Have you about had it? By this time every winter Detroit on the average will have around 24” of snow. I heard on the news a couple of days ago (right after another 10”, btw) that we have reached 67.5”. I’m not an algebra scholar, but isn’t that almost 3x normal?? My fun meter ran out right around 24”. We have a little… well, let’s just call it a tongue-firmly-in-cheek editorial about the weather later this episode.

This week we are talking about Social Engineering. This subject covers the methods criminals use to steal your data, your identity, and any and all of your secrets they can get their hands on. Like it or not, you are worth money. Joe Ross, President of CSID (a leading provider of global enterprise-level identity protection and fraud detection solutions and technologies) and author of the blog Help Net Security, in an article titled “Why cybercriminals want your personal data”, breaks it down.

And I quote: “Based off of what we’ve seen at CSID, a credit card number, name and date of birth can sell for $13. A Social Security Number can go for $20. A bank account with a balance of $10,000 goes for an average cost of $625. Even the value of a person’s social media account has worth. According to RSA, 10,000 followers on Twitter sell for $15. 1,000 likes on Facebook sell for $15.”

http://www.net-security.org/article.php?id=1915

The criminal that steals your identity is not doing it so that he or she can use it. Noooo, they sell it on the online black market, one of which was just in the news last week: the Silk Road.

According to Linda Criddle, Founder of iLookBothWays.com, in an article entitled “What is Social Engineering”: Social engineering is the art of manipulating people so they give up confidential information. The types of information these criminals are seeking can vary, but when individuals are targeted the criminals are usually trying to trick you into giving them your passwords or bank information, or to access your computer to secretly install malicious software that will give them access to your passwords and bank information as well as giving them control over your computer.

In our last episode, where we covered ransomware and malware in general, we described the three components of an information security strategy: the things you’re required to do by law; the operational processes and procedures you put into place; and the technology tools you use to get the job done. That is all fine and good, but good security takes into account the least common denominator… the human being. Yes, even the human being who may be in charge of enforcing those very security tenets.

I don’t remember who said this, but the biggest truth in this discussion is that the best security policy is only as good as the people staffing it. On the Information Daily.com website, Cyber Security was quoted as saying that as much as 75% of all data breaches are in fact inside jobs. Let’s drill down a little further… the article further says that 12% of those 75% actually had “ill intent” and 63% were caused by somebody losing or misplacing corporate assets. If you don’t believe that, then talk to your friendly network administrator and ask him how many times he can remember when a large portion of the company’s data was “lost” or deleted accidentally. Criminals use social engineering because it is probably easier to exploit natural human tendencies than it would be to hack your system.

Common Tactics in Social Engineering

1) You get an email from a friend: This could mean an actual friend or something/someone you are familiar with.

  1. Your brother, your best friend, your bank, PayPal.

2) Phishing attack: a phisher sends an email or text message that appears to come from a company, bank or institution. It will look EXACTLY like it came from their website, right down to the logos and wording.

  1. The email may explain that you have received an efax from someone…
  2. It may also explain that you have won some sort of prize…
  3. It may explain that there is something wrong with your account and they need to verify (anything in this spot should signal something wrong).
  4. Or the email may ask for your help… does the name of a minister in Nigeria ring a bell?

3) Another common tactic is to send you an email answering a question of yours that you never actually asked.

So what do you do?

Educate yourself and don’t become a victim.

1) Don’t be impulsive. No matter how inviting/interesting an email may look, stay away from it. Delete it. Curiosity is indeed a killer. If it has a download attached to it, delete it. If it comes from a foreign country, delete it. If it is from somebody you know but “something just seems odd about it”, delete it. Make sure you keep your anti-virus up to date.

2) Automatically delete any request for financial or password information.

3) Automatically reject any plea for help.  If it’s real, your friend will call you.

4) Don’t click any link in the message, wherever it claims it will take you.
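The tactics above (a message that looks like it came from your bank or PayPal, a request to “verify” your account or password, a link that says one thing and goes somewhere else) can be checked for mechanically before a person ever reads the message. The script below is an added example, not something from the podcast or any of the referenced articles: it parses a constructed sample email and reports three indicators, a display name that claims a brand whose real domain does not match the sender address, lure phrases asking for account or credential verification, and HTML links whose visible text shows a different host than the one they actually point to. The brand list, the lure phrases and the sample sender address are all hypothetical values chosen for the example.

```python
"""Flag common phishing indicators in an e-mail message.

Added example for this post; the sample message, the sender address and
the brand/lure lists are constructed for illustration only.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand names we expect to see only together with their real sending domain.
# Constructed for the example; a real deployment maintains its own list.
BRAND_DOMAINS = {"paypal": "paypal.com"}

# Phrases that match the "verify your account" lure described in the post.
CREDENTIAL_LURES = re.compile(
    r"verify your (account|identity)|confirm your (password|account)|"
    r"social security number|account (will be|has been) (suspended|locked)",
    re.IGNORECASE,
)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url_or_text):
    """Lower-cased host of a URL, or of bare 'domain/path' text."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    return (urlparse(url_or_text).hostname or "").lower()


def _same_site(host, domain):
    return host == domain or host.endswith("." + domain)


def _decoded_text(part):
    charset = part.get_content_charset() or "utf-8"
    return part.get_payload(decode=True).decode(charset, "replace")


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in an RFC 822 message."""
    msg = message_from_string(raw_message)
    indicators = []

    # Indicator 1: display name claims a brand, sender domain says otherwise.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_host = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    for brand, domain in BRAND_DOMAINS.items():
        if brand in display_name.lower() and not _same_site(sender_host, domain):
            indicators.append(
                f"display name claims {brand!r} but sender domain is {sender_host!r}")

    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            # Indicator 2: wording that asks you to verify an account or credential.
            for m in CREDENTIAL_LURES.finditer(_decoded_text(part)):
                indicators.append(f"credential lure: {m.group(0)!r}")
        elif ctype == "text/html":
            # Indicator 3: link text shows one host, href goes to another.
            collector = _LinkCollector()
            collector.feed(_decoded_text(part))
            for href, text in collector.links:
                shown = _host(text) if re.search(r"\w\.\w", text) else ""
                if shown and shown != _host(href):
                    indicators.append(
                        f"link text shows {shown!r} but points to {_host(href)!r}")
    return indicators


# Constructed sample: a lookalike sender, a "verify your account" lure and a
# link whose visible text names the real site but whose href does not.
SAMPLE_MESSAGE = """\
From: PayPal Support <alerts@paypa1-secure.example>
To: you@example.net
Subject: Action required
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

We noticed unusual activity. Please verify your account within 24 hours
or your account will be suspended.

--b1
Content-Type: text/html; charset=utf-8

<html><body><p>Please <a href="http://paypa1-secure.example/login">
https://www.paypal.com/signin</a> to verify your account.</p></body></html>

--b1--
"""

if __name__ == "__main__":
    for indicator in phishing_indicators(SAMPLE_MESSAGE):
        print(indicator)
```

Run it as-is and it prints four indicators for the sample message: the mismatched display name, two lure phrases from the plain-text part, and the link whose text shows www.paypal.com while pointing at the lookalike host. None of these checks proves a message is malicious; they are the same signals the post tells you to look for, applied before you decide whether to read, delete, or pick up the phone and call the friend or the bank.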

Be safe and goodnight.

Gary Hunt

Show Links:


References used for this Podcast/Blog:

Social Engineering: The Basics, by Joan Goodchild, CSO Online, December 20, 2012, http://www.csoonline.com/article/514063/social-engineering-the-basics?page=4

What is Social Engineering, by Linda Criddle, Webroot, http://www.webroot.com/us/en/home/resources/tips/online-shopping-banking/secure-what-is-social-engineering

The biggest malware, security threats in 2013, by Charlie Osborne, Zero Day, December 5, 2013, http://www.zdnet.com/the-biggest-malware-security-threats-in-2013-7000023968/?s_cid=e036&ttag=e036

Top 5 Social Engineering Exploit Techniques, by Jamey Heary, Network World, November 14, 2009, http://www.pcworld.com/article/182180/top_5_social_engineering_exploit_techniques.html

Study: People open email even if it’s suspicious, by Dave Johnson, Moneywatch, September 12, 2013, http://www.cbsnews.com/8301-505143_162-57601915/study-people-open-email-even-if-its-suspicious/?tag=nl.e857&s_cid=e857&ttag=e857&ftag=TREe00e266

Cyber Security: 75% of Data Breaches are Inside Jobs, by the Daily Staff Writer, the Information Daily.com, September 27, 2012, http://www.theinformationdaily.com/2012/09/27/75-of-data-breaches-are-inside-jobs

Social Engineering: 5 Security Holes at the Office (Includes Video), by Joan Goodchild, CSO Security and Risk, June 8, 2009, http://www.csoonline.com/article/494464/social-engineering-5-security-holes-at-the-office-includes-video-?page=1

Why cybercriminals want your personal data, by Joe Ross, Help Net Security, November 12, 2013, http://www.net-security.org/article.php?id=1915
