
By Julie Oliveira

Every day, companies face repeated attack attempts in which malicious actors use different techniques to exploit internal vulnerabilities and extract relevant data and information. These vulnerabilities are often identified in the company's digital systems and controls, but it is also necessary to focus on the vulnerabilities created by the most fragile link in information security: the human being. After all, no matter how many logical and physical security controls the company applies, if its employees, third parties and partners are not made aware of the matter, those controls can easily be circumvented through social engineering techniques.

Social engineering

The most common, and consequently the most discussed, cyber threats are those that exploit system vulnerabilities to infiltrate networks and steal user data. Threats are not limited to systemic failures, however: human error can happen and compromise information, and it is from this principle that social engineering is formed.

Social engineering consists of a set of techniques applied to gain access to confidential and valuable information belonging to people or companies. These techniques are generally based on persuasion, taking advantage of people's naivety or trust to obtain information that enables unauthorized access or the commission of various crimes.

In the case of companies, social engineering takes advantage of an employee who has no knowledge of the subject, or who is unhappy with the company, and who may hand confidential information to anyone who manages to deceive him or, often, without the attacker even having to bother.

Types of Attacks

There are several types of social engineering attacks, each using different techniques to mislead people. A few are listed below:

  • Quid pro quo: Named after the Latin expression meaning "something for something", this technique generally offers a prize in exchange for something, such as a CPF (the Brazilian taxpayer ID) or other personal data. The person is convinced that they have won something and that, in order to release the prize, they need to share their data.
  • Phishing: The most common type of attack. It consists of sending emails that impersonate people or institutions and convince the recipient to open links, provide confidential information about themselves or install malware on their equipment.
  • Baiting: A technique based on setting a trap, for example a pen drive loaded with malware. The victim finds the device and, curious to see what is on it, plugs it into their machine, which is infected and compromised.
  • Pretexting: Stories told to deceive the victim, usually built on real information obtained in different ways. They appeal to people's naivety and trust in order to carry out the attack.
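The impersonation that phishing relies on leaves traces in the message headers: a display name that invokes a trusted institution while the address lives elsewhere, a sender domain that is a lookalike of the real one, or a Reply-To that silently redirects answers to the attacker. The following is an added example, not code from the article or from SAFEWAY, that checks constructed sample headers for exactly those signs. The trusted domains, the homoglyph table, the similarity threshold and the sample messages are all assumptions made for illustration.

```python
"""
Added example (not part of the original article): a small heuristic that
flags the sender impersonation used in phishing. The trusted domains, the
homoglyph table and the sample headers are constructed assumptions.
"""
from __future__ import annotations

from difflib import SequenceMatcher
from email.utils import parseaddr
from typing import Optional

# Assumed: domains the organisation treats as legitimate senders.
TRUSTED_DOMAINS = ("safeway.example", "bank.example")

# Substitutions commonly used to build lookalike domains (assumed list).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalise(domain: str) -> str:
    """Undo common character substitutions so 'examp1e' compares as 'example'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if it is clean."""
    domain = domain.lower()
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return None  # the trusted domain itself or a genuine subdomain of it
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if normalise(domain) == normalise(trusted):
            return trusted  # homoglyph copy, e.g. bank.examp1e
        if SequenceMatcher(None, normalise(domain), trusted).ratio() >= 0.85:
            return trusted  # a character dropped or swapped, e.g. safway.example
        if any(brand in label for label in domain.split(".")):
            return trusted  # brand reused as a label, e.g. bank.example.attacker.net
    return None


def classify_sender(from_header: str, reply_to: Optional[str] = None) -> list[str]:
    """Explain why a From/Reply-To pair looks like impersonation (empty list = clean)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings: list[str] = []

    target = lookalike_of(domain)
    if target:
        findings.append(f"sender domain {domain} imitates {target}")

    # Display name invokes a trusted brand while the address lives elsewhere.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        genuine = domain == trusted or domain.endswith("." + trusted)
        if brand in name.lower() and not genuine:
            findings.append(f"display name {name!r} claims {brand} but address is @{domain}")

    # Replies silently redirected to a different domain than the sender's.
    if reply_to:
        _, rt_addr = parseaddr(reply_to)
        rt_domain = rt_addr.rsplit("@", 1)[-1].lower()
        if rt_domain != domain:
            findings.append(f"Reply-To goes to @{rt_domain} instead of @{domain}")
    return findings


# Constructed sample headers: one legitimate message and two phishing attempts.
SAMPLE_MESSAGES = [
    {"From": "HR Department <hr@safeway.example>", "Reply-To": None},
    {"From": "Bank Support <alerts@bank.examp1e>", "Reply-To": None},
    {"From": "SAFEWAY Helpdesk <support@mail.example.org>",
     "Reply-To": "collect@attacker.example"},
]


def scan(messages=SAMPLE_MESSAGES) -> list[list[str]]:
    """Run the checks over each message; index i holds the findings for message i."""
    return [classify_sender(m["From"], m["Reply-To"]) for m in messages]


if __name__ == "__main__":
    for msg, findings in zip(SAMPLE_MESSAGES, scan()):
        print(f"{'SUSPICIOUS' if findings else 'ok':10} {msg['From']}")
        for finding in findings:
            print(f"           - {finding}")
```

These checks are deliberately simple and will produce false positives (a legitimate partner whose domain happens to contain a brand name, for instance); in practice they complement, rather than replace, the sender authentication a mail gateway performs, and their value here is to make concrete what an attentive employee is being trained to notice.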

Within companies, we can also list some behaviours by employees that tend to facilitate access to confidential company information, as mentioned in the previous topic, without the attacker even having to go to the trouble of deceiving anyone. These behaviours are:

  • Conversations about the company or the work performed in public places such as public transport, food courts, etc. Depending on the information shared in these conversations, anyone nearby can hear it and, if they have the intention, use it against the company;
  • Information about the company or its employees on social networks. Many employees share on their social media where they work, what they do, where they are, and so on. In the hands of someone with malicious intent, this information can be used to build a context that deceives and convinces people, gaining undue access to a physical or logical environment of the company;
  • Last but not least, the famous badge left on the food court table to save a seat. Leaving an access credential unattended among hundreds of strangers allows anyone to steal the badge and enter the company's premises, bypassing all the physical security controls in place.

How to protect yourself

In order to protect the company's confidential information, inside and outside the company, it is necessary to invest in awareness. As stated earlier, the main vulnerability exploited in this type of attack is the human factor. It is therefore extremely important that all employees, third parties and partners of the company are trained and made aware of information security and data privacy matters, including good practices for information protection, guidelines to follow when identifying threats, tests to ensure that the knowledge has been retained, and simulated attacks in the organizational environment, so that employees are not caught out by a real attack.

Conclusions

As presented in this article, we can conclude that however much companies invest in logical and physical security controls, it is extremely important that they also invest in the constant awareness of their employees, since human failures cannot always be covered by logical and physical controls. Especially in social engineering attacks, we need the employee to pay attention to the threats around them and prevent an attack from succeeding within their company. It is also worth remembering that social engineering techniques, although used with bad intentions, can equally be applied to identify vulnerabilities present in the company, enabling risks to be mitigated before an actual attack takes place. Would you like to know more about this service? Contact us.

Julie Oliveira is Senior GRC and Information Security Consultant at SAFEWAY.

How can we help?

SAFEWAY is an information security consulting firm recognized by its customers for offering high value-added solutions through projects that fully meet the needs of the business. In 14 years of experience, we have accumulated many successful projects that have earned us credibility and prominence with our clients, who largely make up the 100 largest companies in Brazil.

Today, through 25 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best solutions in technology, processes and people. We have both the technical skills and the experience necessary to assist your company in structuring controls and preparing the environment for the implementation of an ISMS, SGS or SGCN and, consequently, the certification of operations, services or companies against the ISO 27001, ISO 20000 or ISO 22301 standards.