You work at a famous fast food restaurant that has hundreds of locations and thousands of employees across the country. While manning the cash register one day, an official-looking man walks in and asks to see the supervisor or manager. This just so happens to be you. The man introduces himself as John Doe from the Toronto office and tells you he’s here to do your annual inspection. He points to his laptop bag and says he just needs a wall outlet, a network jack and a quiet place to work, and then he can complete the inspection. You haven’t been supervisor all that long and this is your first inspection, so you comply, not wanting to look bad in front of someone from the corporate office. After you set John Doe up and make sure he’s comfortable, you get back to work. You don’t see him again until the end of the business day, when he comes out and tells you he’s finished the inspection and you’ll be hearing from head office about the results. You see him off and finish your day, thinking nothing of the interaction.
A few months go by, and one day someone comes in, introduces themselves as Bob Mee and says he’s here to do the annual inspection. You explain it’s already been done and mention John Doe and the date of his visit. Bob tells you that no one by that name works at the head office and shows you official ID and documentation regarding the annual inspection date. You’ve been a supervisor less than a year and you never paid attention to the inspections before, so you just assumed the man was genuine. Not long after this, a corporate memo is sent out revealing that the computer systems were hacked and some customer and corporate data has been compromised. They trace the breach back to your location, and through investigation it’s revealed that John Doe was the culprit. He faked his way into getting access to your network and data. You wonder how this could have happened; the company has firewalls and expensive anti-virus software. What was the weakest link that allowed this to happen? It was you.
The above scenario, while seemingly elaborate and unlikely, is completely possible. No amount of money spent on firewalls, anti-virus and other security appliances can protect you from social engineering. Social engineering is when someone uses charisma and confidence to talk a user into handing over access or important information. The weakest link in your security strategy will always be your employees. In order to mitigate the security risks, you need a security strategy that balances hardware/software appliances with security awareness training for users. In this example, the employees could have had security training that empowered them to ask for proper ID and credentials from strangers claiming to be employees, and they could have called head office to verify the inspection before granting any access. Basic security training gives your employees a chance to defend against these front-line social engineering attacks. Why attack a company this way? It requires far less money and effort than trying to hack the network from a distance. If you can fool the right person, then you have your gateway.