Expanding and updating your security awareness program needs to be done on a consistent basis to keep the materials fresh and to educate users on the latest threats. One topic you may wish to consider for your next presentation or training material is the increased frequency of “vishing”, or voice phishing, attempts.
This is not a new scam per se, but most of your users have most likely received calls from self-described “Microsoft Technical Support Representatives” who try to get them to install malicious software or who request credit card information so they can bill for services that were never provided. In fact, in a study conducted by Microsoft, 22% of people who were called by phony support technicians fell for the scam.
See complete article here
At the recent Defcon conference, contestants in a social-engineering capture-the-flag contest extracted information from a target company such as the name of its janitorial contractor and the hours of employee breaks, and even got the store manager to log on to an external website to fill out a survey about an upcoming visit.
See complete article here
We at NCI have also recently been made aware of a scam in which cybercriminals call people, claim to be acting on behalf of NCI, tell them that there has been a cyber-security breach, and ask them to provide sensitive information in order to protect themselves.
Please see our information bulletin here
Social engineering is one of the greatest risks to businesses today and the only defense is constant education and awareness programs.
Please contact NCI to schedule a free 1-hr executive education session delivered by our CIO – Eugene Ng to help you garner awareness throughout your organization.
For more information please contact your NCI rep.
Security awareness is crucial for organizations because technical controls can only offer protection to a certain degree. In targeted attacks, organizations may find that attackers not only attempt to penetrate an organization by bypassing or exploiting technical controls, but also by exploiting employees; in the security industry, we refer to this skill set as social engineering. Social engineering, for lack of a better explanation, can be summarized as the manipulation of individuals to attain an end goal that is usually not aligned with the victim’s best interests. In other words, social engineering is crafty lying with a technical focus on the psychology of human behavior. Before we go on to discuss the impact of social engineering on organizations, it is worthwhile to discuss the mechanics of social engineering.
Primarily, social engineering relies on the use of cognitive biases to manipulate victims into disclosing information or performing actions for the social engineer that are typically against their best interests, or at least not something the individual would do without manipulation. For the not so psychologically inclined, a cognitive bias is essentially the human tendency to make systematic errors in reasoning. Now that we have an idea of what social engineering is, we can explore the common attack vectors and techniques employed by social engineers in the next few blog entries to come.
(Editor’s Note: This is Part 1 of a 5 part series on social engineering.)