In organizations with a large number of different staff profiles, ensuring an adequate level of information security is a major challenge. The most effective way of raising employee awareness and training staff is a so-called social engineering test, i.e. a simulated attack carried out with the organization's consent.
Social engineering is a set of techniques by which an attacker tricks or convinces a user into carrying out an activity (e.g., opening a malicious e-mail, plugging in a USB key infected with malware, etc.), thereby gaining access to the organization's confidential data. The attacker usually exploits a user's natural response to a particular situation (e.g., a tempting offer, trust, willingness to help, etc.).
There are several forms of social engineering:
- technical methods,
- personal contact,
- threat and extortion.
To carry out such social engineering scenarios successfully, a great deal of information about the organization and the potential targets (employees, clients) must first be gathered. This information can be obtained from publicly available sources (the internet, phone directories, etc.), by visiting the organization, or by establishing friendly relations with its employees.
Examples of social engineering scenarios:
- sending “malicious” e-mails,
- planting malware on portable storage media,
- installation of a “malicious” application on a mobile device,
- connecting unauthorized devices to the internal network of the organization,
- gathering information over the phone, during personal visits, by mail or e-mail,
- entering the company’s premises without identification at the entrance,
- entering a restricted area by using somebody else’s identity.
On the basis of the executed scenarios, a report is prepared with recommendations that help raise employees' awareness of information security and improve the organization's current security mechanisms.