Protect your data and database against social engineering
According to security experts, it is much easier for attackers to gain access to confidential company data or IT systems by manipulating employees than by using cracking techniques. This practice is known as social engineering.
In computer security, social engineering is a term that describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. Consequently, not only DBAs and IT personnel but all company employees should be aware of the common methods used by so-called “social engineers” in order to protect their data and databases from such attacks.
A social engineer runs a so-called “con game”. For example, a person using social engineering to break into a computer database would try to gain the confidence of someone who is authorized to access the database in order to get them to reveal information that compromises the database’s security. They might call the authorized employee with some kind of urgent problem; social engineers often rely on the natural helpfulness of people as well as on their weaknesses.
Manipulating people requires a certain amount of background knowledge about the targeted company and its employees. For this purpose, social engineers make particular use of the internet. By gathering information via search engines and social and business networks, notably Google, Facebook or LinkedIn, it is possible to build an entire organizational chart of the target organization and to identify its business partners from the data found.
The results of this research allow social engineers to impersonate others and play a part in scenarios of their own making. This is the so-called “pretexting”. Usually every employee tries to handle all kinds of requests in a helpful manner, avoiding conflict where possible. Social engineers take advantage of these attributes. They may pretend to be an employee of a partner company, or of the targeted company itself, in order to access data or IT systems. Further to this, social engineers also request regular, non-personal information or data, similar to the aforementioned example of web browsers. During short, friendly conversations their requests are mentioned in passing without seeming suspicious to the employee concerned.
“Baiting” is another common method used by social engineers. Here they leave mobile data storage devices on company premises, often labeled with the company logo, so that they will be found by an employee. As soon as the finder connects the device to their computer, malware is installed, which may threaten the whole company’s IT system.
Overall, it is very difficult to list every method used by social engineers, since they constantly find new and creative ways to collect data illegally. Essentially every kind of information must be handled with special care. Even if a piece of data seems unimportant, it could be of great value to the attackers and their plans. Employees need to be constantly aware of their own important role within their company’s security and treat requests kindly but with healthy skepticism.