The Savvy and the Sneaky: What Colleges and Universities should know about Social Engineering
June 13, 2012
This is not a call to change how you interact with your key customers and vendors, but it is a call to implement best practices in your IT (and physical) security systems. In this article we will briefly examine some of these social engineering techniques and methods for combating this threat.
Anatomy of the Con
Information is the key asset for any con or hacker trying to infiltrate your systems. They can be very sophisticated at soliciting information from unsuspecting employees. By seeking seemingly innocuous information from a number of different employees, the con is able to establish credibility and gain access to increasingly sensitive information.
Social Engineering Tactics
There are any number of techniques cons and hackers employ to access important and confidential information.
“Hi. I’m here to fix the printer.”
Not all cons are virtual. Sometimes con artists and hackers will seek to gain physical access under the guise of being a vendor, such as a repair technician from your printer manufacturer. Once in, the attacker may be able to access open network jacks and sensitive information coming off the printer, and could potentially reach more sensitive areas of a department.
“Hey! Look what I found!”
Cons and hackers are also capitalizing on new storage technology to carry out attacks without ever entering your institution. Instead, they just leave some bait in the parking lot. In a practice called “baiting,” the attacker purposely leaves behind a USB storage drive or a CD-ROM on campus grounds, often with an enticing label such as “salary information”. If an employee then inserts the device into a computer on the college network, the hacker may be able to gain unfettered access to the system through viruses loaded onto the device.
“Please click here to test the strength of your password.”
“Phishing” involves using phony e-mails from seemingly trusted sources, such as fellow staff members, to infiltrate networks and steal information. Attackers design the e-mail to appear as though it is internal or from a trusted vendor, often using subject lines such as “Check the strength of your password” or “You have won an iPod!” If an employee opens the e-mail and follows the links within, the social engineer could gain access to the network, either by recording keystrokes or by having the user unknowingly hand over log-in information.
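The signals described above (a sender posing as internal staff or a trusted vendor, a lure subject line, and a link whose visible text does not match where it actually points) can be checked mechanically before a message reaches an employee. The following triage script is an added example, not code from the article or from Wolf & Company; the institution domain `example.edu`, the role words treated as "internal", and the sample message are all constructed for the example.

```python
"""Heuristic phishing triage for an institutional mailbox (added example).

Scores one raw RFC 822 message on the signals the article describes:
a display name that claims an internal role while the address is external,
a Reply-To that diverges from the sender, a lure subject line, links whose
visible text names a different host than the href, and raw-IP links.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.edu"  # assumed institution domain
# Display-name fragments that imply an internal department (assumed list).
INTERNAL_ROLE_WORDS = ("it help desk", "it support", "registrar", "bursar", "human resources")
# Subject lures named in the article plus common variants.
LURE_PATTERNS = (
    r"strength of your password",
    r"you have won",
    r"verify your (account|password|mailbox)",
    r"password (will )?expire",
)


class _LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _looks_like_url(text):
    return re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I) is not None


def analyze(raw):
    """Return a list of (reason, detail) findings for one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    if any(w in name.lower() for w in INTERNAL_ROLE_WORDS) and from_domain != INTERNAL_DOMAIN:
        findings.append(("sender_impersonation", f"{name!r} sent from {from_domain}"))

    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(("reply_to_mismatch", reply))

    subject = str(msg.get("Subject", "")).lower()
    if any(re.search(p, subject) for p in LURE_PATTERNS):
        findings.append(("lure_subject", subject))

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = _LinkExtractor()
        parser.feed(body.get_content())
        for text, href in parser.links:
            href_host = _host(href)
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", href_host):
                findings.append(("ip_literal_link", href))
            if _looks_like_url(text):
                text_host = _host(text if "://" in text else "http://" + text)
                if text_host != href_host:
                    findings.append(("link_mismatch", f"{text} -> {href}"))
    return findings


def reasons(raw):
    """Sorted, de-duplicated reason names, convenient for gating or testing."""
    return sorted({r for r, _ in analyze(raw)})


# Constructed sample of the "test your password" lure described in the article.
SAMPLE_PHISH = """\
From: "Example University IT Help Desk" <helpdesk@example-edu-support.com>
Reply-To: collect@mail-drop.invalid
To: staff@example.edu
Subject: Check the strength of your password
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="http://203.0.113.10/login">click here to test the strength of your password</a>
at <a href="http://password-check.invalid/portal">https://portal.example.edu</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for reason, detail in analyze(SAMPLE_PHISH):
        print(f"{reason}: {detail}")
```

A message that trips several of these at once is a good candidate for quarantine or for the "when in doubt, check it out" rule later in the checklist; a single hit (for example a legitimate vendor whose Reply-To is a ticketing system) is only a prompt for a closer look, not proof of fraud.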
How to Protect Your Institution: A Checklist
First line of defense: Establish a strong information disclosure policy
Institutions need to establish a clear policy that defines who is allowed to access information and what types of sensitive information can be disclosed. This policy needs to be shared with all employees, who also need to be trained in its use. An information disclosure policy helps employees determine the proper steps to follow and reassures them when they need to challenge a caller for authorization. The policy should state clearly that it is never appropriate to discuss user name and account information, or to divulge passwords, over the phone.
Training, Training, Training
A good information security program is only as good as the people who follow it. Inform and train your employees on proper information security procedures. Your IT department should send out routine notices about how to avoid dangerous schemes, such as phishing scams. Instruct your employees never to follow a link embedded in an e-mail message, and never to use USB drives, CDs or DVDs not provided by the organization. Providing regular updates on information security best practices helps keep the topic top of mind.
When in doubt, check it out
This simple rule can take a lot of the guesswork away from employees. If an employee is uncertain in any way about what they are being asked to divulge, they should be instructed to always consult a supervisor. It's best to take down the person's contact information and get back to them once the supervisor has authorized the request.
Keep it locked up tight
One of the easiest ways that a person with less-than-honorable intentions can infiltrate your institution is through lax physical security. The most basic step is to require all visitors to check in with security. Credentials and authorization should be double-checked with a supervisor, and when in sensitive areas, the visitor should be escorted by an employee at all times. Make sure that documents are not left in the open and are shredded when appropriate. The more roadblocks you put in the way, the more likely a thief will be deterred and seek an easier target.
Require approvals for mobile device connections
For electronic social engineering attacks there are a few lines of defense an institution should adopt. First, make sure all of your institution's computing devices are running reliable and current anti-virus software. Also check that the firewall and spam filters are working properly. These devices and applications help block or filter unwanted e-mails, and the viruses or executable programs contained in them, before they reach your employees. Your IT department can even lock down CD/DVD drives, USB ports and other ports used to attach portable media devices.
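Locking down removable media, the control that defeats the "baiting" drop described earlier and the port lock-down mentioned here, is usually done on Linux hosts through modprobe configuration that refuses to load the USB mass-storage and CD/DVD drivers. The script below is an added example, not the article's or any vendor's code: it emits a recommended fragment and parses modprobe.d-style text to report which of those drivers a host still allows. The module names (`usb-storage`, `sr_mod`) are the mainline Linux names and are an assumption about the host; the sample configurations are constructed.

```python
"""Audit removable-media lock-down in modprobe.d-style configuration (added example).

A "blacklist" line only stops a module from being auto-loaded by alias; an
explicit modprobe still succeeds. Disabling a driver for real needs an
"install <module> /bin/false" line, so that is what this check requires.
"""

# Drivers that removable media depends on (assumed mainline Linux names).
BLOCKED_MODULES = ("usb_storage", "sr_mod")

# Recommended content for a file such as /etc/modprobe.d/removable-media.conf.
RECOMMENDED_CONF = """\
# Refuse to load the USB mass-storage and CD/DVD drivers.
install usb-storage /bin/false
install sr_mod /bin/false
blacklist usb-storage
blacklist sr_mod
"""

_DISABLE_COMMANDS = {"/bin/false", "/bin/true", "/usr/bin/false", "/usr/bin/true"}


def _norm(name):
    """modprobe treats '-' and '_' in module names as equivalent."""
    return name.replace("-", "_").lower()


def parse_modprobe(text):
    """Return {module: set of directives} for the blacklist/install lines in text."""
    rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "blacklist" and len(parts) == 2:
            rules.setdefault(_norm(parts[1]), set()).add("blacklist")
        elif parts[0] == "install" and len(parts) >= 3:
            command = " ".join(parts[2:])
            if command in _DISABLE_COMMANDS:
                rules.setdefault(_norm(parts[1]), set()).add("install-disabled")
    return rules


def unblocked_modules(text):
    """Modules from BLOCKED_MODULES that the configuration does not fully disable."""
    rules = parse_modprobe(text)
    return [m for m in BLOCKED_MODULES if "install-disabled" not in rules.get(m, set())]


def audit_file(path):
    """Convenience wrapper for a real host: read the file and report gaps."""
    with open(path, encoding="utf-8") as fh:
        return unblocked_modules(fh.read())


if __name__ == "__main__":
    # Constructed example of a half-finished lock-down: blacklist only.
    WEAK_CONF = "blacklist usb-storage\n"
    print("weak config still allows:", unblocked_modules(WEAK_CONF))
    print("recommended config allows:", unblocked_modules(RECOMMENDED_CONF))
```

Run against the host's own `/etc/modprobe.d/*.conf` files, the `audit_file` result is the list of drivers that still need an `install ... /bin/false` line; an empty list means both USB storage and optical drives are blocked at the driver level, independent of what a user plugs in.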
Strong Network Controls
Of course, don’t forget about your networks. Set up and test your firewall and spam filters and make sure that your virus protection is updated regularly. Invest in encryption for your technology hardware, including any portable devices such as laptops and smart phones. Go even further by locking down any network jacks with passphrase protection, so that if someone does infiltrate a campus building, they won’t be able to plug into an unused jack and thereby gain access to your network.
The culture of higher education institutions can make them vulnerable to various social engineering schemes to access confidential information. But by observing best practices and putting in place strong disclosure and IT security plans, universities can dramatically decrease the risks and stave off hackers and cons and prevent data breaches.
Matthew J. Putvinski CPA, CISA, CISSP serves as director of the IT Assurance Services group at Wolf & Company, P.C., a Boston-based certified public accounting and business consulting firm providing assurance, tax and risk management services. In this role he provides guidance to clients around IT controls, information security, the development and implementation of critical technology processes, and strategic technology planning.