Why Social Engineering is one of Your Biggest Security Threats

Written by: Jason Clinton, CISA
We’re wrapping up our series of insights from our summer trip to DEF CON 24 by transitioning from last month’s Combatting the Rising Threat of “Smart” Devices to focus on one of the biggest security threats: social engineering. At DEF CON this year we watched the social engineering “village” host its annual contest, which challenges attendees to use social engineering tactics against real target companies. The goal is for participants to demonstrate different social engineering techniques and ultimately acquire the targets’ network infrastructure information. For this contest, participants conduct target research using search engine results, social media information, and IP registry information, and then use what they find to their benefit as they launch actual, targeted social engineering attacks.

In discussing their research, participants noted how social media and marketing research websites offer a large amount of business and personal information about companies and their employees. This information helps the participants (and real attackers) tailor their approach to an employee’s specific position in the company or personal interests, which increases the chance that the social engineering attempt succeeds. For example, when making social engineering calls to a sales representative at the target company, the participant played the part of a prospective or current customer to more easily gather information. Similarly, when talking to a member of the company’s IT department, the participant impersonated a vendor or another employee of the company.

While this may be just a “contest”, it serves as a clear reminder that social engineering is still one of the biggest security threats, and that employees still tend to be the weakest link in information security controls. What can you do to better prepare your employees for an attack? Regularly provide them with up-to-date information security awareness training and send them security reminders. You also need to do your best to instill in all employees how crucial it is to stay vigilant about security, and to understand the potential financial, reputational, and legal damage that can result if they divulge confidential information to anyone who shouldn’t have access to it.

For more information on this topic or assistance with your information security program, contact Jason Clinton, CISA, IT Assurance Senior Consultant, at 617-261-8132 or jclinton@wolfandco.com.