Social hacking is the criminal act of manipulating people to surrender confidential information. In most cases, the perpetrators are looking for opportunities to take advantage of vulnerable or naïve people, by deceiving them into handing over sensitive information. This information can be used against them and provide a gateway for hackers to gain access to bank accounts, computer passwords and other personal details.
Hackers can destroy victims’ lives, and social hacking in particular is a favoured choice. The core reason for this is that it is one of the most straightforward hacking techniques. For instance, trying to convince someone to give you their password in a threatening or underhand way is far less time consuming than attempting to break into their account by technical means.
A major part of personal security is being aware of who to trust and remaining vigilant at all times. It is important to safeguard your personal information by following general best practice techniques. With average UK salary and savings currently at £26,500 and £7,838 respectively, there is potential for hackers to defraud victims out of considerable sums of money if committed on a wide scale. Consequently, the threat to businesses of all sizes, especially those that keep large amounts of cash in the bank, is potentially severe.
The weakest link in a personal security chain is the individual who is too trusting. The harsh truth is that you can’t trust everyone, especially where technology is involved. As a result, businesses must ensure that all members of staff within their hierarchy are aware of personal security threats and understand how they are expected to react in different situations. You can have the most advanced security systems and protocols in place; however, if staff are not adequately trained to respond when confronted by these criminals and inadvertently release sensitive personal information, none of it will matter. It is therefore recommended that you invest in appropriate security training to give staff the knowledge they need to always act in the most secure way possible.
Due to this ever increasing threat, outsourced IT support provider Twin Systems thought it pertinent to ask experts from a wide spectrum of the IT world how best to deal with the threat.
We have answers from the former CIO of one of the UK’s largest companies, technology and hacking website owners and contributors, the Group IT Director of a Times 100 listed company, other business managers, one of our own IT specialists and an esteemed technology writer who regularly writes for Forbes magazine and has helped start companies now worth over $1 trillion. We hope their responses and advice will give you some real world information on how you can deal with the threat.
We asked them all one question:
“If you were to start a new role tomorrow, how would you address the threat of social hacking when looking to protect the data of your business?”
Here are their answers.
- Bob Cringely, technology writer, journalist, author and Forbes magazine/New York Times contributor.
Social hacking? Well to some extent the cat is out of the bag with this one. I don’t think most companies can demand their employees completely abandon social media, especially since nearly every company I know uses it to help in choosing new employees. So here’s what I would do:
1) Encourage employees — especially those in critical positions — not to talk about work over social media. You probably can’t demand it but it’s worth asking.
2) Monitor your employees’ use of social media as well as you can just in case something does slip out.
3) Throw some real resources into some variation of #2 to use social media as a strategic weapon for your business in the same manner that I tell state lotteries worried about Internet gambling competition to start using the Net to reach beyond traditional borders and find new customers.
These are the questions I would be asking were I to start a new job tomorrow:
- What level of awareness in the business is there to the risk? Are the risks fully understood at board level? E.g. reputational damage, real impact on bottom line etc.
- Have the potential risk scenarios been quantified in monetary terms? – this usually gets the first point sorted
- Is there a C level responsible and accountable?
- Do individuals have their responsibilities enshrined in their jobs and objectives?
- Has security awareness training been updated to reflect the change in threats?
- Is mystery hacking used to test procedures?
- Do organisation units understand their respective responsibilities for identifying, assessing and acting on threats and events?
- Are the responsibilities clear for dealing with third parties – social platform vendors when the shit hits the fan?
- Are organisational responsibilities clear for escalation including legal, PR, business continuity planning teams etc.?
- Are internal threats understood? Leaver processes often fail to consider user accounts on social platforms which can be used after staff depart.
- What automated monitoring tools are used to monitor suspicious activity?
- Are there processes and systems in place to handle customer complaints?
Great question and a topic that should be at the forefront of all our minds. My first step would always be to analyse what encryption tools are in place for the business to use and whether they are in fact being utilised. The biggest threat always starts from within, and it still amazes me how many people email unprotected customer data without appreciating the potential risks. Next, I would invest in leading discovery tools, such as “Dark Trace”, to get a drains-up view of how secure things really are. From there it’s a question of establishing a robust plan and executing this efficiently.
Since the privacy of our business data is an asset that must be protected at all cost, I’ll invest heavily in anti-exploit applications solely tailored to protecting the system integrity. I’ll also create awareness of social hacking activities and/or methodology by addressing the employees on social engineering and how they can stay away from attackers. As well, I would educate them on the popular social hacking methods, such as spear phishing and role playing by malicious persons.
Last of all, I would install strict rules within the working environment that will restrict the workers from using their personal external hardware such as pen drives, USB sticks etc. to access the office systems that can be easily exploited. The use of personal machines (including PDAs) to access protected areas will be restricted as such machines could easily become infected with adware, Spear Phishing tools and other malicious programs.
Social engineering is one of the largest threats to any organisation regardless of size. To protect my business against social engineering I would start with giving my employees the necessary training and guidance. Employees are and always will be the biggest security risk.
There are a number of things I will keep an eye on to ensure the data of a business is kept secure.
- Education of the workforce regarding never clicking on suspicious links is going to be the first priority.
- Ensuring all webpages are being examined carefully by the employees to certify that they are not phishing pages.
- Using powerful anti-virus scanners at all times and especially on the files sent in online chat sessions.
- Implement a policy that a strong alphanumeric password including symbols is required to be used by everyone across the company, going further to secure all the accounts associated with the business work.
Social hacking and engineering should be a growing concern for all businesses as it poses one of the greatest threats to security inside most organisations.
If I were to start a new role, I think the first thing I would try and address would be the understanding of the problem. Staff are often unaware of the potential risks posed by sharing access to systems and software amongst their colleagues and there seems to be a lack of training available for staff on best practice and the potential risks around the subject matter. By providing simple training to staff on the risks involved, behaviour should be improved and risk reduced (although training by itself will never mitigate all risk).
Another very simple way to help protect data would be to ensure regular updating of passwords to make sure they are secure with lowercase, uppercase, symbols and number combinations as standard practice. It always amazes me how often default passwords for systems aren’t changed.
From my perspective, social hacking is more about the individual rather than technology. Sure, corporate spam filters, firewalls and GPOs can be implemented to reduce risks to the corporate network, but pretty much all employees have a life outside of work, whereby they utilise social media and freely available connectivity to all sorts of Wi-Fi zones, 4G networks etc., all of which are out of the control of their employer.
It is the individual’s information which is often the first step in garnering access to a corporate network.
In both cases, education and high profile corporate policies and ethos would be my first step in highlighting the issue to all employees, not only in regard to corporate information but, and this is where the message will probably hit home most, theirs.
This is an interesting question as it is very difficult to stop the risk that people bring due to curiosity and lack of concentration, often stemming from being asked to do too many tasks at once or being very busy.
We see many times ourselves how easy a phishing attack can be, when the attack is targeted at the right people within a company. Sometimes though, it doesn’t even need targeting; an example of this is where you receive an email that has been sent in error, such as payroll information for instance. For 95% of recipients, curiosity would get the better of them and by them wanting to see how much their colleagues are earning, the attachment gets opened and the virus let inside the system. There are times when we have encountered the ‘correct’ people being sent their own ‘payroll information’ via an unknown email, and still opening it due to lack of concentration/vigilance.
Human curiosity is one of the biggest issues we face. One of the easiest ways to spread a virus through a company or to install something that will allow remote access, is to drop a USB stick outside a company’s door.
Eventually, someone will see it and the majority of people will put it in their PC out of curiosity/a general will to help return it to its owner. All that’s needed in this case for it to work, is for it to be set to ‘auto-run’ as soon as the USB stick is connected. Once connected, you are in big trouble. Preventative measures are immeasurably more effective than reactive ones in this case, but the only way to truly safeguard your business is to put a company-wide ban on USB sticks which is highly impractical for many, although with the shift to ‘cloud’ and ‘drive’ sharing systems being used by more corporations, this is definitely a way around it (although not the most easy to implement).
The human element is always going to be the biggest risk to any network security. The amount of information people put about themselves online makes it even easier for a determined person to specifically target someone as a point of entry into a company. Anyone who is lax enough in their own personal security – having a fully open Facebook profile for example, where all of their information is readily available to anyone interested, specifically the company they work for – is making themselves a target for would-be hackers.
Just from revealing your name and company, you are as good as giving away your personal work email address. The majority of UK companies’ email formats take the form of either
Inexperienced hackers could spend hours trying different variations of the email formats, more experienced ones would use programs to do it for them, but the most experienced of all would use advanced search modifiers on Google to find any email address related to the company online and then just fill in the blanks. Company policy could well be to not use your work emails for anything other than work, but you can guarantee someone, especially in large organisations, will have used it to pay for a bill, leave a review or sign up for a newsletter online. With the right search strings, these can be found. It is then just a matter of time before someone opens an email sent from a hacker.
The only way in my opinion to tackle this, would be continued reinforcement to people of the risks that there are in exposing their own personal information online, but you cannot control what people do in their personal lives, only advise.
This is a really cool video regarding what I have just said above, that really makes a point.
As network administrators we have to try and mitigate security risks as much as is possible. This can include:
- Mail filtering
- SPF records added to the DNS provider to prevent spoofed emails appearing as though they come from within your own organisation
- Making sure antivirus is up to date
- Group policies to prevent users from installing applications
- Group policies to prevent users from using removable media (if possible)
- Continued user education of security risks
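The SPF item in the list above, as an added example that is not the author's own code: a minimal SPF evaluator (the ip4 and include mechanisms plus the all qualifier) run over constructed DNS TXT records, and a mail-filter decision for inbound messages whose envelope sender claims to be the company's own domain. The domain names, IP ranges and records are constructed assumptions, not real zones.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: these are not real zones).
# The company domain publishes -all, so any sender outside its ranges hard-fails.
DNS_TXT = {
    "example.co.uk": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain: str, client_ip: str, depth: int = 0) -> str:
    """Evaluate a subset of SPF (RFC 7208) for the connecting IP against the domain's record.
    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no record) or 'permerror'."""
    if depth > 10:  # cap include recursion, as the RFC caps DNS-querying mechanisms
        return "permerror"
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"  # a mechanism with no explicit qualifier means pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qual]
        elif term.startswith("include:"):
            # include: matches only when the referenced domain's record yields pass
            if spf_check(term[8:], client_ip, depth + 1) == "pass":
                return QUALIFIERS[qual]
    return "neutral"  # record exhausted without a match and no 'all' term


def classify_inbound(mail_from: str, client_ip: str, our_domain: str = "example.co.uk") -> str:
    """Filter decision for an inbound message: reject a sender that claims our own
    domain but arrives from a host our SPF record does not authorise."""
    sender_domain = mail_from.rsplit("@", 1)[-1].lower()
    if sender_domain != our_domain:
        return "accept"  # not posing as internal; other filters apply
    result = spf_check(sender_domain, client_ip)
    if result == "pass":
        return "accept"
    if result == "fail":
        return "reject"  # spoofed internal sender, per the domain's -all policy
    return "quarantine"  # softfail/neutral/none: hold for review rather than deliver silently
```

The quarantine branch matters in practice: a domain that publishes ~all or no record at all gives the filter no basis to reject outright, so flagging for review is the safe default.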
To conclude, the threat of social hacking is very real and it is essential that businesses take the necessary steps to prevent attempted attacks from being successful. We hope these answers from IT specialists ranging from hacking bloggers to CIOs and IT directors of £billion organisations have provided you with the necessary information to take the next steps to managing the dangers of social hacking and protecting those within your workplace.
Download our Twin Business IT Guide for more information or to see what we can do for you.