Articles & Press Releases

New Social Engineering Attacks – Resistance Futile?

Recently I had the opportunity to see Kevin Mitnick speaking in a video archive from a popular news program. He was talking about an upcoming presentation he was giving. Most people know (or should know) who Kevin Mitnick is. I personally remember reading so many wild stories about Mitnick's hacker exploits. Did he really hack into the NSA and steal the address book? Did he also break into NORAD? Well, I'll let you read his book to find that out.

What Mitnick is most famous for are his social engineering skills. In his book, Mitnick states, "Social engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he isn't, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology." One of the more interesting parts of that comment is that he notes social engineering can be done with or without the use of technology. Traditionally, I believe most people think of social engineering as a hacker picking up the phone and convincing a user to give up valuable authentication credentials or other logon information for private systems. Until fairly recently, non-technical phone-based social engineering was in fact one of the most common methods.

As a firm that specializes in security auditing / risk assessments and Managed Security Services for high-profile regulated industries, such as banking and finance, utilities, and healthcare, we've seen social engineering truly evolve from its early days. As one example of the new face of social engineering, we've demonstrated how a properly crafted email and web-based social engineering attack can be executed with near-perfect success (by which I mean almost everyone gave up sensitive data), and with marked consistency.

The fact of the matter is that if your organization is like many others, your personnel could be hit with an email that looks so much like an internal message, and is so convincing, that as many as 95% or more of your employees would give up the most sensitive information, such as user logons and passwords. Is this a ticking time bomb within your organization? If you're not auditing for it and training your users on what to do, frankly, your current expectations of how safe you are from this form of attack may not be realistic.

If a malicious individual were armed with some basic knowledge of how this process works and had the following:

  • Some basic web development experience and a compromised web server
  • A short-list of freeware applications downloaded from the web
  • Access to your website for a company logo and corporate graphics
  • The names of your personnel in key departments

they would be well on their way to having everything they need to launch a likely successful attack against your environment.

This method of social engineering is on the rise, and it's not hard to see why when you look at the success rates attackers can get and the minimal technical resources it takes to pull it off. You already see and hear about variations of this type of attack constantly, in the form of phishing attacks against customers of banks and financial institutions, Amazon, AOL, and so on.

(Phishing:  malicious individuals create mock websites of legitimate companies, lure their customers to the mock site and harvest their sensitive information (i.e., login names, passwords, and account information) for illegal purposes.)
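One way to turn the indicators described above into a concrete check, as an added example that is not code from BAI Security or this article: the script below parses a message and flags a display name or lookalike domain that claims to be internal while the real address is not, a Reply-To that diverges from the From address, and links whose visible text names one host while the href points at another. The corporate domain example.com and both messages are constructed placeholders.

```python
"""Flag e-mail messages that impersonate an internal sender or corporate web page.
Added example, not BAI Security's code; the domain and messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

CORPORATE_DOMAIN = "example.com"  # assumed: the organisation's real mail/web domain

# Link text that is itself a URL or bare domain, so its host can be compared to the href.
DOMAIN_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_domain):
    """Lower-cased host of a URL or bare domain ('' when there is none)."""
    candidate = url_or_domain.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return (urlparse(candidate).hostname or "").lower()


def is_corporate(host):
    return host == CORPORATE_DOMAIN or host.endswith("." + CORPORATE_DOMAIN)


def looks_like_corporate(host):
    """Crude lookalike test: the corporate name appears in a host that is not
    actually under the corporate domain (example-com.net, login-example.net)."""
    label = CORPORATE_DOMAIN.split(".")[0]
    return label in host.replace("-", "") and not is_corporate(host)


def phishing_indicators(raw_message):
    """Return human-readable indicators that an RFC 822 message is a phish."""
    msg = message_from_string(raw_message)
    indicators = []

    # 1. Sender: display name or lookalike domain claims to be internal, address is not.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_host = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if not is_corporate(sender_host) and (
        CORPORATE_DOMAIN in display_name.lower() or looks_like_corporate(sender_host)
    ):
        indicators.append(f"sender {address!r} impersonates {CORPORATE_DOMAIN}")

    # 2. Replies silently routed somewhere other than the apparent sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and address and reply_to.lower() != address.lower():
        indicators.append(f"Reply-To {reply_to!r} differs from From {address!r}")

    # 3. Links: visible text names one host, href points at another (or a lookalike).
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            html += payload.decode(part.get_content_charset() or "utf-8", "replace")
    collector = _LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        target = host_of(href)
        shown = host_of(text) if DOMAIN_LIKE.fullmatch(text) else ""
        if shown and shown != target:
            indicators.append(f"link text shows {shown!r} but points to {target!r}")
        elif looks_like_corporate(target):
            indicators.append(f"link host {target!r} mimics {CORPORATE_DOMAIN}")
    return indicators


# Constructed sample: an "internal" password-expiry notice pointing at a clone site.
SAMPLE_MESSAGE = """\
From: "IT Helpdesk (example.com)" <helpdesk@example-com.net>
Reply-To: collect@mailer.invalid
To: staff@example.com
Subject: Action required: password expires today
Content-Type: text/html; charset="utf-8"

<html><body><img src="https://www.example.com/logo.png">
<p>Your password expires today. Please sign in at
<a href="http://portal.example-com.net/login">https://portal.example.com/login</a>
to keep your account active.</p></body></html>
"""

# Constructed sample: a genuine internal notice, which should raise nothing.
LEGIT_MESSAGE = """\
From: "IT Helpdesk" <helpdesk@example.com>
To: staff@example.com
Subject: Scheduled maintenance
Content-Type: text/html; charset="utf-8"

<html><body><p>See <a href="https://intranet.example.com/status">intranet.example.com/status</a></p></body></html>
"""

if __name__ == "__main__":
    for indicator in phishing_indicators(SAMPLE_MESSAGE):
        print("PHISH:", indicator)
```

The lookalike test is deliberately crude and will over-flag; in a mail gateway it belongs behind a sender-authentication check (SPF/DKIM/DMARC results from the receiving MTA), and the list of indicators is what an incident handler would want attached to the quarantined message rather than a bare block decision.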

Preventing social engineering attacks

The best combat strategy against social engineering is user awareness that these attacks do happen.  Here are some good business practices:

  • Audit your employees and use the results to revise and reemphasize security policies.
  • Train employees to never give out passwords or confidential information over the phone, in response to emails or on non-business websites.
  • Train users on how to identify valid vs. malicious versions of your corporate web pages.
  • Train users to first validate any suspicious communications (internal or otherwise).
  • Update your incident-handling procedures to include social engineering attacks.
  • Conduct periodic security awareness training programs.
© 1995-2010 BAI Security Inc. All Rights Reserved.