Social Engineering an Information Security Issue in a Corporate World.

Posted: September 15, 2011 in Uncertain World

Information is said to be one of the most valuable assets of an organization, especially for organizations that are developing new, innovative products. Information that is intellectual property is therefore always under threat of being acquired by attackers. An attacker here can be a competitor, a hacker or even a government agency. To build a strong defensive strategy we need to know the opponent's center of gravity, as shown in Table 1, so that we understand for what purpose enemies are attacking our organization (Welch, Buchheit, & Ruocco, 1999).

| Attacker | Purpose | Center of Gravity |
|---|---|---|
| Competitors | Organizations with a similar business that try to have information superiority to gain success. | Secrecy, knowledge, wealth |
| Government | To gain politically | Finance, knowledge |
| Individual Attacker (Hackers/Criminal) | To gain fame, self-satisfaction. | Freedom, wealth, access to IT infrastructure |

Table 1: The attacker, the purpose behind attacking our organization and the center of gravity (Welch, et al., 1999).

It has been observed that organizations focus more on the technical security of their organization, such as firewalls, passwords, networks and operating systems; this is more of a protection mechanism applied to secure technical operations. Usually the emphasis is on physical protection mechanisms and other operational security issues. As no security is implemented in terms of information, no awareness is created among employees. Due to this, employees usually disclose sensitive information (names of employees, designations, telephone numbers, etc.) to an unauthorized person. This unauthorized person could be an attacker. This mishandling of information can cause the organization a loss of billions of dollars (Winkler, 1996).
A similar impact has been observed in the organization. We are planning to start a campaign to create awareness among employees regarding the handling of sensitive information of their organization, which is also the intellectual property of the organization.
The ultimate goal of an attacker is to acquire sensitive information which, if gained, would make him superior in information, i.e. an information warfare tactic. An attacker usually applies “Social Engineering”, which is a non-technical method of acquiring information. A lack of awareness among employees allows an attacker to succeed; generally, employees are only asked not to disclose their password and to log out of their personal computer when they leave their desk. Many employees do not understand the level of sensitivity of a document and often throw it away in the bin. There are many reported cases of employees revealing information to an unauthorized person to get rid of annoying phone calls or emails. The organization is also to blame for this, as it does not make a practice of educating employees about social engineering attacks (Winkler, 1996).
Now the main question is how an attacker uses the social engineering method. Social engineering is said to be a method in which an attacker interacts with the targeted organization’s employees, asking them for information. The attacker applies deception to present a fake identity, such as computer support staff, and may ask employees for their login password, which in most cases employees give away. Another way could be that an attacker gains a job in the organization and may be given official access to sensitive information; even if not given access, the attacker may get information from others. The attacker can also take advantage of other techniques involved in social engineering, such as going through the trash dumpster; this is also known as dumpster diving. This seems comic, but the technique really works: a lot of employees throw away information written on a piece of paper, and this information is usually very important for an attacker to know; it tells about the organization, or which product is about to be released, and so on. Burn bags and shredders are used for the purpose of destroying information written on paper. A case was reported in which U.S. telecommunication systems were compromised and brought down by gaining passwords from the New York Telephone Company garbage (Winkler, 1996). Apart from this, there are other techniques used in social engineering; competitors hire groups of people who collect information for them so that they can be superior in terms of information. These attackers practice shoulder surfing and eavesdropping to collect sensitive information.
The impact of social engineering makes an organization lose business in the market. For example, if a firm developing electronic gadgets was about to launch a product that was one of its kind, and competitors came to know about the product, its features and its launch date, then the competitors might take advantage of this and launch a better product before your firm's launch. This would have a severe impact on the launch of the new product in the market; the organization would suffer heavy financial damages and could lose its place in the market.