Social engineering in information security is the art of human manipulation. Criminals or malicious hackers use this method to gain access to confidential information, which can then be used to compromise a computer system, bank account, or electronic medical record (EMR).
Learn the methods that are used to execute social engineering and countermeasures that can be taken to combat it.
What are social engineering hackers looking for?
- Login credentials
- Email addresses
- Answers to a password reset question
Some Social Engineering Methods
Pretexting – This method requires prior research on a targeted victim. The attacker uses the information gathered to impersonate a legitimate business and tries to convince the victim that the attacker is legitimate. Once trust is established, the attacker will ask for sensitive information he doesn’t already have, such as access to electronic health records (EHRs), telephone records, banking records, etc.
Phishing – Typically, if an attacker is targeting a company, he/she will send out emails to every employee working there. Sometimes an attacker will impersonate a bank or news agency. The email will contain a link to a malicious web site that resembles a legitimate organization’s site. Once an employee clicks on the link, malware is downloaded to his or her computer, and the attacker now has access to the network. Check out our post on Spear Phishing, a type of phishing.
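One defensive check that follows from the phishing description above, as an added example (not code from the original post): scan an HTML email body for links whose visible text names a trusted domain while the real destination is elsewhere, or whose destination host merely contains the trusted brand name. TRUSTED_DOMAINS and the sample message are constructed assumptions, not real domains or a real email.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Hypothetical domains the organization and its bank really use (assumption).
TRUSTED_DOMAINS = {"examplebank.com", "example-hospital.org"}

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the anchors of an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):  # lower-cased hostname; bare domains get a scheme for urlparse
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def _is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def _domains_in_text(text):  # domain-looking tokens in the visible link text
    return {m.lower() for m in re.findall(r"((?:[a-z0-9-]+\.)+[a-z]{2,})", text, re.I)}

def suspicious_links(html_body):
    """Anchors that lead to an untrusted host while showing a trusted domain as
    text, or whose untrusted host contains a trusted brand name (lookalike)."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = _host(href)
        if _is_trusted(host):
            continue  # the link really goes where it claims to
        shown_trusted = any(_is_trusted(d) for d in _domains_in_text(text))
        lookalike = any(d.split(".")[0] in host for d in TRUSTED_DOMAINS)
        if shown_trusted or lookalike:
            findings.append({"href": href, "text": text, "host": host})
    return findings
SAMPLE_EMAIL = (  # constructed sample phishing body, not a real message
    '<a href="http://examplebank-secure-login.net/verify">Verify your account</a>'
    '<a href="https://evil.example.net/x">https://examplebank.com/login</a>'
    '<a href="https://login.examplebank.com/">Contact us</a>')
```

Running suspicious_links(SAMPLE_EMAIL) flags the first two anchors and leaves the genuine login link alone.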
Baiting – In this attack, the attacker leaves malware-infected USB sticks in a place where employees of a company are likely to spot them. Then, all the attacker does is wait for someone to find one and plug it into their computer.
Quid pro quo – An attacker will call random numbers at a company pretending to be IT support returning a call. Eventually the attacker will reach someone who has a legitimate problem and will help them, but in the process will get them to do things that help him/her get into the system.
Social Engineering Countermeasures
- Proper training can prove to be useful to a company in dealing with social engineering. Use at least a portion of your mandatory annual training to cover this material. (Never give out your password, always make sure the person you’re talking to is who they say they are, etc.)
- Identify what information is sensitive and establish security protocols for that information.
- Make sure sensitive physical documents are properly discarded. (Shred discarded documents, sometimes the waste management service offers garbage bins with locks.)
- Conduct a Security Risk Assessment (SRA) per HIPAA at least annually. There is no such thing as a perfect security measure.
Director’s Comment: Client-side attacks like this are increasing across all industries, including healthcare. One reason is that organizations are taking steps to harden the perimeter, so the attack surface becomes smaller. As this occurs, attackers look to easier pickings, often relying on your employees to “open the door”. Healthcare workers have a natural inclination toward helping people, and this can be disastrous for your organization if they fall victim to a social engineering attack.
Find out additional ways hackers can get into your secure health IT network in our FREE ‘Tales from an Ethical Hacker’ webinar.