Security Audit = Social Engineering? Explain!
If you’re confused already, you’re likely older than 35 years old. If you know all about this, you’re likely younger than 30. If you want to learn more, you’re just plain smart. This is not an in-depth view of Security Audits and the name transition to Social Engineering. This is simply a brief overview, because if you’re like me, too much of this cyber talk could bore me to death. That’s why I have cyber guys for that and I deal with Physical Security and Investigations. This should be an easy read, though, that gives you an idea of whether your business can benefit or not. Which it can.
A Security Audit is a testing or audit of a company’s security system. It can test physical security, computer systems or both.
Social Engineering is the latest catch phrase for essentially the same thing as a security audit. The main difference is that security audits are slightly more step-by-step driven, while social engineering relies more on scientific methods and psychology to test, or change, the behavior of information networks and “human networks”.
Essential Knowledge or Vocabulary:
“Getting Inside” – Individuals who gain access to a building or information system. Typically this is done by some type of con game or sneaky means, like on the show Burn Notice, but sometimes it is by simply walking in unrestricted.
“Pre-Texting” – Telling a lie or creating a situation in order to get an employee to divulge some type of sensitive information that can be used for whatever purpose the suspect has. It could be very simple, such as “Hi, my name is John, I am from the community newspaper, can you take me on a tour and tell me about your business?” It can also be as high end as a person purposely getting hired in order to steal business information or assets.
“Pen Test” – Penetration Test. A covert attempt, typically a proactive approach, to break into a building, secure facility, computer information system or, in some cases, all of the above at once in order to test a system. The purpose is to show a company or corporate facility where it is weak and where it is strong in regards to safety, protection of trade secrets, information, etc.
Example circa 2014 – My firm (Paladin Investigations & Protection) conducted a Pen Test for a multi-million dollar corporation. In less than an hour we were able to gain access through the back doors of the building and walk out with several laptop computers, a couple of purses and expensive communication equipment. We had keys to company vehicles and more. All told, the total value was in the area of $75,000. As if that wasn’t bad enough, we could have easily planted chemical weapons or bombs, or shot several people. In addition, we were able to gain the use of a computer and access the company mainframe. Not one time were we challenged by employees. Imagine the insurance payouts and lawsuits for those potential losses.
“Phishing” – The process of trying to acquire sensitive information like usernames, passwords, and credit card details, for malicious reasons, by claiming to be a trustworthy entity in an email or text.
“Intrusion” – When a “social engineer” is able to gain access to an information system by conning an employee face-to-face, in person. At the basic level this is telling a big lie to steal information.
“Asset” – Anything of value to an organization, from information to property.
“Vulnerability” – A weakness in a system or its design that could be exploited by a threat: lack of firewalls, no password requirements, or simply no cameras or locks.
“Exploit” – An attack performed against a vulnerability.
“Countermeasure” – A protection that mitigates the potential risk to a system.
“Tailgating” – Following an actual employee through a door as a means of compromising the physical security of a facility, often in tandem with an effort to gain access to a network or information system.
So NOW YOU KNOW a little bit about the terminology. With that you have a quick basic-level lesson on Social Engineering and an idea of the What, Why and Where it can happen. So what’s next?
WHO NEEDS an audit or a Pen Test? Realistically? Any and all medium to large businesses that are potentially subject to physical harm, theft of company information, secrets or assets. Ask yourself when the last time you had one was and how much you stand to lose. Can you say Target, Facebook or GoDaddy? Can you say financial gain, political gain, revenge, fame or reparations? It happens to mom-n-pops, it happens to the big guys too, and it happens for multiple reasons.
* Nearly half of all large corporations are victims of social engineering.
* Cost per incident is between $25,000 and $100,000 on average for smaller companies.
* For large corporations the average cost is upwards of $2.5 million.
* The real cost comes from direct losses, in some cases large fines or penalties, damage to both personal and brand reputations and the erosion of customer loyalties caused by negative press.
TAKE ACTION – now that you know it CAN happen to your business:
1. Review your safety procedures and countermeasures. If you have some in place, make sure they are up to date and changed at least every couple of years. Phishing scams, Social Engineering and the con games are changing weekly, some even daily. You have to be prepared.
2. If you are unsure of your system’s integrity, make sure you have it checked out by a professional. It is well worth the time and money to have it done right.
3. Once your system is checked out, tests should still be run whenever:
   - Any major upgrades are applied to the system
   - Security patches are applied
   - User policies are modified
   - Any network infrastructure or apps are added
   - New physical locations are established
4. Call Paladin Investigations & Protection, LLC for a full Security Audit / Social Engineering inspection and testing in the Michigan and Great Lakes Region. If you’re outside this area, call someone local you can speak with and meet in person. The bottom line is that you need to call and assess your system’s security to protect your company, your proprietary information, your people and your reputation.
Post for Paladin Investigations & Protection, LLC
Saline, MI 48176 www.paladinpipro.com/