Despite the threat of identity fraud, cyber crime and espionage, people are still too trusting – sharing personal information with people they don’t know and posting their details online without a second thought as to how that seemingly useless information, in the wrong hands, can cost them.
And it’s not only users. Businesses, and big businesses at that, also don’t exercise appropriate control over how much information they give away or to whom they give it, allowing those with criminal intent to gather just the type of information they need about an organisation’s network and security infrastructure in order to get in and take what they want.
“Social engineering, both technical and non-technical, can be a serious threat to IT security for both end users and companies alike. The thing is that it’s something most of us do every day, very often as part of our jobs, and few of us recognise the danger of giving too much away,” says Richard Broeke, security consultant at specialist IT security company, Securicom, adding that he’s been able to solicit enough information in just one short interview with company risk managers themselves that he would be able to duplicate their entire network.
“A cyber criminal only has to catch you off guard and get you to answer a few pointed questions and he’s got all the ammo he needs to hack his way in. That’s why individual users and companies alike need to exercise extreme caution when it comes to sharing information with people or organisations you don’t know or trust. It doesn’t matter if it’s online, over the phone or face to face.”
So how can you avoid being conned out of vital, even confidential information, by a cyber criminal?
“Give the barest details. For the individual, a telephone number in the wrong hands at best puts you at risk of unsolicited calls from telemarketers while you are trying to have your dinner. Your e-mail address is a channel for spammers to bombard you with unwanted promotional material.
“But, for the more enterprising criminal, a telephone number is an ‘in’ for gathering more information about you if you, or whoever else answers your phone, is willing to give it to them.
“Then of course, cyber criminals can also use your e-mail address to send you spam containing spyware which tracks your internet habits and harvests important information including passwords, credit card details, internet-banking logon details and e-mail addresses.
“Think about it: addresses, work details, banking details, user names, passwords and such are all like little puzzle pieces that can be pieced together to tell a story about you or your business, a story that can be used by a cyber criminal for their own gain. Always be sceptical about handing over this kind of information.
“If you wouldn’t run up to someone at your local shopping mall and tell them your surname, birth date, where you work, your contact number, how many children you have and banking details, then why would you consider uploading this kind of information online or sending it via e-mail to a source you don’t trust?” questions Broeke.
The same goes for businesses, he points out.
“Companies must be wary of giving away information about their networks and security architecture. Never give away more information than what is already publicly available. This includes such seemingly insignificant facts as how many mail servers your company has and where they are located.
“And this applies when seeking the counsel of IT security experts. Don’t just hand over information about your network to someone just because they claim to be an IT or security expert.
“Make sure to check the credentials of the company and ask for proof. Instead of laying it all on the table, rather invite the consultants to conduct a vulnerability assessment of your company’s security environment and let them come back to you with what they have learnt about your network.
“Ideally, select a security provider that has been used and recommended by other businesses. Simply put, don’t be too trusting,” concludes Broeke.