Social engineering is a dangerous and increasingly popular attack vector, but businesses are still ignoring the threat.
“The risk is heavy,” said renowned social engineering expert Chris Hadnagy, who goes by the aliases loganWHD and HumanHacker.
“Too many companies are falling victim to social engineering attacks and doing very little to protect against it… [Social engineering] is used in everyday life and the bad guys are using it even more each day in each attack.”
Hadnagy said a single trusting individual with sufficient access credentials is enough to make an attack successful.
“If my goal is company-wide domination then a larger company has more people, more attack surface and a larger chance of failure,” Hadnagy said. “Yet people are so trusting that even small companies or individuals will be at risk.”
The effectiveness of social media attacks is on show at dozens of hacker conferences each year, which often prove that big budgets do not equate to good security.
One of the world’s largest beverage giants was the first to fall at a recent US social engineering challenge, after an Australian contestant swindled enough information from the company’s IT help desk to access its corporate network.
“Unfortunately, unless there is a large shift in the way the higher-ups think, [the risk of attack] will not change. What we need is for companies to stop waiting until after there is a breach in order to make penetration testing a priority.”
Annual, full black box audits are the best way for organisations to combat the risk of attack, Hadnagy said. Education and strong policy also help, but he said “these are time intensive fixes that need constant care”.
Hadnagy has worked in the IT industry for more than a decade and is focused on social engineering and physical penetration testing.
Copyright © SC Magazine, Australia