Thursday, May 25, 2023

Operating as a social engineer June 2, 2013

  


  

Before I get too wrapped up in the Hometown political scene and what it means to have so many former members of our office involved, I should make a better assessment of what likely occurred in our office when she came to us almost two years ago, and whether or not it was a calculated move, orchestrated by outside forces who needed to influence our editorial policy by having a mole within our organization.

Hacking experts – who usually focus on technical intrusions by black hat hackers – call what she apparently did “Social Engineering” – different from the political stuff we see churned out in colleges as education.

“Social Engineering takes advantage of what’s likely the weakest link in any organization’s information security defenses: people,” one expert concluded recently. “Social Engineering is people hacking; it is maliciously exploiting the trusting nature of human beings to obtain information that can be used for personal and often political gain.”

Social engineering, this expert says, is one of the toughest hacks to pull off.

“It takes bravado and skill to come across as trustworthy to a stranger,” the expert wrote. “By far, it is the toughest thing to protect against because, again, people are involved and they’re often making their own security decisions.”

In social engineering, those with ill intent pose as someone else to gain information or position in a company that they cannot gain otherwise. Sometimes social engineers act like confident, knowledgeable managers or executives; at other times, they play the roles of extremely uninformed or naïve employees – such as being a cub reporter.

“Social engineers are great at adapting to their audience,” this expert wrote. “It takes a special type of personality to pull this trick off, often resembling that of a sociopath.”

Many social engineers perform their attacks slowly to avoid suspicion, although many begin their operation against a person through emails, phone calls or texts.

“The methods used depend on the attacker’s style and abilities,” the writer said. “Either way, you’re at a disadvantage.”

Social engineers often know a little about a lot of things, often using social media to gather information about their target. Social engineers’ knowledge and determination give them the upper hand over management and employees, who don’t realize they are under attack and trust their attackers.

They often operate in an environment where a company has multiple locations, taking advantage of distance between employees.

The target can be anybody in an organization from receptionist to security guards to executives – trickling up.

People who operate the phones and interact with the public are often vulnerable targets since they like to be helpful and share information.

“Because the objective of social engineering is to coerce someone to provide information that leads to ill-gotten gains, anything is possible,” this writer points out.

Social engineering attacks are difficult to detect or protect against. Often, they aren’t well documented. And social engineers are limited only by their imaginations. Many such attacks don’t become obvious until after they have concluded.

“With social engineering, you never know the next method of attack,” the writer says.

Trust is the essence of social engineering.

“Most people trust others until a situation forces them not to,” this writer says. “People want to help one another, especially if trust can be built and the request seems reasonable.”

Most people want to be team players.

“This trust allows social engineers to accomplish their goals,” the writer says. “Building deep trust often takes time, but crafty social engineers can gain it within minutes or hours.”

The friendlier social engineers are – without going overboard – the better their chances of getting what they want.

“Social engineers often begin to build a relationship by establishing common interests,” he says.

They often use information they get to determine what the victim likes and then the social engineer pretends to like those things, too.

“They can phone victims or meet them in person and based on information the social engineers have discovered about the person, start talking about local sports teams or how wonderful it is to be single again. A few low key and well-articulated comments can be the start of a nice new relationship.”

The whole hack depends upon believability, which is based in part on the knowledge social engineers have and how likeable they are.

They often come into an organization as new employees.

“Often they modestly claim authority to influence people,” the writer said. “The most common social engineering trick is to do something nice so that the victim feels obligated to be nice in return or to be a team player for the organization.”

After the social engineers obtain the trust of their unsuspecting victims, they coax the victim into providing them with what they wanted in the first place.

“Social engineers do this through face-to-face or electronic communication that victims feel comfortable with, or they use other technology,” the writer says.

Careless or overly anxious social engineers, however, sometimes give themselves away. They act overly friendly or eager. They brag about their growing authority, act nervous when questioned, appear rushed, use insider slang they haven’t earned yet, ask strange questions, and so on.

“A good social engineer isn’t obvious,” this writer says. “Social engineers often do a favor for someone and then turn around and ask that person whether they mind helping them. This common social engineering trick works pretty well.”

Social engineers also engage in reverse social engineering. They offer to help if a specific problem arises (sometimes something they themselves orchestrated) and then help fix the problem.

“They may come across as heroes, which can further their cause,” he writes. “Social engineers may ask an unsuspecting employee for a favor. Yes – they outright ask for a favor. Many people fall for this trap.”

Technology makes things easier for the social engineer.

“The process of social engineering is pretty basic,” this expert says. “Generally, social engineers discover details about people, organization processes and information systems to perform their attacks. With this information they know what to pursue.”

There are four basic steps to social engineering: doing research on the target person, building trust with that person, exploiting the relationship through words, actions or technology, and then using this information or status for personal gain.

“When social engineers have a goal in mind, they typically start the attack by gathering public information about their victim,” he writes. “Many social engineers acquire information slowly over time so that they don’t raise suspicion. However, obvious information gathering is the tip-off.”

Sometimes, social engineers gather information about their victim by listening in on conversations or asking others about their victim. They sometimes listen in to their victim’s voice mail when their victim is out of the office.

“Never underestimate the power of social engineers and the gullibility of your users in helping them get their way,” he writes.

Now, a whole year or more later, it becomes obvious that she operated as a social engineer in our office.

The question remains, did she do it on her own behalf (trickling up) or was she operating on behalf of RR or some of the other political people who wanted to control the content of our editorial?

This leads to the next question. Does she still have influence over us in our office? And if so, will she and A use that influence in the upcoming election?

 

email to Al Sullivan
