Social engineering is a method of hacking that relies on human interaction rather than a technical flaw. It exploits people's helpfulness and trust to get them to open a security door, unknowingly, and let an attacker into even well-protected systems, including those of transportation and governmental agencies. It can happen anywhere and come from anyone, so here is what you need to know:
There are several kinds of social engineering attacks, but here are two examples that transportation and government agencies may be unprepared for:
- Your employee finds a flash drive in the parking lot, brings it inside and plugs it into a work computer, hoping to find out whose it is. The drive was planted and carries malware, and by plugging it in the employee has handed the attacker a foothold on your network.
- An attacker reaches out to your employee by email or phone and asks questions like the ones below. They are not about passwords and seem innocent enough, but the answers give the attacker a short list of likely passwords to try:
- Do you have any pets? When did you get them?
- What is the most important thing to you?
- When is your birthday?
These are two common methods, but be aware that attacks also arrive by phone, dumpster diving, social media, dropped USB drives, phishing emails, fake technicians and other in-person approaches.
Although this kind of attack can seem elusive and difficult to avoid, there are several strategies transportation organizations can implement to minimize the risk.
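The following is an added example, not part of the original article, showing how the "innocent" answers above turn into a small, highly targeted guess list, and how the same generator can be used defensively to reject a password before it is set. The function names, the sample facts and the suffix and symbol lists are assumptions made here about common password habits:

```powershell
# Added example (not from the original article). Builds the password guesses an
# attacker would derive from a few personal facts, and reuses the list to flag
# passwords that should never be accepted. Function names and sample data are ours.

function Get-PersonalInfoCandidates {
    param([Parameter(Mandatory)][hashtable]$Facts)

    # Words people build passwords around: pet name, "most important thing", etc.
    $words = @()
    foreach ($key in 'PetName', 'Important') {
        if ($Facts[$key]) { $words += [string]$Facts[$key] }
    }

    # Numeric tails derived from the dates the questions elicit (assumed formats).
    $tails = [System.Collections.Generic.List[string]]::new()
    $tails.Add('')
    if ($Facts['Birthday']) {
        $bday = [datetime]::ParseExact([string]$Facts['Birthday'], 'yyyy-MM-dd', $null)
        foreach ($fmt in 'yyyy', 'yy', 'MMdd', 'ddMM', 'MMddyy') { $tails.Add($bday.ToString($fmt)) }
    }
    if ($Facts['PetYear']) { $tails.Add([string]$Facts['PetYear']) }

    # Symbols commonly tacked on to satisfy "complexity" rules (assumption).
    $symbols = @('', '!', '1', '123', '#')

    $candidates = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($w in $words) {
        foreach ($t in $tails) {
            foreach ($s in $symbols) {
                [void]$candidates.Add("$w$t$s")
                [void]$candidates.Add("$t$w$s")   # digits first, e.g. 2019Biscuit!
            }
        }
    }
    return [string[]]$candidates
}

function Test-PasswordDerivable {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][hashtable]$Facts
    )
    $candidates = @(Get-PersonalInfoCandidates -Facts $Facts)

    # Exact hit on the generated guess list (-contains is case-insensitive).
    if ($candidates -contains $Password) {
        return [pscustomobject]@{ Derivable = $true; Reason = 'matches a guess built from known personal facts'; Guesses = $candidates.Count }
    }

    # Weaker signal: the password merely contains one of the facts (-match is case-insensitive).
    foreach ($key in 'PetName', 'Important') {
        $word = [string]$Facts[$key]
        if ($word.Length -ge 3 -and $Password -match [regex]::Escape($word)) {
            return [pscustomobject]@{ Derivable = $true; Reason = "contains the $key '$word'"; Guesses = $candidates.Count }
        }
    }
    return [pscustomobject]@{ Derivable = $false; Reason = 'no personal-fact pattern detected'; Guesses = $candidates.Count }
}

# Constructed sample: what one friendly phone call might collect about an employee.
$facts = @{ PetName = 'Biscuit'; PetYear = 2019; Important = 'family'; Birthday = '1985-07-14' }

Test-PasswordDerivable -Password 'Biscuit2019!' -Facts $facts
Test-PasswordDerivable -Password 'r7$Lq2!vM9pZ'  -Facts $facts
```

With just four facts the generator produces well under two hundred guesses, which is why a handful of chatty answers is worth more to an attacker than a brute-force attempt. Run against your own password policy, the same list is a cheap pre-check that catches exactly the passwords the article warns against.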
- Train employees. Many employers train on cybersecurity, but some trainings skip social engineering entirely. Employees learn what to look for in an email before flagging it as spam, but are unprepared for real-world interactions with attackers. That gap leaves them, and your network, vulnerable.
- Limit USB port access. One way to slow down attackers using the USB method is to ensure only a handful of essential employees have unlocked access to USB storage. On this note, AutoRun and AutoPlay in Windows should also be disabled so that an inserted DVD, CD or USB drive cannot launch anything on its own. Keep in mind that disabling AutoRun only stops automatic execution; it does not stop an employee from opening a file on the drive by hand, which is why the access restriction matters too.
- Encourage passwords free of personal information. Passwords built from public (or easily obtained) personal details such as pet names and birthdays are far too easy to guess. Random passwords that carry no personal information are, for all practical purposes, much harder to guess. Keep in mind that they are also harder to remember, so you must discourage sticky notes under keyboards and unprotected files named things like PW, PASS or Passwords.
- Be wary of unsolicited requests for help. These requests often appear to come from a trusted individual, such as a coworker or manager, but they usually involve sending money or handing over your phone number, password, email, etc. Bottom line: if you aren't sure, contact the sender directly through a channel you already trust (by phone or in person) before going any further.
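As an added example that is not part of the original article, here are the Windows registry settings behind the "limit USB access" and "disable AutoRun" advice above, wrapped in two helper functions whose names are ours. It assumes an elevated PowerShell session on a single Windows endpoint; on domain-joined machines the same values should be deployed through Group Policy rather than set by hand:

```powershell
# Added example (not from the original article): registry-level equivalents of the
# Group Policy settings that disable AutoRun/AutoPlay and deny removable storage.
# Helper names are ours. Run elevated; the USBSTOR change takes effect after a reboot.

$ExplorerPolicy  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$RemovablePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$UsbStorService  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Set-RemovableMediaPolicy {
    param(
        # Use this switch only on the few machines whose users genuinely need USB storage.
        [switch]$AllowRemovableStorage
    )

    # AutoRun/AutoPlay off for every drive type (0xFF sets all drive-type bits),
    # and no autorun.inf commands executed at all.
    New-Item -Path $ExplorerPolicy -Force | Out-Null
    Set-ItemProperty -Path $ExplorerPolicy -Name NoDriveTypeAutoRun -Type DWord -Value 0xFF
    Set-ItemProperty -Path $ExplorerPolicy -Name NoAutorun          -Type DWord -Value 1

    # Removable storage: deny all access unless this machine is on the exception list.
    New-Item -Path $RemovablePolicy -Force | Out-Null
    $deny = if ($AllowRemovableStorage) { 0 } else { 1 }
    Set-ItemProperty -Path $RemovablePolicy -Name Deny_All -Type DWord -Value $deny

    # Belt and braces: keep the USB mass-storage driver from loading at all
    # (Start=4 disabled, Start=3 is the default manual start).
    $start = if ($AllowRemovableStorage) { 3 } else { 4 }
    Set-ItemProperty -Path $UsbStorService -Name Start -Type DWord -Value $start
}

function Get-RemovableMediaPolicy {
    # Read the same values back so the posture can be audited across a fleet.
    $explorer  = Get-ItemProperty -Path $ExplorerPolicy  -ErrorAction SilentlyContinue
    $removable = Get-ItemProperty -Path $RemovablePolicy -ErrorAction SilentlyContinue
    $usbstor   = Get-ItemProperty -Path $UsbStorService  -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        AutoRunDisabled = ($explorer.NoDriveTypeAutoRun -eq 0xFF) -and ($explorer.NoAutorun -eq 1)
        RemovableDenied = ($removable.Deny_All -eq 1)
        UsbStorDisabled = ($usbstor.Start -eq 4)
    }
}

# Default: lock the machine down. Exempted workstations run with -AllowRemovableStorage.
Set-RemovableMediaPolicy
Get-RemovableMediaPolicy
```

Two caveats worth knowing before rolling this out: Deny_All blocks read and write access to every removable storage class, CD and DVD drives included, so the exception list has to cover any device a role legitimately depends on; and none of these settings stop a malicious USB device that presents itself as a keyboard rather than a drive, which is one more reason employee awareness has to accompany the technical control.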
There are several more protection methods and strategies you can use to prevent or minimize these attacks. For more suggestions or for help implementing these strategies, reach out to us.