Despite Hollywood's glamorized portrayals, most hackers rely less on advanced computer skills to collect sensitive information, and more on "social engineering" to allow them access to secure networks and sensitive data.
Social engineering is a method of intrusion that hackers use to manipulate a person's trusting nature, often to obtain a user's account credentials (username and password) in order to access sensitive information on a network. Social engineering is popular because it takes advantage of the trusting and helpful nature of most people and the fallibility of humans: it is far easier to trick someone into revealing his or her password than it is to invest the time to hack into a network where the target has deployed strong security controls and effective monitoring.
For healthcare providers, a comprehensive network security strategy involves more than up-to-date technical configurations. Savvy healthcare IT teams are investing in employee security awareness training and organization-wide vigilance to combat commonly used social engineering tactics. They understand that anyone with access to the network or sensitive data is a potential target.
Healthcare providers can better protect themselves and their data by recognizing some of the most common social engineering tactics that hackers employ:
Utilize trusted sources: email from a colleague
One of the most common social engineering tactics is an attack that masquerades as an email from a friend or colleague. Because it appears to come from a "trusted" source, recipients seldom question whether such emails are legitimate. Unfortunately, today's risk environment requires that all users question any email from a co-worker, friend or relative that includes a link or attachment.
Why? Because hackers can utilize compromised or impersonated email accounts to exploit the trust of others in your organization and gain access to even more sensitive information.
Other malicious emails may carry malware as attachments disguised as documents, pictures, movie or music clips. IT teams know that these innocuous-looking emails may also contain links to sites that download malware to the recipient's computer, granting the hacker access to the user's machine and possibly deeper into a secure network. Either scenario can give a hacker an easy entry point to a computer on your network.
Instill a sense of urgency
Hackers also send emails that offer to help resolve a problem, such as a security issue that promises to be addressed by clicking a link or downloading a software patch. These may appear to come from a familiar, trusted source — your bank, a popular software vendor, or a security firm.
Rather than patching a security hole, the link or download may be giving a hacker access to your computer or network. The receiver, thinking he or she is being proactive in remedying a potential security issue, has done the opposite and created one! These emails are effective because they create a sense of urgency and play on fear, another type of social engineering.
Think, research and delete
Social engineering works primarily because people don't take the time to consider whether these emails, or just as often a phone call, are legitimate. Hackers and other criminals are con artists who depend on "the mark" to act first and think later. This is why a little research can go a long way toward determining whether you are being targeted.
- If the message from a colleague seems the least bit odd, confirm that it is legit before clicking a link or downloading any attachment.
- Emails that convey a sense of urgency shouldn't be trusted at all. Warnings of a massive security hole that needs to be patched will be big news. If the warning isn't making the front page with a trusted news organization, it isn't likely a real concern. Further, most vendors don't proactively notify every affected user via e-mail. They rely on IT departments or automated operating system check-ins from personal computers to identify and patch vulnerable software.
- No financial institution or government agency will ask for any sensitive information via email.
- Remember, attachments, just like links, should always be treated with suspicion.
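The checks in the list above (odd sender, urgency language, links and attachments) and in the employee tips later in this post can be turned into a first-pass triage script that a help desk or mail gateway runs over a reported message before anyone clicks. The following is an added example, not code from the article or from LBMC; it uses only the Python standard library, assumes a hypothetical trusted domain "clinic.example", and the two sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that pressure the reader to act before thinking (assumed list, extend as needed).
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "account will be suspended", "act now")
# Attachment types that run code or carry macros when opened (assumed list).
RISKY_ATTACHMENTS = (".docm", ".xlsm", ".pptm", ".js", ".vbs", ".exe", ".scr", ".hta")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Domain of an email address, or hostname of a URL, lowercased."""
    value = value.strip().lower()
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1]
    parsed = urlparse(value if "://" in value else "http://" + value)
    return parsed.hostname or ""


def looks_like_url(text):
    return "://" in text or text.lower().startswith("www.")


def triage(raw_message, trusted_domain):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []
    trusted = trusted_domain.lower()

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = host_of(addr)
    if addr and from_domain != trusted:
        findings.append(f"external sender domain: {from_domain}")
    # Display-name spoofing: the name shows an internal address, the real address is elsewhere.
    if "@" in name and host_of(name) != from_domain:
        findings.append(f"display name claims {host_of(name)} but address is {from_domain}")
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and host_of(reply_addr) != from_domain:
        findings.append(f"reply-to domain {host_of(reply_addr)} differs from sender domain {from_domain}")

    subject = (msg.get("Subject") or "").lower()
    hits = [term for term in URGENCY_TERMS if term in subject]
    if hits:
        findings.append("urgency language in subject: " + ", ".join(hits))

    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_ATTACHMENTS):
            findings.append(f"macro-enabled or executable attachment: {filename}")
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            for href, text in collector.links:
                # Visible text that names one site while the href goes to another.
                if looks_like_url(text) and host_of(text) != host_of(href):
                    findings.append(f"link text shows {host_of(text)} but points to {host_of(href)}")
    return findings


# Constructed sample: a lookalike "IT support" message with every red flag from the checklist.
PHISHING_SAMPLE = """\
From: "it-support@clinic.example" <alerts@mail-update.example>
Reply-To: helpdesk@reply-collector.example
Subject: URGENT: your password expires within 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Click <a href="http://login.mail-update.example/reset">https://portal.clinic.example/reset</a> to keep access.</p>
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12
Content-Disposition: attachment; filename="policy.docm"

AAAA
--b1--
"""

# Constructed sample: an ordinary internal note.
BENIGN_SAMPLE = """\
From: Jane Doe <jane.doe@clinic.example>
Subject: Agenda for Thursday
Content-Type: text/plain

The agenda is on the shared drive under Meetings/Thursday.
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage(sample, "clinic.example"))
```

The script only flags; a human still verifies by phone or in person, as the checklist says. Header checks alone are not proof either way, since a genuinely compromised colleague's mailbox will pass every sender test, which is exactly why the "seems the least bit odd" rule still applies.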
Don't ignore social engineering on the phone
Watch for the same type of attacks on smartphones. While users are becoming more savvy when it comes to securing their desktops, the same due diligence isn't often done when it comes to mobile devices. Hackers employing social engineering tactics know this and will try to exploit it. All the same common sense security rules should apply on all types of devices.
Social engineering works so well because it preys on human trust. To avoid being a victim, share these tips with your employees:
- Don't share or volunteer information via email
- Avoid clicking on links from strange email senders
- Avoid opening suspicious and unexpected attachments, and don't opt to "enable macros" or "active content" if prompted by Microsoft Office
- Think before responding to questions or situations that seem unexpectedly urgent
- Use the telephone to verbally confirm critical actions such as requests to transfer funds prior to carrying out the request
Remember that it isn't always advanced software that hackers use to access a secure network; often they exploit the trusting nature of its users.
To guard effectively against falling victim to social engineering, your security awareness training program should stress to employees that they must be careful what they click, what they share, and whom they trust.
In his role as partner with LBMC Information Security, Mark directs the firm's resources to craft security solutions that mitigate security risks in a way that is practical and relevant to the organization's environment.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.