In the recent past there has been a significant influx in the number of organizations as well as individuals that are using computers to carry out their daily activities. Most of these organizations and people that have embraced computers into their daily operations rely heavily on the internet. They mainly use the Internet for the purposes of communication. As a result of the increase in the number of computers’ users, there has consequently been an increase in threats to information communication technologies and most importantly threats to computers (Hadnagy 2010). A computer usually faces a lot of security threats as it carries out its functions. The most common type of threat that a computer faces is viruses. Computer viruses are usually used by the attackers as a mean to cause a malfunction on a target computer or a target computer network.
Despite the numerous number of anti viruses that have been developed in order to prevent the computer from the attacks, computers continue to face and succumb to attacks. This is because computer attacks come in more than one form (Hassan, et al. 2010). However, it is imperative to take note of the fact that Information Technology security is important to an organization thus it should make considerable effort to make it effective and efficient. This is mainly because the nature of information that is conveyed via information technologies contains a lot of company intelligence.
In most cases when the attackers are unable to successfully launch attacks on a computer they usually engage in social engineering. The art and technique of exploiting the psychology of a human being in order to gain authorized access to data warehouses, buildings or computer systems is commonly referred to as social engineering. These techniques aim at obtaining information that would enable the attacker to invade a system without raising alarm (Luo, et al. 2011). The following is a list of examples of information that the attackers seek to obtain from employees: the identity of an individual that has the right to privileged access, passwords, keys, bank account numbers, usernames, identity badges and access cards, and list of phone contacts among others. The main tactic that is employed by the social engineers is identity theft and this is because social engineering aims at obtaining organization intelligence without detection. Recently more and more information technology systems have become victims of social engineers. This is attributable to the rise in the number of organizations that are using computers as a means of executing their daily tasks.
This paper will use a case study of ABC Ltd in order to describe some of the issues that pertain to information technology threats and social engineering (Tolman 2008). It will explain internal threats to the information technology by providing examples from the case study. The paper will define social engineering and discuss some of the social engineering tactics that are commonly used. Finally it will provide a brief description of the various forms of internal control frameworks that can be used to curb social engineering.
Explain the internal threats to Information Technology security in ABC Ltd.
More often than not internal threats to information technology security in ABC Ltd as well as other organizations arise as a result of the negligence of the members of stuff. One of the areas where the information technology systems of ABC Ltd are vulnerable is with regard to the outsourcing of information technology services (Tolman 2008). This is mainly attributable to the fact that during outsourcing an external party will obtain access to the sensitive information pertaining to the company. This implies that ABC Ltd will entrust most of the secrets of its business to XYZ Ltd. As a result of this it is evident that XYZ Ltd can leak the business intelligence of ABC Ltd either knowingly or unknowingly.
Another area in which ABC Ltd is vulnerable to attacks is the granting of unlimited access to Ms. Dallas who is the chief executive officer of XYZ Ltd. Ms. Dallas consequently delegates the authority to Tatyana who is one of her employees. This authority grants Tatyana unlimited access to the premises of the organization and administrative privileges to the computers of the organization (Mann 2008). It is also important to highlight that Tatyana has access to the computer of the chief executive officer of ABC Ltd and this means that she is able to see the dealings of the entire organization. This puts the organization in a vulnerable position because Tatyana is not a permanent employee of the organization. As a result of this Tatyana can decide to trade company intelligence to the rivals of ABC Ltd such as PQR Ltd or even work for them.
ABC Ltd is vulnerable to threats of Information technology because of the fact that most of the employees of XYZ Ltd are members of the social networks. This in turn implies that most of their personal information is contained online (Hadnagy 2010). As a result of this such information can be target by a social engineer who can use such information to design attacks against ABC Ltd. The main technique that the social engineers can employ is impersonation however this does not mean that the other social engineering techniques are not viable.
What is social engineering? Describe the most common tactics of social engineering. In your answer refer to at least two journal articles.
Social engineering is the art and techniques of gaining unauthorized access to the computer systems, data warehouses and computer networks among other information technologies. Social engineering heavily relies on the exploitation of the psychology of a human being in order to gain unauthorized access to the information technologies (Hassan, et al. 2010). Social engineering mainly targets at obtaining information that is pertinent to the identity of the employees. The attacker then uses this information in order to dupe the system and gain unauthorized access. In most of the cases the main aim of the social engineering is to obtain company intelligence. Social engineered attacks have been on the rise due to the widespread use of the computers. Another factor that has greatly contributed to the influx of the social engineers attacks is the prevalence of cut throat competition in the world of commerce. Social engineering is becoming widespread as a result of organizations developing various means and techniques of conducting business. Organizations effect proper security mechanisms that will ensure that the security of the information is well safeguarded.
Most of the organizations usually convey through information communication technologies. Organizations also store such information in secured information technology devices. Access to the information of this nature is usually limited to a few individuals within the organization (Luo, et al. 2011). Such information is conveyed and stored in well secured information technology because it is considered to be company intelligence. In most cases a company can secretly launch attacks on the information technology systems of rival companies. At times social engineers can choose to independently launch attacks against a company in order to obtain intelligence which they can later resell. At other times social engineers can launch attacks for non commercial interests such as activism.
The social engineers employ various techniques in order to be able to obtain unauthorized access to the information technology systems of an organization. One of the most commonly used tactics by the social engineers is impersonation. This is whereby the social engineers pretend to be one of the employees of the company in order to acquire unauthorized access in to the organization. Impersonation can be done physically or through the use of the software. Social engineers can employ physical impersonation as a way of obtaining data from an organization through the acquisition of illegitimate access passes (Maan & Sharma 2012). The attackers can dupe one of the employees of the organization into volunteering details regarding his or her access pass. Employees might also lose their access pass and then they are picked up by the social engineers who reconfigure the access pass in a manner that will enable them to maneuver the security systems. Social engineers can also impersonate themselves through the use of the software. They usually do this by duping employees into surrendering information that will enable them to gain digital access into the organization. Impersonation through the use of the software is the most common technique that is employed by the social engineers.
Social engineers can also gain access into the organization through the exploitation of the sympathy of employees. This is usually a scenario whereby the attacker poses as a one of the employees of the organization who is experiencing some form difficulties and needs the help of the organization. In most cases an employee would be compelled to help his or her colleague because they tend to sympathize with his/her colleague (Luo, et al. 2011). In the process of helping the so called colleague in trouble the employee within the organization is normally duped into presenting of the personal information. This personal information is then utilized by the social engineers to launch attacks on the target company.
Another technique that is commonly used by the social engineers is phishing. This is a technique whereby the attacker sends an email with a link to the employees of an organization. In the email the attacker normally requires the employee to click the link in order to access something. The social engineers normally design the link in a manner when the employee clicks the links then he or she is required to present personal information. When the employee types in his/her personal information the attacker obtains the information and uses it to conduct subsequent attacks.
Social engineers also employ intimidation as one of the techniques of enabling them to gain unauthorized access into the organization. The social engineer normally poses as someone that has authority over the caller for instance the managing director (Hassan, et al. 2010). The social engineer then makes sure that he or she addresses the caller in a manner that will intimidate them. For instance the social engineer might pose as the managing director of the company and accuse the employee of misconduct. During the process of accusations the so called managing director may require the employee to surrender some information in order for the issue to disappear.
It is also imperative to take note of the fact that the social engineers can create confusion in order to gain an authorized access into an organization. Case and scenario is when a social engineer turns on the fire alarm in order for the members of stuff to hurriedly rush out of the office (Maan & Sharma 2012). In most cases when the fire alarm is triggered the members of staff normally run out of the office without logging out their sessions. When the employees have run out, the social engineers normally rush to a target computer and carry out their dirty work as quickly as possible.
Explain the social engineering tactics used by Dallas and Tatyana. What other social engineering tactics could Dallas and her subordinates use to undermine IT security in ABC Ltd?
Ms. Dallas and Tatyana are taking advantage of their friendship in order to obtain business intelligence pertaining to ABC Ltd (Hadnagy 2010). This is the case because Tatyana often goes out for lunch with Mr. Hilton and Mr. Milton. During the lunches for most of their conversation they discuss matters to do with the business strategies of the organization, dividends policy, as well as product pricing. After these deliberations Tatyana meets Ms. Dallas who obtains the information from her and she later conveys the information to a PQR Ltd who is a rival competitor of ABC Ltd.
As the administrators of the computers within the organization, Tatyana and Ms. Dallas have the ability to dupe employees into volunteering personal information. After receiving this information Ms. Dallas and Tatyana can use it to obtain more intelligence about the day to day operations of ABC Ltd. This information they can later convey to PQR Ltd who is one of the competitors of ABC Ltd (Tolman 2008). Such information can enable PQR Ltd to gain unfair competitive advantage against ABC Ltd. Other examples of the social engineering techniques which the two can use are phishing, hoaxing, causing confusion, office snooping and dumpster diving.
Referring to the internal control frameworks, suggest how ABC Ltd could reduce its threats to IT security. What limitations might there be in using these frameworks to reduce these threats?
ABC Ltd should train more and more members of its own staff with regards to matters pertaining to information technologies. This training will ensure that most of the work relating to the information technology is carried out within the organization. This will significantly ensure the security of business intelligence for ABC Ltd. The organization should also publish more articles on social engineering and these articles should be distributed to the employees of the organization. This will serve to inform the employees on the techniques that are being employed by the social engineers. The management of ABC Ltd should also ensure that they have put stiff penalties on employees who are found to be guilty of negligence with regards to the use of the information technology (Mann 2008). The organization should also formulate policies and procedure for preventing social engineering attacks such as issuing of new passwords after a short duration of time.
One of the challenges of instituting internal control frameworks is that it is managed by human beings. This means that although the degree of vulnerability might reduce, the system cannot be completely free from the errors (Hadnagy 2010). Another challenge is that ABC Ltd might develop very effective and efficient information technology internal control frameworks but the implementation may be poor. As a result of this ABC Ltd will remain vulnerable to the social engineering attacks.
According to the discussions that have been carried out throughout this paper it is evident that social engineering is part and parcel of our society. Through the analysis of the various forms of internal threats to information technology security the paper has highlighted some of the loop holes (Hadnagy 2010). Social engineering techniques have also been discussed and this has facilitated the identification of the role of employees with regard to the information technology security. This paper has also briefly explained how social engineering works thus facilitating the development of internal control frameworks. These internal control frameworks can be used effectively and efficiently to mitigate threats to the security of the information technologies.