Social Engineering


7% of the attacks suffered by a company or a person come from social engineering. Yet the attention, investment and relevance that organizations and companies give it is practically null. Before spending millions on security devices and firewalls, build a foundation of training and awareness across the entire structure of people in your company.

Social engineering techniques are used by people and companies with unethical intentions to gain access to your company's facilities and assets, since people are the most defective security product that exists. They may try to trick you into giving up your email password over the phone, or search through containers for discarded paperwork; there are many ways in which someone can endanger the security of your company.

We must instill "critical thinking" in the minds of the people who are part of the company or organization so that they can deal with these social engineering attempts. Critical thinking means thinking twice about what you are doing or are asked to do.

Companies usually discard all kinds of documents containing sensitive data. Obtaining that information is as easy as going to the container where the documents are thrown away. In the best case, companies comply with the regulations and contract document destruction services.

The tactics used by people or companies to steal information are not limited to the cyber environment; they also try to get physically into buildings, cafeterias, events, etc. These tactics range from giving away a USB drive with malware installed to posing as maintenance personnel, suppliers or other collaborators not necessarily internal to your company, wearing the official uniform of our external collaborators.

Find out, at every level of your organization, whether your employees, partners or collaborators can be influenced or deceived into handing information, money or privileges from the organization to a competitor or attacker.

Social engineering could be seen as the biggest security hole we can find on the Internet, since it is closely tied to human behavior and is difficult, but not impossible, to control or mitigate. Attackers take advantage of basic human emotions such as curiosity, fear or empathy to manipulate people into falling for their provocations.

We classify social engineering techniques into three groups:

  • Passive method:

    Observation, non-contact techniques, password recovery, social engineering and mail, IRC or other chats, telephone, letter or fax.

  • Non-aggressive method:

    Induction, accreditations, looking for discarded documents, looking over your shoulder, tracking people and vehicles, building surveillance, agendas and phones.

  • Aggressive method:

    Depersonalization, blackmail or extortion, psychological pressure or impersonation.

The best way to prevent any attempt to exploit the personnel of your organization is prevention and awareness among that personnel. At Andubay we take care to inform, train and raise awareness of every person related to the company, from reviewing the existing action protocols to implementing new and corrected ones.