Ever heard of "Road Apples"? And no - we're not relating to a piece of horse droppings at the side of a road. These "apples" are far more dangerous.
Security is only as strong as its weakest link. Unfortunately, most of the time, people are the weakest link. You may have spent a fortune on hight-tech security, state of the art firewalls, complex remote access frameworks and access passes to even enter the building. But be honest - do You know what a Road Apple is, and what kind of threat it poses? And more importantly, do your employees know?
Let's cover the basics first. Social Engineering in general manipulates people into sharing sensitive data, like logins and payment information. This is done by tricking the target into handing over information, usually done by posing as someone trustworthy: a colleague, a janitor or a governmental/authority person. By playing emotions like fear and trust they exploit human error to deceive their victims, and thus gaining access to valuable and sensitive information.
They might call you on the phone posing as a representative from your bank, they may send you an email claiming to be a colleague from another office abroad, or they may even knock on your door saying they are there to fix the ventilation. A well-planned social engineering attack can totally wreck an organization.
A more "creative" type of social engineering attack, based on human curiosity, are Road Apples - a social engineering attack based on a Trojan Horse type of attack. In a typical Road Apple attack, a cyber criminal takes a device - for instance a USB memory stick - and taints it with malware. They then present the tainted USB memory stick (in this case) to the public, and waits for someone to take the bait.
Usually some worker in the targeted organization will see the USB memory stick (or Road Apple) on the ground, table or floor where it was left. Then curiosity to investigate the content of the USB memory stick, and perhaps return it to its rightful owner, makes the worker carry the tainted device into the office and insert it into his/hers computer, executing the malware either by tapping on it or having it automatically executed. Straight through all your fancy security solutions!
Your security might look solid, but if the people are not aware and educated regarding the types of attacks used, it is all pointless. Stay well educated, stay alert, and take care out there!
Farsight is a Swedish IT development partner that makes people and organizations grow! We are your ”go-to-guys” regarding all your IT systems, technology and IT-security subject matters. At the same time, we are local community builders and ensue a sound labour market and good ethics. Our business is all about finding clever solutions for secure access, management and communication of business-critical information.