Aug 12, 2014

Social Engineering, Your Hosting Provider and Security

As prevalent and sophisticated as IT security threats are today, one of the most significant threats doesn’t involve writing complex code, spreading a virus, or launching a denial of service attack. As attackers have known for a long time, one of the potentially most effective attacks is social engineering, the art of manipulating people to gain access or information to something the attacker is not supposed to have. This type of attack may be low-tech, but it’s just as dangerous as any other major threat, and arguably more so.


What is Social Engineering?

Social engineering is designed to exploit human error, manipulating victims to turn over the sensitive information the attacker is looking for. While technology can be difficult to defeat, humans can be a chink in an organization’s armor. This kind of attack indeed turns up at hosting companies, and as the gatekeeper for customer accounts, we see attempts at social engineering happen at Codero.

These malicious individuals try to gain customer information, trade secrets, or details on the internal structure of the targeted company among other critical information. The attackers may pose as support technicians, executives, finance personnel for customer companies or even as employees. And while the motives for the attacks may differ, the attackers are likely probing for weaknesses, or attempting malicious behavior such as resetting a password, taking a server offline, etc. in order to exploit them for their nefarious purposes.


Frank Abagnale” – Licensed under CC BY 2.0 via Wikimedia Commons.

Perhaps the most widely known example of social engineering is the story of Frank William Abagnale, Jr. Abagnale, whose life was depicted in the Spielberg film “Catch Me if You Can,” serves as a prime example of what can be accomplished using social engineering and a little know-how. He was able to convince people that (among other things) he was a doctor and an airline pilot.

While Abagnale’s attempts at social engineering were fairly overt, modern day attempts are often much more subtle. Frequently, in an attempt to disguise the attack, the attacker won’t go for their target information directly, but will attempt to piece it together in a round-about way over many interactions so as not to arouse suspicion.


The Weakest Link in Any Security System

Despite all the fail-safes, all the layers of security technology – encryption, virus protection, passwords, policies and more — the softest spot in any environment will always be its people. People are trusted to make decisions, and sometimes these decisions can be bad ones – just what a social engineering attack is looking for.

At Codero, our staff is regularly trained and subject to frequent drills and training. In addition, we actively follow industry security reports and keep our training and processes updated. Our staff’s goal is to protect information, to verify each person to whom they are interacting with, and to always be on the lookout for social engineering attempts. Social engineering attempts have gone from anomalous events, to persistent realities that no one is immune without steady information and awareness. In some support cases, digital identification has to be escalated to human interaction to protect the integrity of accounts. Account authentication, whether it’s online or over the phone, is but one level in this security challenge. This has to be maintained, reinforced and applied throughout the operation.

Our customer’s information is the precious cargo that makes our business run, so we pay the utmost attention to protecting it. We constantly monitor and rate our employee training in addition to our security in general to stay ahead of the curve of evolving attacker techniques and provide industry-leading security to our customers.


How We Handle Social Engineering

angryPunchLaptopRecently, an employee of one of our customers contacted our support center to attempt to gain access to the corporate account. Naturally, we have no inherent conclusive awareness of who is employed by our customers’ organizations at any given time. This individual had the right information, such as the names of current employees, the names of executives, dates, server names, and more, to suggest that our support could safely give them the information they requested. However, each of our customer accounts are world class and mission-critical. We never bend the rules. Our support team is always helpful, but we have contingency steps built on contingency steps to help protect your valuable accounts.

After our stringent verification processes, we discovered that this “employee” was actually a disgruntled former employee. They were denied access to company information, and the customers’ infrastructure remained safe and secure. The social engineer tried and tried through multiple attempts, but to no avail.

In addition to our expansive product portfolio and all of its benefits, by combining the ease of automation and management systems with the level of support driven by principled process, we are like no other hosting company in the industry. That was just one example of how the integrity of our operations, what we deliver to our customers, is so critical. We constantly work to achieve the best service for all of our customers.

We are always at your service. Lets us know how we can help.

Share on FacebookTweet about this on TwitterShare on Google+Share on LinkedIn