I’m amazed every single day by the way people think about everyday security inside companies. Big or small, everybody has weaknesses that go unnoticed until disaster strikes.
Whether it’s an employee, a disgruntled employee or an external entity who has gained access to your company doesn’t matter much. Any of them can bankrupt your company instantly when the job is executed correctly and no disaster recovery plan is in place.
The best way to convince management that they need a disaster recovery plan is to burn down the building across the street.
It’s evident that you have to make backups of your systems. But who ever checks whether the backups are valid and not corrupted? Who scans them for viruses? Who stores them offsite? Who stores them in multiple locations, even? If you do, how are those locations secured? Probably not as well as the location of the (file) servers you’ve just backed up. I would love to have a backup restored that I’ve injected with an exploit after corrupting the original files/drives.
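One answer to “who checks whether the backups are valid” is a content manifest taken at backup time and kept apart from the backup media, then compared against the restored tree before anything is put back into service. The following is an added example, not code from the original post; the directory layout and file contents are constructed for the demo, and it assumes the manifest is stored somewhere the backup media cannot alter.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup sets do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest recorded at backup time.

    Three classes of drift matter to a defender: files that vanished, files
    that were not in the original set, and files whose content changed.
    """
    current = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "unexpected": sorted(set(current) - set(manifest)),
        "modified": sorted(k for k in manifest
                           if k in current and current[k] != manifest[k]),
    }


def demo() -> dict:
    """Constructed scenario: record a manifest, restore a copy, then alter the copy."""
    base = Path(tempfile.mkdtemp())
    src, dst = base / "fileserver", base / "restored"
    (src / "docs").mkdir(parents=True)
    (src / "payroll.csv").write_text("id,amount\n1,100\n")
    (src / "docs" / "policy.txt").write_text("keep offsite copies\n")
    (src / "config.ini").write_text("[db]\nhost=internal\n")
    manifest = build_manifest(src)                 # kept separately from the backup
    shutil.copytree(src, dst)                      # stands in for a restore
    (dst / "config.ini").write_text("[db]\nhost=changed-after-backup\n")  # altered
    (dst / "docs" / "extra.bin").write_bytes(b"\x00not in the original set")  # added
    (dst / "payroll.csv").unlink()                                            # dropped
    result = verify_restore(manifest, dst)
    shutil.rmtree(base)
    return result
```

A restore that reports anything but three empty lists should not be trusted until the difference is explained; a clean report only proves the files match the manifest, so the manifest itself still needs to be protected from the same tampering.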
Regardless of any digital security systems you have installed, no matter how 5-star your IDS/IPS is, if I walk into your building and shake your hand, you can be pretty darn sure I have a goal in mind. I could be the printer service guy who comes in to do maintenance on your office printers…
Not many people know that most network printers are basically unsecured computers hooked up to the company network, with the WORST SECURITY EVER when it comes to password protection and storage. “Within 5 minutes I’ll be able to get the admin passwords for the network, resulting in me owning your company network and data.”
This is just one simple form of social engineering. The main rule is that people who seriously mean to do harm don’t care at all how they reach their goal. They feel no remorse; they have no morals. They will do whatever it takes to get what they want.
On any geek website you can buy USB keyloggers, mini pen cameras and several other small spying tools, with next-day delivery. This is very scary: there are keyloggers that don’t even need to be recovered. They send their logs via wifi / 4G to an email address, so the social engineer just plugs one in and leaves. An even more evil version installs itself on the user’s computer unnoticed.
Humans have a natural tendency to trust, and this is the vulnerability that social engineers exploit, and will keep exploiting very successfully until the end of time as we know it. Being protected against social engineering is far more important than being protected against any other form of hacking. As long as people click on an email or do what someone asks them to do over the phone, IPS/IDS and firewalls stand no chance.