IT Compliance

CBC Social Engineering Audit

What is social engineering?

Social engineering is the use of manipulation to compel people to divulge confidential information. Often it refers to using that information or manipulation to gain access to or exploit a computer system.

What is a social engineering audit?

Community Banc Consulting of Ohio, Inc. employs the same methods as hackers and scammers, but in a controlled environment, to glean confidential information from your community bank. We will do this by exploiting weaknesses in your information technology security and in the preparedness of your employees.

How does social engineering affect a community bank?

Since most community banks now have firewalls that make it extremely unlikely that an attack will originate purely from outside the community bank's network, hackers will resort to gaining inside information or access to achieve their goals. They will use the techniques of social engineering to get the access and information they need to reach the bank's network and computer systems or to obtain confidential information. Other hackers will use the access just to be disruptive to normal business.

What are the techniques of social engineering that are used against community banks?

Some common techniques are listed below:

Pretexting - usually involves calling an employee with a fictitious scenario concocted to gain trust and information.

Phishing - often this technique uses legitimate-appearing email to trick bank employees into performing actions like entering information into bogus websites.

Spoofing - this attack is sometimes used in coordination with phishing. The attacker exploits flaws in the bank's email security to send legitimate-appearing email to bank employees with the goal of compelling them to divulge information.

Baiting - normally involves leaving some type of storage or media device where a bank employee will find it, with the hope that the victim inserts it into their computer and thereby downloads a Trojan or virus onto the system.

Quid pro quo - an attacker calls the bank pretending to be from the bank's technology vendor and tries to find someone who had a legitimate problem and who will then unknowingly grant them system access. Sometimes, the attackers use customer surveys and the promise of gifts for participating to get information.

What can a community bank do to combat social engineering?

The most important defense is to take a strategic, layered approach to information technology security. The more layers you have in place, the more information a hacker needs to gain access. Security layers combat the weaknesses that employees inject into the situation. Secondly, banks need to test and train their employees using social engineering audits.

If you would like more information about social engineering audits, contact us at:

Paul Elder 614-848-3189 ext 121 or email Paul
Larry Krietemeyer 614-848-3189 ext 143 or email Larry