An official website of the United States government
Here's how you know
A .mil website belongs to an official U.S. Department of Defense organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .mil website. Share sensitive information only on official, secure websites.

TCM highlights National Cyber Awareness month: shows danger of social engineering

  • Published
  • By Nathaniel Bozeman
  • 376th Expeditionary Communication Squadron
Ten years ago, the Department of Homeland Security introduced National Cyber Security Awareness month in October to raise the profile of information security issues and the need for action. In recognition of this, I would like for us to raise our awareness of social engineering.

What in the world is social engineering?

Social engineering is the name for computer-security cracking techniques commonly known as hacking, that rely on weakness in human nature rather than weaknesses in hardware, software or network design. The goal of social engineering is to trick Airmen or Department of Defense contractors into revealing passwords, network vulnerabilities or other information that will help the hacker gain access to important data. By using social engineering, even someone with lousy computer skills can find his or her way into a supposedly secure computer system in order to access, modify or destroy targeted data.

Social engineering failures are costly yet avoidable. Scottish hacker Gary McKinnon, was accused of hacking into several U.S. military computers in 2001 and 2002. McKinnon allegedly wanted to know what the government knew about UFOs. Military officials credit McKinnon with deleting critical files from operating systems, prompting a shut-down of the U.S. Army's Military District of Washington network of 2,000 computers for 24 hours.

Another unfortunate event was the theft of Department of Veteran's Affairs (VA) laptop with a national database with names, Social Security numbers, dates of births and some disability ratings for 26.5 million veterans, active-duty military personnel and spouses. The laptop and accompanying external hard drive were both stolen in a burglary from a VA analyst's Maryland home. The VA estimated it will cost $100 million to $500 million to prevent and cover possible losses from the theft.

A question readers should ask is, "How do I, as a non-cyber operator, help protect our network from social engineering attacks?"

The first and easiest step you can take is to remove your common access card from your office computer before leaving your desk.

Second, you can challenge strangers in the hallways you do not recognize as members of your unit. Just because unrecognized individuals look like "VIPs" does not mean that they should loiter in the hallways of your unit unchallenged.

The third step is to encrypt information on a hard drive or when sending an e-mail with personal identifiable information. Personal identifiable information  is information such as social security numbers or your mother's maiden name. Hopefully, you are not exposing PII in the open without safeguards.

Fourth, you should actively shred labels and not simply dump them in the trash or recycle bin. Shredding everything is the correct answer.

The last step to take in defending against social engineering is to keep work conversation at work and not in town where people can eavesdrop on your conversation.

Please adhere to the simple, yet critical, steps to defend against social engineering attacks mentioned above. Always keep in mind that there will never be an environment where there is a zero percent chance of a social engineer attack. Second, understand that the moment you think you are safe and let your guard down is the very second a social engineer takes advantage of our network.