Social engineering is arguably the most unique form of cyber-attack. While most attacks rely heavily on IT skills and technology-based hacking tools, these make use of one of the oldest tricks in the book.
Social Engineering in a Nutshell
Despite what its name seems to imply, social engineering isn’t some highly advanced attack vector borne out of Web 2.0 technology. It’s actually something that makes use of the age old art of deception.
Social engineering isn’t designed to outright crack hardened servers, firewalls, or highly secure IT systems. It’s aimed at exploiting information security’s weakest link: the end users.
Social engineering is designed to take advantage of people’s naivety, impatience, and lack of a security-conscious mindset. It can come in the form of a business email message, a phone call from tech support, or even someone needing assistance.
Some of the most widely used social engineering techniques include:
- Phishing
- Pharming
- Pretexting
- Baiting
- Quid pro quo
The objective of a social engineering attack is always to get the attacker’s foot in the door. That means acquiring passwords, installing malware, finding or punching a hole in your defenses, or simply gaining trust that can be further exploited later.
Some Examples
Here’s an example of a phishing attack. One of your employees receives an email allegedly coming from the Disneyland Resort in Anaheim. The email declares he’s won tickets for two and that he just needs to download an attached pdf containing a form.
The problem is the email didn’t really come from Mickey Mouse and his pals and the pdf was really a malware installer. When the employee double-clicks the pdf to view the contents, the malware installs and infects his computer. Because that malware has the characteristics of a worm, it spreads to your entire network.
Another example. Someone calls in claiming to be a cyber security specialist from Linksys. He declares that they have an online threat monitoring system and it has detected signals from your network characteristic of a botnet. He adds that he would need to investigate further and that he would require your assistance to establish remote access. The caller is actually up to no good.
For some tech-savvy folks, these scenarios might seem so outlandish. But in fact, a lot of people fall for these. Why?
Why Social Engineering is Thriving
Before attackers carry out a social engineering attack, they do extensive research first.
Before emailing that employee regarding the promo from Disneyland, they already knew he’s been looking forward to trying Buzz Lightyear’s AstroBlasters, having missed it during his first visit.
How’d they know? There are a lot of ways but the biggest source of relevant information these days is also the most accessible: social media. Because of Facebook, Twitter, Instagram, and other social media sites, cyber crooks no longer have to hack into our computers to know where we work, what we want, where we’ve been, what’s in our bucket list, and a lot of other things about our personal lives.
In other words, a large majority of the information they need to conduct social engineering attacks is right at their fingertips.
Recommended Countermeasures
Social engineering can be countered through a combination of employee education, security policies, and the right security solutions. For example, you can set up spam/content filters and other similar solutions to counter phishing and pharming. Just be sure you configure these solutions properly. Otherwise, you could end up filtering out legitimate and important emails.
Would you care for a quick chat on the risks of social engineering and how we can help you mitigate them? Contact us now.
BRITECITY is an Orange County IT Services firm supporting local businesses in the area of Managed IT Services, Cyber Security, Cloud Services and Strategic IT.