11 Apr Social Engineering – Attacking Cyber Age with the Oldest Trick In the Book
Social engineering is arguably the most unique form of cyber attack. While most attacks rely heavily on IT skills and technology-based hacking tools, this one makes use of one of the oldest tricks in the book.
Social engineering in a nutshell
Despite what its name seems to imply, social engineering isn’t some highly advanced attack vector born out of Web 2.0 technology. On the contrary, it makes use of the age-old art of deception. Social engineering isn’t designed to outright crack hardened servers, firewalls, or highly secure IT systems. Rather, it’s aimed at exploiting information security’s weakest link – the end users.
Social engineering is designed to take advantage of people’s naivety, impatience, and lack of a security-conscious mindset. It can come in the form of a business email message, a phone call from tech support, or even someone needing assistance.
Some of the most widely used social engineering techniques include:
- Quid pro quo
- And others
We won’t go into the details of these techniques for now (although we might talk about them in future blog posts), but what we can tell you is this – the objective of a social engineering attack is always to get the attacker’s foot in the door. This means acquiring passwords, installing malware, finding or punching a hole in your defenses, or simply gaining trust that can later be exploited further.
Here’s an example of a phishing attack. One of your employees receives an email allegedly coming from Disneyland Resort in Anaheim. The email declares he’s won tickets for two and that he just needs to download an attached PDF containing a form.
The problem is, the email didn’t really come from Mickey Mouse and his pals, and the PDF was really a malware installer. When the employee double-clicks the PDF to view its contents, the malware installs and infects his computer. Because that malware has the characteristics of a worm, it spreads to your entire network.
Another example. Someone calls in claiming to be a cyber security specialist from Linksys. He declares that they have an online threat monitoring system and it has detected signals from your network characteristic of a botnet. He adds that he would need to investigate further and that he would require your assistance to establish remote access. Alas, the truth is, the caller is actually up to no good.
To tech-savvy folks, these scenarios might seem outlandish. But in fact, a lot of people fall for them. Why?
Why social engineering is thriving
Before attackers carry out a social engineering attack, they do extensive research first. For example, before emailing that employee about the Disneyland promo, they already knew he’d been looking forward to trying Buzz Lightyear’s AstroBlasters, having missed it during his first visit.
How’d they know? There are a lot of ways, but the biggest source of relevant information these days is also the most accessible – social media. Because of Facebook, Twitter, Instagram, and other social media sites, cyber crooks no longer have to hack into our computers to know where we work, what we want, where we’ve been, what’s on our bucket list, and a lot of other things about our personal lives.
In other words, all (or at least a large majority of) the information they need to conduct social engineering attacks is right at their fingertips.
In the workplace, social engineering can be countered through a combination of employee education, security policies, and the right security solutions. For example, you can set up spam/content filters and similar solutions to counter phishing and pharming. Just be sure you configure these solutions properly. Otherwise, you could end up filtering out even legitimate and important emails.
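To make the "configure it properly" point concrete, here is a small heuristic mail filter written as an added example (it is not code from the original post or from any vendor's product). It scores an inbound message on the signals the phishing scenario above exhibits: a Reply-To that points somewhere other than the claimed sender, prize-and-urgency wording, and a dangerous or double-extension attachment such as a "PDF" that is really an executable. The domains, thresholds and the three sample messages are constructed for the example; the allowlist is what keeps a legitimate, urgently worded HR mail with a macro-enabled attachment from being quarantined, and the code shows what happens to that same mail when the allowlist is left empty.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed organisation and vendor domains (placeholders, not real deployments).
ALLOWLIST = frozenset({"example.com", "payroll-vendor.example"})

# Attachment types that commonly carry droppers, and double extensions that
# disguise an executable as a document ("form.pdf.exe").
RISKY_EXT = re.compile(r"\.(exe|scr|js|vbs|jar|bat|cmd|hta|lnk|docm|xlsm)$", re.I)
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|jpg|png)\.[a-z0-9]{2,4}$", re.I)

# Prize / pressure phrasing typical of phishing lures.
URGENCY = re.compile(
    r"(you(?:'ve| have) won|act now|immediately|urgent|verify your account|within 24 hours)",
    re.I,
)

QUARANTINE_THRESHOLD = 4  # illustrative value, not a tuned recommendation


def domain_of(header_value):
    """Lower-cased domain of an address header, or '' when absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def score_message(raw, allowlist=ALLOWLIST):
    """Return (score, reasons) for a raw RFC 822 message string."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    if from_dom in allowlist:
        return 0, ["sender domain allowlisted"]

    score, reasons = 0, []

    # 1. Replies would go to a different domain than the visible sender.
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        score += 2
        reasons.append(f"Reply-To domain {reply_dom} != From domain {from_dom}")

    # 2. Attachment names: risky types or a document extension hiding another one.
    text = msg.get("Subject", "")
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name:
            if DOUBLE_EXT.search(name) or RISKY_EXT.search(name):
                score += 3
                reasons.append(f"suspicious attachment name {name!r}")
        elif part.get_content_type() == "text/plain":
            text += "\n" + part.get_payload(decode=True).decode("utf-8", "replace")

    # 3. Urgency / prize wording in subject and body, capped so wording alone
    #    cannot push an otherwise clean message over the threshold.
    hits = URGENCY.findall(text)
    if hits:
        score += min(len(hits), 2)
        reasons.append("urgency wording: " + ", ".join(hits[:2]))

    return score, reasons


def disposition(raw, allowlist=ALLOWLIST):
    score, _ = score_message(raw, allowlist)
    return "quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"


def build(frm, subject, body, reply_to=None, attachment_name=None):
    """Construct a sample MIME message for the demonstration (test data only)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = frm, "employee@example.com", subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"\x00constructed", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_string()


# Constructed samples: the lure from the post, a real HR notice, a vendor invoice.
PHISH = build('"Disneyland Resort" <promo@dlr-promos.example>',
              "You've won tickets for two!",
              "Congratulations! Act now: download the attached form to claim your prize.",
              reply_to="claims@prize-desk.example", attachment_name="Claim_Form.pdf.exe")
HR_MAIL = build("HR <hr@example.com>",
                "Urgent: benefits enrolment closes within 24 hours",
                "Please complete the attached form.", attachment_name="enrolment-form.docm")
VENDOR = build("Vendor Billing <billing@vendor-co.example>", "Invoice 4471",
               "Please find the invoice attached. Thanks.", attachment_name="invoice-4471.pdf")

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("hr", HR_MAIL), ("vendor", VENDOR)):
        print(label, disposition(raw), score_message(raw))
    print("hr without allowlist:", disposition(HR_MAIL, frozenset()))
```

Run as a script, the lure is quarantined (score 7), the vendor invoice is delivered, and the HR notice is delivered only because its domain is allowlisted; with the allowlist emptied the same notice scores 5 and would be quarantined, which is exactly the misconfiguration the paragraph warns about.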
Would you care for a quick chat on the risks of social engineering and how we can help you mitigate them? Contact us now.