Social engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. As an attack vector, SE relies heavily on tricking people into breaking normal security procedures.
In cybersecurity, the general public tends to think in terms of technology. This is not surprising since hackers attack and break into technological devices. Most people will likely point out to acquiring a new security appliance when asked what can be done to improve the security of their organisation. However, as much as these devices actually provide a level of security, the greatest risk is posed by end users. The human element in the security chain is the weakest link. This is what makes social engineering one of the most effective attack vectors to hackers.
Social engineering, and phishing in particular has been responsible for the successful compromise of many private and public sector entities and it is not difficult to understand why. Research has shown that Social Engineering has attributed to approximately 91% of all successful system compromise out there. Phishing (as defined in Wikipedia) is the attempt to obtain sensitive information such as usernames, passwords, credit card details for malicious reasons, often by disguising as a trustworthy entity in an electronic communication.
People tend to put too much faith in technology to protect them while hacking really is about finding the path of least resistance. Why crack an encrypted password when you can get someone to accidentally give you the unencrypted version? Why attempt to install a backdoor virus on your own when you can get an unwitting employee to plug in an infected USB drive? Some of the greatest hacks in history have been the result of social engineering and this will continue to be the case until more are educated on it.
As told in a story in the Washington post (here), hackers know what they do. Before crafting that e-mail, proper research on the target is done to ensure they understand as many facets of their target as there can possibly be. This also should not be surprising. That’s because Social Engineering depends on exploiting trust. See, if an attack is to target the HR of a company, it would make more sense disguising an e-mail as a CV application than a Sales report. A Sales report would be more suited to the Sales department. With this kind of trust, and a possible impersonation of a trusted partner, the victim will most likely open an electronic message and do as directed in that message.According to Kevin Mitnick, Social Engineers primarily target these human attributes, to gain what they want:
-Desire to be helpful
How to go about Social Engineering.
Social Engineers have the potential to cause some serious damage to their victims, which could be social, economical or reputational. It is now important more than ever to understand what precautions can be undertaken to prevent, alleviate and contain the devastation that can potentially be caused as a result of a Social Engineering attack.
- Physical Security For any security conscious business, first and foremost importance has to be strong physical security, enforced throughout the organization and consistently on everyone. Without tighter controls and lax security, attackers will have little trouble physically accessing stations, they need, to launch their digital attack. In addition, once clear and concise security policies are established and implemented, they should be periodically tested, to determine the state of security awareness among staff members, to resolve gaps, if any are identified. It is also equally important for the the staff to be continually reminded that the possibility of an attack is real, which can occur at anytime without warning. Some Physical Security items to look out for include:Having CCTV cameras in place. Reminding employees to not plug-in any USB drives or any other digital device they find around the premises and submit them to relevant depart for expert analysis.Remind employees to be vigilant and report any suspicious behaviour to security
- Internal/Digital Security Rolling out a series of digital protective services and software tools, to negate the risks of attacks. While this may not be completely effective against all forms of SE attacks such as tail-gating and and physical baiting, they however provide some partial protection and is better than nothing, When it comes to protecting digital data and assets, the more security measure undertaken, the better.Also, use of sandboxing mechanisms can be very productive. Sandboxing is the creation of an isolated virtual machine, use of which will protect the network from propagative malwares, with tendencies to spread itself over the domain, even if an employee inadvertently plugs-in a compromised USB flash drive into their computer. Use of sandboxing against some visual deception attacks is so effective, that some popular browsers i.e. Chromium or Firefox, have built in sandboxing technologies to prevent exploitation through Internet browsers.
- Implementation of efficient Security policy & procedures. It is imperative to have a concise and clearly defined set of rules for maximum effectiveness and should be available to all employees regardless of their ranks. One of the greatest benefit of enforcing security policies and procedures (i.e. policy on data protection, prohibition of business related information on social media, policies on the use of bring your own device-BOYD), is that not only it protects the company from intruder attacks, but also from potential lawsuits that may arise in case of a successful attack and crackdown from local authorities because of business non-compliance. In addition, a well maintained and regularly updated policy, which is the end result of comprehensive research, updated laws, lessons learned from previous attacks and derived from policies of other successful businesses in the same industry, can result in greatly reduced risks.The lack of clear security policy can in effect become the cause of overwhelming non-compliance among employees, leading to successful attacks and fines from authorities.
- Penetration testing.When a company has employed enough security measures and feel confident that it has protected itself from an attack, at that stage, it is a good idea to get a second opinion from an established and professional penetration tester. Primary purpose of a penetration test is to determine technical vulnerabilities and weaknesses in the network, systems and applications being used by the business. As well as testing the resilience of the company’s digital assets, many penetration testing firms also offer their services to determine the security outlook of business employees.By employing the same tactics as a malicious Social Engineer, but with company’s consent, an official penetration tester will attempt to access the system by human manipulation, direct hacking or using other tricks such as telephone pretexting, phishing, bating, tailgating or other browser based exploitation attacks. Once the simulated attack is over, the firm or professional leading the attack presents the employer with a detailed report of the vulnerabilities identified, probable causes of weaknesses and remedial strategies, which the business can follow to patch up the identified fragility.If the focus of simulated attack was internal employees, as well as infrastructure, then the company may also discover what human manipulation technique was used to gain access to the desired information. The information obtained can be very useful in hardening the network and employees in preparation for a real life attack.
- User training and security awareness. Because people are easily accessible and evidently more exploitable, compared to technology, the human element in businesses remains most vulnerable to Social Engineers. Policies to ensure strong passwords, two-factor authentications for work login, top of the range firewalls and IDS really do not matter if employees do not know the importance of keeping their pin, passwords and access card safe. The fact is, none of the security measures matters, because a company’s security is only as strong as their weakest link, which in this case is employees.Social Engineers and hackers have been aware, since the inception of technology, that the human link in any technology equation is always the most exploitable element. Humans are the mouldable key that can be easily manipulated to gain entry to any network, system or data. They know that the human heart and flesh is weak. Which is why the trend to access targets by ‘technology only’ is changing. Obtaining information from someone under false pretenses, manipulation, deceit and coercion is now conventional.In essence, the most effective mitigation strategy of dealing with Social Engineering is education. With periodic and systematic security training, guidance and frequent reminders on the need to stay on guard and staying vigilant against suspicious behavior, businesses can effectively turn their weakest link into the strongest.It is vital for employees to understand the significance of protecting sensitive information. As well as the importance to know how a Social Engineer might strike. With awareness they can develop the knowledge of various attack vectors and establish capability to differentiate between a dispersed or a direct attack. With education, employees can learn that a Social Engineer won’t directly say “Give me access code for the server room, please?”. Instead they will tie little pieces of information they have acquired over time, decipher cues and signals given to them by multiple employees and then join all the pieces of the jigsaw puzzle, to unearth the information they have been after.Although preparatory work for training and the actual delivery itself can be manually intensive and costly and the long term benefits may be uncertain at first, but this is the plunge companies will have to take if they wish to fortify themselves against Social Engineering attacks. Absolute security can never be guaranteed, but by playing smart and educating employees on security awareness, companies can turn their ignorant workers into educated and resourceful watchmen, essentially turning them from liability to an asset.