Social Engineering Attacks: Common Techniques and How to Prevent Them

By Fortra's Digital Defense

Most companies spend significant time and energy protecting sensitive data from hackers by investing in the latest firewalls, anti-virus software, and access control management solutions. However, all this effort is useless without considering the human factor.

Social engineering is the most powerful tool in a hacker's arsenal and can help them gain access quickly, quietly, and easily into your network. If you want to protect your data and maintain your reputation, take some time to understand how social engineering jeopardizes your entire cybersecurity system.

 

What is Social Engineering?

The concept of social engineering is simple: using human psychology and emotion to gain access to sensitive facilities and networks. Every person is vulnerable to manipulation; forgetting this is one of the most common security mistakes in any company.

The term came into prominence after Kevin Mitnick, a famous hacker, used incredibly straightforward techniques to break into dozens of computer networks. He remained connected and on the run for two and a half years.

Since his inevitable brush with the law in 2000, Kevin has consulted on social engineering and its role in cybersecurity. The FBI and many Fortune 500 companies have hired him to do social engineering penetration testing on their systems to identify potential vulnerabilities.

There are plenty of tactics used in social engineering, but these tend to follow a life cycle:

  • Preparing the ground includes identifying the right victim and gathering background information. Once the attacker has the target and some information, they select a method of attack.
  • First engagement (the hook) allows the attacker to build rapport with the victim by spinning a story. If the victim trusts the attacker, the interaction continues. The attacker won't ask for any information until this trust has been fully established.
  • Obtaining information (the play) is the longest stage of the interaction. The play phase helps the attacker milk the victim for the necessary information. The length of this interaction depends on how many details the attacker wants to extract.
  • Exit happens once the attacker has enough information to proceed with the deception. It may include bank account details, a social security number, or access to sensitive data. They will cover their tracks and end the contact without arousing suspicion.

What makes social engineering so concerning is that exploiting human psychology is much easier than you'd think. People are naturally helpful and self-serving, and both traits are easy to exploit in the pursuit of information or access to restricted networks.

 

Social Engineering Attack Techniques

There are plenty of social engineering tactics that will deliver sensitive information into the hands of potential criminals. Some social engineering techniques don't even require personal interaction and are exclusively online.

Reliable security awareness training should include detailed information about social engineering hacks. While understanding these techniques won't make everyone immune to them, the knowledge will help foster a renewed vigilance that may help curb potential data security concerns.

Baiting

Baiting is a common social engineering attack that relies on exploiting someone's greed or curiosity. The attacker will tempt the victim with something attractive or valuable (bait) and then exploit this response to their own ends.

One of the simplest yet most effective examples of a bait attack is leaving a malware-infected flash drive in a conspicuous public area. The attacker will mark the flash drive as something interesting, like 'company payroll.' Any curious onlooker will pick up the drive, and the chances are good that they will insert it into their work PC.

Instead of insider information or juicy gossip, the flash drive will quickly infect the computer with malware that reports back to the attacker with personal information, such as credit card numbers, login credentials, and other damaging secrets.

The online version of this scam is similar, with web-based ads promising great sums of money or other enticing products to encourage the end-user to install a malware-riddled app.

Scareware

Scareware generates fictitious threats to spur users into irresponsible actions. An example of this is the pop-up that tells you that your computer has a virus and that you should install a particular anti-virus software. These ads tend to be bright, flashing large warnings across your screen to add to the sense of urgency. The desired effect is often achieved as shocked people download the malware or visit the malicious website.

Pretexting

Pretexting is one of the most common forms of social engineering, especially since it underpins many other types of attack. It is the fabricated story that casts the social engineer as someone trustworthy and reputable.

Pretexting often requires a significant amount of research, especially if social engineers are trying to obtain sensitive information by impersonating a real individual. The lie can be as simple as pretending to be an insurance salesman and wearing a cheap suit, all the way to deep-cover operations that study every detail of the person being impersonated.

The main reason social engineers use the pretext angle is to establish a veneer of legitimacy. People won't trust someone in ragged jeans and a hoodie, but they will typically relate to someone who looks important or endearing.

Phishing

Phishing is one of the most common types of social engineering because it is both easy and effective. It uses emails, phone calls, or messages to create a false sense of urgency or to trick people into giving away confidential information, such as banking details, login credentials, or a social security number.

What makes phishing so effective is that it relies on bulk emails. Social engineers will often get one 'bite' from sending out thousands of emails, so the method saves them time and effort. Since these emails look legitimate, many people struggle to tell the difference between a phishing attack and a real banking or insurance email.

The most successful phishing attacks of the past have been on banking sites. Victims receive an innocuous email saying that their account has been compromised. It usually asks the recipient to re-enter their username and password through the "official channels" and provides a link or login window that hands those details to the attacker.

Once the attackers have this information, they access the bank account and steal the money before disappearing into cyberspace.

However, since phishing attacks have become so popular, companies have started to take action. There are now common practices like blocking known phishing emails that are sent from the same mail server or offering different verification tools to help users distinguish a legitimate email from a fake one.
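One such verification check, written as an added example rather than anything from Fortra's post: it flags a message whose Reply-To domain differs from the sender's domain, and any link whose visible text names one domain while its href points to another, the pattern the fake "account compromised" email relies on. The sample message, its domains and the heuristics are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample (not a real message): the visible link text names the bank,
# while the href and the Reply-To header point somewhere else.
SAMPLE_EMAIL = """From: "Example Bank Security" <alerts@examplebank.test>
Reply-To: recover@mail-verify.test
Subject: Your account has been compromised
Content-Type: text/html

<p>Please confirm your username and password at
<a href="http://examplebank.login-verify.test/reset">https://www.examplebank.test/login</a></p>
"""

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Only compare link text that itself looks like a URL or hostname; "click here" is skipped.
URLISH_RE = re.compile(r"^(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:/\S*)?$")

def host_of(url_like):
    """Hostname of a URL, tolerating a missing scheme."""
    parsed = urlparse(url_like if "://" in url_like else "http://" + url_like)
    return (parsed.hostname or "").lower()

def registrable_domain(host):
    """Last two labels of a hostname (crude; real code should use a public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def address_domain(header_value):
    """Domain part of an address header such as From or Reply-To."""
    match = re.search(r"@([A-Za-z0-9.-]+)", header_value or "")
    return match.group(1).lower() if match else ""

def phishing_indicators(raw_message):
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw_message)
    findings = []
    sender = registrable_domain(address_domain(msg["From"]))
    reply_to = registrable_domain(address_domain(msg["Reply-To"]))
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To domain {reply_to} differs from sender domain {sender}")
    body = "" if msg.is_multipart() else msg.get_payload()
    for href, text in ANCHOR_RE.findall(body):
        shown = text.strip()
        if URLISH_RE.match(shown) and registrable_domain(host_of(shown)) != registrable_domain(host_of(href)):
            findings.append(f"link text shows {host_of(shown)} but points to {host_of(href)}")
    return findings
```

Run against a mail gateway's quarantine or a user's "report phishing" submissions, the findings list gives a plain-language reason that can be shown to the recipient, which is the kind of cue the verification tools mentioned above provide.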

A recent victim was AT&T, which suffered a targeted phishing campaign earlier in the year. The phishing page was almost identical to the AT&T employee login menu. Fortunately, the company's use of multifactor authentication was enough to save AT&T from a costly security breach.

Spear-Phishing

The AT&T example is a good demonstration of spear-phishing, the targeted version of phishing. It will focus on one business or employee, tailoring the pretexting to a specific end. Spear-phishing requires significantly more work and effort than a normal attack, though.

The extra work also means that these attacks are significantly less conspicuous, and it's easier for an employee to fall for the ruse.

Watering Hole

Some social engineering attackers prefer victims to come to them. A watering hole is an attack where the hacker inserts malicious code into a commonly visited website (the watering hole) and waits for the victim to arrive.

Watering hole attacks are an excellent way for attackers to gain access to a company's computer systems. They only need to find vulnerabilities in a popular website and wait for the target to visit it. Once they have appeared, the attacker acquires a ‘back door’ into the target's device and can access all their personal information.

Whaling Attack

Another common example of spear phishing is CEO fraud, where the social engineer poses as the head of the victim's company. Some people refer to this as a 'whaling attack' since the perpetrator pretends to be a 'big fish' in the company.

Generally, the email looks identical to the real thing, tricking employees and team members into providing the requested personal information or sensitive data and sending it to the fake CEO.

Quid Pro Quo

Quid pro quo, or ‘something for something,’ isn't exclusive to cybersecurity. However, it is an extremely effective attack method that most companies don't factor into their cybersecurity or risk profile.

In the information security sense, quid pro quo is bribery or exchanging information for something valuable. As a common social engineering attack, it can be devastating for your organization. Think of the damage if you have a disgruntled IT specialist who is willing to trade your network architecture or physical location blueprints for money.

 

Social Engineering Prevention

Even common social engineering tactics have a huge impact on your company. Industry giants like Target can suffer from internal phishing attacks that leave their entire network vulnerable. Larger companies are generally more appealing to social engineering attackers, and once a breach succeeds, the data they hold can soon end up in the open.

Since most social engineering attacks rely on human emotion and psychology, it is extremely difficult to guard against them in a corporate setting. Even educated and security-conscious employees fall for these schemes as attacks become increasingly sophisticated.

 

Tips for Defending Against Social Engineering Attacks

The best way to deal with social engineering scams is to educate your employees at every level of the business. A business email compromise at the highest tier leads to CEO fraud, and users at lower levels should understand not to click on suspicious links or accept outlandish offers, no matter how legitimate the email appears.

Common social engineering tactics target everyone, including employees, individuals, and team members. Here are some of the best methods to defend against these deceptive techniques:

  • View attachments with extreme caution. Email attachments are a hotbed of viruses, spyware, and malware. Hackers easily get hold of an email account and use its contact list to distribute malicious code to everyone on it. Unless you've specifically asked for an attachment, or it comes from a known source that you trust completely, don't open it, and delete the email as well.
  • Keep your devices locked and protected. It might feel like a hassle to enter your password every time you want to access your device, but it's a security feature that's worth the effort. Unsecured devices are prime targets for attackers. Lock your workstation when you're not at your desk and keep all your anti-virus and firewall systems updated.
  • Don't fall for miraculous opportunities. If it sounds too good to be true, stay clear of it. Social engineering relies on greed and inquisitive minds, so keep away from amazing offers that “only require you to give away your social media login details” and other cheeky requests.
  • Never give away your username and password. Nobody legitimate will ever ask you for this kind of information. Don't trust any email that does, no matter how authentic it seems. If it asks for your login data or password, it is not a safe space.
  • Use multifactor authentication. A username and password aren't enough to curb modern security threats, no matter how complicated you make the combination of words, letters, and symbols. User credentials are a prime target for social engineering attacks, and multifactor authentication presents a massive barrier for any potential infiltrator. 

Multifactor authentication is an excellent way to curb the flow of malware and other dangerous schemes. Even simple two-factor authentication adds a powerful layer of security. Even if a social engineering attack obtains user credentials, it won't gain entry to the rest of your network when there are multiple hoops to jump through.

 

Combining Threat and Vulnerability Management

Social engineering is only a small part of a comprehensive vulnerability management policy. Information security is about protecting data from unauthorized entry, which means understanding the threats that your network faces and the vulnerabilities in your current security solution.

Users and organizations face a shifting landscape of security and risk, which evolves daily. The era of the Nigerian Prince scam may be over, but people will still fall for obvious social engineering attacks. One solution is to educate users on recognizing these attacks—make sure your employees, friends, and family know when new attack methods surface.  

Every company needs to be proactive in protecting their data and users. The best way to do so is to combine threat assessments with vulnerability management. Digital Defense's vulnerability and threat management solutions can help your organization guard against new threats that emerge by actively searching these out before some malicious attacker takes action against you or your company.

 

Network Vulnerability Management

Cyber attacks can happen at any point in your network. Application vulnerabilities give attackers an entrance at the front door of your network, but there are also plenty of ways for attackers to sneak through a back door.

Digital Defense network vulnerability management focuses on preventing access via the back door, evaluating firewalls, anti-virus programs, and threat detection systems. However, it won't be enough if these systems ignore their users and the role that social engineering plays in a network's weak spots.

The best way to make sure your data is safe is a comprehensive simulation. For example, penetration tests address every aspect of your organization's network, allowing your security team to identify weaknesses and explore the consequences of data loss should these attacks succeed.

 

Conclusion

You can have the most robust cybersecurity solution in the world, but if you don't pay attention to social engineering, you will still leave your company exposed to attacks.

Security is vulnerable to the human element, which is why it's so important to keep social engineering in mind. Users inadvertently give away an email address or user credentials, and one slip will give unwanted intruders access to your network and important data.

While education and constant reinforcement help users discover and respond to social engineering threats, you should also consider alternatives to protect your data. Install multifactor authentication, limit user access to vital data, and be sensitive to employee mood, especially among employees with elevated access to important systems.

Digital Defense is the premier security consultancy for organizations of every size in the United States and beyond. We understand the human component of cybersecurity and how it interacts with other protections you have in place. 

If you're concerned about security, we're the company to call. Find out how to better protect your data with Digital Defense—follow us on Twitter, check out our blog, or drop us an email.

About Digital Defense

Our cloud-based SaaS platform supports Fortra Vulnerability Manager, Web Application Scanning, and Active Threat Sweep that together provide:

  • Asset discovery and tracking
  • OS and web application risk assessment
  • Targeted malware threat assessment
  • Machine learning features that leverage threat intelligence
  • Agentless & agent-based scanning
  • Penetration testing for networks, mobile applications, and web applications
  • Compliance management. One of the world’s longest tenured PCI-Approved Scanning Vendors

The Fortra VM platform virtually eliminates false-positives associated with legacy vulnerability management solutions, while also automating the tracking of dynamic and transient assets and prioritizing results based on business criticality. Learn more.

Contact us at 877-871-8045 and get a quote today!

About the Author

Mieng Lim, Vice President, Product Management, has served as a security expert for Digital Defense, Inc. since 2001. Mieng takes a consultative approach to security, having held prior roles in Operations, Quality Assurance and Sales Engineering. Mieng seamlessly blends technical expertise with real-world scenarios to provide an entertaining and educational cyber security perspective. Mieng serves as a mentor and STEM advocate encouraging young women to pursue careers in security and technology and volunteers with BSides San Antonio as a staff member. Mieng holds a Bachelor's Degree in Computer Science with a Minor in Sociology from Trinity University.
