Social Engineering In The Digital Age

Posted: December 11, 2013 in Articles

Social engineering is perhaps one of the oldest tricks in the book and one of the easiest ways to undermine security, and it often requires little in the way of technical knowledge.

It is essentially a confidence scam used to obtain information that can then be used in an attack or security breach. Like all cons, it takes many shapes and forms.

Common Forms of Social Engineering

Phishing is one of the most common ways of tricking users into handing over information. It usually involves emails that target a specific business and are designed to look legitimate. Phishers often go to great lengths to make their emails look and feel genuine, which makes them difficult to detect. If they are not custom-designed for an individual target, phishing emails can often be identified with some simple investigative research on your part, or even a Google search, since past instances of similar attempts are likely to have been documented online.

Baiting is an even more direct and targeted form of social engineering. In most cases, however, it cannot be pulled off remotely: the attacker has to leave an infected flash drive or DVD, carrying an intriguing label, somewhere employees will find it. For example, if the disc appears to contain salary information, an employee may pick it up without telling anyone and try to view its contents, compromising their machine in the process. Identifying baiting attacks can be very difficult, but basic security training can reduce the risk dramatically.

Another direct form of attack, one that usually involves plenty of research, is pretexting. It is essentially an elaborate lie designed to draw employees into a conversation or email exchange under an invented pretext, and that exchange can yield valuable information. Attackers may impersonate coworkers, tech support, or authorities, or assume just about any other identity.

Other common techniques include diversion, piggybacking through secured doors, using stolen ID cards or entering restricted areas thanks to the carelessness of other employees, breaking into private email accounts to gather information on the target, and creating hoax threats such as fake virus warnings. An attacker can even gain valuable information by rummaging through the trash. Of course, several techniques can be combined in a single attack, and an attacker can devise an entirely new technique for a specific target.

How Can You Protect Yourself?

Because social engineering usually involves research and a hands-on approach, effective countermeasures can be difficult to put in place.

  • Education and training are vital in combating social engineering. The human is the weakest link in every security system, and social engineering is designed to exploit exactly that link.
  • Employees must be made aware that social engineering is a real risk and that an attack can come at any time and in many forms.
  • Employees must be properly trained to recognize commonly used social engineering tactics and to report them as soon as they become suspicious – even if one employee didn’t fall for the trick, others could.
  • Sound security protocols must be put in place, making it clear to employees that simply plugging in a USB stick found in the parking lot can lead to an attack.
  • Testing, testing, and more testing – all the safeguards mean nothing if they are not put to the test. Security firms provide such services, and you’d be surprised how many people fall for the old “executive salaries” disc trick.

Of course, all the protocols need to be reviewed from time to time, either to address shortcomings identified in testing or to meet new challenges and threats. By the time the company identifies an attack it is usually too late, so employees must be encouraged to share information, even if that means reporting their own embarrassing mistakes. Social engineering is a mind game, and it plays on people’s vanities, among other emotions.

Author Bio:

Katie Morris is an experienced writer working in the technology, security and computer threat fields.
