However strong the protection around computer systems, there is always the human element to be considered and often it is accidental mistakes or deliberate oversights by people that lead to or make possible data breaches, hacking and other assorted security problems.
“Social engineering” is often the first step in malicious hacking. It can enable attackers to gain physical access to a target's devices and networks or get login and password details etc.
“Social engineering” simply means tricking a person into giving you the information or access you want – generally without their realising what they’ve done and what the consequences could be. This is normally done through some form of deceit – an email claiming to be from the CEO or a caller claiming to be IT support etc.
This normally requires the scammer to spend time learning about his victims – by accessing social media, news articles, making calls and asking questions of people who know the intended victims, but for the scammer it is often easier than direct systems hacking.
People are usually a company’s weakest link in terms of security. For example, in 2007, a man took 28 million dollars in diamonds from the ABN AMRO bank. He achieved this by posing as a successful businessman and over a year gained the trust of the employees until they gave him what he wanted – access to the security boxes – and he took the diamonds.
Threats from outside of the business are most people’s idea of cyber-attacks. These can be information gathering, without giving the game away that there is a breach, or could be straightforward attacks. Sometimes these can last for many months until the hackers have exactly what they want. This information helps the attacker construct emails and call scripts with which to encourage the victim to divulge the information wanted.
Threats from inside the business can be a bigger risk than external threats.
The Information Security Forum (https://www.securityforum.org/) conducts research and surveys to keep up to date on what’s happening in security. Their classification of insider breaches identifies three basic types of insider behaviour that can lead to security problems. The categories are:-
· Malicious: Malicious insider behaviour combines a motive to harm with a decision to act inappropriately. An example is the disgruntled or conniving employee who turns over sensitive proprietary information to a competitor after being terminated or for payment.
· Negligent: Negligent behaviour can occur when people look for ways to avoid restrictions they feel impede their work. While most have a general awareness of security risks and recognize the importance of compliance, their workarounds can be risky. The same applies to responding to phishing messages, careless password management, misplacing devices containing privileged information, or visiting an infected website.
· Accidental: ISF members report that completely inadvertent breaches are more common than malicious ones.
According to a worldwide survey of ISF members, the vast majority of those insider-originated network openings are created without any intention of harming their employer.
For example, the high-ranking military man or woman who takes home confidential files, unwittingly making it easier for someone to steal them.
A typical accidental breach might involve misspelling an email address (often compounded by the autocomplete feature), which results in the message and its attachments going to the wrong person.
Social Engineering Techniques
Social Engineering can be face-to-face, by telephone, letter or online. If online, it is likely to try to persuade you to click on a link, open an attached file, install malware or visit a website set up to con you into giving up confidential information e.g. login and password, date of birth, credit card details etc.
If it is about installing malware, this could be a virus or a Trojan, which pretends to be something harmless but contains a payload that can get your information, e.g. a keylogger that, once installed, records every key press on the keyboard and sends that data to the scammer. It could also be some other software that enables the attacker to gain access to your systems.
Social Engineering messages are designed to appeal to people in multiple ways, such as:-
· Ego “You’re a winner”, “You’re one of a limited number of recipients of this special offer”, “Lose 20 lbs with no effort”
· Caring “Everyone needs to know about this new cancer cure”, “Help the poor islanders swamped by the tornado”, “I am giving you this huge sum of money to donate to good causes”
· Financial desires “All your financial problems are solved”, “You can join the experts in this opportunity”, “Your dreams will come true”
Social engineering can be carried out by phone – usually known as Vishing, by text message, by email or in person.
Often, to carry out a scam, the criminals will investigate their victims and learn about them through social media, official records, phone calls pretending to be someone in authority, bin diving etc. We all have a lot of information about us easily accessible via the Internet.
Scammer in Person
You may think of people who do this as con artists or confidence tricksters, e.g. the person who blags their way past security to get into a building to steal purses or documents or computer devices etc., the person who investigates employees then makes a fake ID card to get into a secure building etc., or even the simple on-the-street frauds where you are approached by someone in uniform claiming you dropped litter and have to pay a £100 fine immediately or go to jail.
How to Protect Against Social Engineering Attacks?
Education is the key to better protection. All staff need to be educated on how scammers operate, phishing scams, social engineering and how to deal with potential attacks.
No matter how secure a network, device, system, or organization is technically, humans can often be exploited, manipulated, and taken advantage of, and organisations should plan to deal with such eventualities.
Individuals should be vigilant regarding emails, unsolicited phone calls, or in-person interactions that attempt to get people to reveal personal or sensitive information, or require going to an unfamiliar website or installing an unfamiliar program.
If you have any experiences with scammers, spammers or time-wasters do let me know – go to the About page then Contact Us.