Non-technical Security Threats: Social Engineering

Posted by Tobias Eichenseer Thu, 13 Nov 2014 15:44:00 GMT

Consider this common business scenario: a business has invested in network firewalls, modern authentication techniques, the latest encryption technology, and other security technologies, but a social engineering attack could bypass all these defenses. A firewall cannot protect against users being tricked into clicking on a malicious link they believe came from an old friend.

What is Social Engineering?
The term “social engineering” refers to the non-technical type of intrusion that mainly relies on human interaction and commonly involves tricking people into breaking normal security procedures. In simpler words, social engineering can be regarded as a scam or fraud – people are scammed into giving away valuable data, including passwords.

Examples
Social engineering is normally considered the easiest and most successful type of attack, and can come in several forms.

In the office
Social engineers may easily enter the organization’s building physically without arousing suspicion. A common practice used by social engineers to enter a secured building unnoticed is to hang out in the smoking area and wait to be let in by an unsuspecting employee.

On the phone
One of the most traditional methods is to call a person and ask them questions – a social engineer might pretend to be a trusted authority. Phone-number spoofing is another common practice amongst social engineers – a different number shows up on the target’s caller ID. The criminal could be calling from his/her home, but the number that shows up on the caller ID appears to come from within the company.

Online
Criminals also take advantage of the Internet. When someone types in a URL that is only one letter off, they can instantly end up somewhere they did not intend. Rather than reaching the site they meant to visit, unsuspecting users who make typing errors land on a fake site that has one of the following aims: to sell something, to steal something, or to push out malware.
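The typo-URL trick described above can be caught on the defender's side by comparing the domain a user is about to visit against the organisation's known-good domains and flagging anything that is only an edit or two away. The script below is an added example, not code from the original post; the trusted-domain list, the homoglyph table and the sample URLs are constructed for illustration, and the edit-distance routine is the standard optimal-string-alignment (Damerau-Levenshtein) distance.

```python
"""Flag URLs whose registrable domain is one or two edits away from a trusted domain.

Added example, not part of the original post. TRUSTED_DOMAINS, HOMOGLYPHS and
the URLs in main() are constructed sample data.
"""
from urllib.parse import urlparse

# Constructed allow-list of domains the organisation legitimately uses.
TRUSTED_DOMAINS = {"example.com", "examplebank.com", "login.example.com"}

# Constructed table of visually similar substitutions seen in look-alike domains.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(host: str) -> str:
    """Lower-case the host and fold look-alike characters into their plain ASCII form."""
    host = host.lower()
    for glyph, plain in HOMOGLYPHS.items():
        host = host.replace(glyph, plain)
    return host


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance: insert, delete, substitute, adjacent transposition."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + cost)
            # Count "exmaple" -> "example" as a single transposition, not two edits.
            if prev2 is not None and i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev1 = prev1, cur
    return prev1[-1]


def host_of(url: str) -> str:
    """Extract the host name; tolerate bare host names typed without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname or ""


def classify(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return ('trusted', host), ('lookalike', nearest_trusted) or ('unknown', None)."""
    host = host_of(url)
    # Exact matches and sub-domains of a trusted domain are fine.
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return "trusted", host
    norm = normalize(host)
    best, best_d = None, max_distance + 1
    for t in trusted:
        d = edit_distance(norm, normalize(t))
        if d < best_d:
            best, best_d = t, d
    # Close to a trusted name but not equal to it: the typo-squatting pattern.
    if best_d <= max_distance:
        return "lookalike", best
    return "unknown", None


def main():
    # Constructed sample URLs: one genuine, two look-alikes, one unrelated.
    for url in ("https://example.com/login", "http://exmaple.com",
                "examp1e.com", "https://totally-different.org"):
        verdict, near = classify(url)
        print(f"{url:35} -> {verdict}" + (f" (resembles {near})" if near and verdict == "lookalike" else ""))


if __name__ == "__main__":
    main()
```

In practice the trusted list would be fed from the organisation's own domain inventory, and a "lookalike" verdict is a good trigger for a warning page or a log entry rather than an outright block, since the user may simply have mistyped.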

Why do People Fall for Social Engineering Tactics?
Social engineering has been proven to be a very successful method for a criminal to “get inside” an organization. Social engineering works because people want to be helpful and/or benefit themselves. By exploiting human psychology, social engineers find innovative ways of gaining access to buildings, systems or data. Successful phishing attacks generally warn that, “Your bank account has been breached! Click here to log in and verify your account.” This ploy takes advantage of human fear of having a compromised bank account. This psychological trick also helps social engineers to succeed with their criminal activities.

Awareness Training
People are fooled every day by these fraudsters because they have not been sufficiently informed about social engineers. Keeping a watchful eye out for social engineering is also part of each person's responsibility to prevent cyber attacks. Since social engineering tricks are constantly evolving, awareness training has to be maintained. For instance, as social networking sites continue to grow in popularity, so do the scams social engineers try to use there, targeting Facebook, Twitter, LinkedIn and other social sites. Links that ask “Have you seen this video of you?” take advantage of both human fear and curiosity, making them very hard to resist unless the user is aware that it is a social engineer looking to trap the user into clicking on a bad link.

Prevention
From small pieces of information, a social engineer can compile an entire profile of a target. This leaves the social engineer well positioned for an attack to gain access to a facility or sensitive data.

Security is all about knowing what risks there are and how to avoid falling victim; not all threats come from the online front or use technical means to exploit network vulnerabilities. The weakest link in security is the human factor. Social engineering should be seen as a very serious risk and preventative measures should be in place. Prevention involves educating people about the worth of information, training them to protect it, and increasing people's awareness of how social engineers function.
