Posted on Mar 7, 2018

What Social Engineering Means Today

When you think of web security, cyber security, or anything else related to securing technology, you probably don’t think about psychology or sociology. Instead when most people think about web security they think about things like encryption, software vulnerabilities, password protection, access levels, or other technical limitations. But normal human vulnerabilities, fears, weaknesses, and foibles can cancel out the most complex security infrastructures through a process known as social engineering.

Here are some examples to illustrate the point:

  • Hackers used phishing emails to breach the networks of Sony Pictures in 2015. The breach led to intellectual property and personal employee details being leaked online.
  • In 2015, Ubiquiti became a victim of employee impersonation, and was duped into handing over almost $47 million to overseas accounts they thought belonged to current vendors.


You can also find examples of social engineering in the offline world. In 2007 a robber stole millions of dollars’ worth of diamonds from the ABN Amro bank in Antwerp in Belgium. He didn’t use guns. There were no tunnels involved. And he didn’t scale the building like you see in the movies. Instead he used social engineering: he created a fake identity and earned the trust of the bank.

What Is Social Engineering?

That social engineering is now used against technology is a natural progression; the technique itself has been around for millennia. One of the most famous stories in Greek mythology, the Trojan Horse, is an example of social engineering.

Trojan Horse

Social engineering involves an attacker scamming or tricking their target(s) into divulging information or taking a specific action. Let’s look at the Trojan Horse example. In the story the Greeks were laying siege to the city of Troy. The traditional way of winning the war would have been to use spears and swords to force their way in, but they didn’t do that. Instead they pretended to give up and sail away, leaving the statue of a horse behind. The Trojans celebrated and brought the statue into the city as a trophy, unaware that Greek soldiers were hiding inside. In other words, the Greek soldiers got inside the city walls by social engineering: they tricked the Trojans.

Social engineering in the modern world works remarkably similarly to the ancient Greek example, involving sophisticated and complex forms of trickery. In practice hackers use social engineering attacks to many different ends, including getting malicious software installed or obtaining passwords.

Kevin Mitnick is a hacker turned author and security consultant who spent almost four years in prison for his hacking. He said: “Social engineering is using deception, manipulation and influence to convince a human who has access to a computer system to do something, like click on an attachment in an email.”

That covers those emails from Nigerian princes asking for your bank details then, but it goes much deeper than that. It can include emails that play on fears, or phishing attacks where the hacker pretends to be someone they are not in order to get a user to divulge personal information.

Nor is it always indiscriminate, with the net cast widely in the hope of catching a handful of users. Hackers go after single companies too, by targeting individuals. They win the trust of those individuals, usually by playing to their vanity, greed, or fears. Then they strike by getting that user to “do something.”


Securing Against Social Engineering

Technology is only a small part of the solution to preventing social engineering attacks. Social engineering succeeds because humans make mistakes: a vulnerable person somewhere in the chain can compromise any technical solution by giving out a password, installing a piece of software, or clicking on an email attachment.

Countering social engineering attacks typically involves three strategies.

The first is improving the quality of passwords. Passwords are often the weakest link in network security. We all have experience with complex but necessary password requirements. At a minimum a password should be 8 characters long and include a mix of letters, numbers and special characters. Avoid using personal information, or real words for that matter. Use a unique password for each account. Your security team should also consider implementing two-factor authentication for added security, since it blocks access even if a password is divulged. And NEVER give out your password.
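The password rules above, turned into a policy check that reports every reason a candidate fails rather than a bare pass/fail. This is an added example, not code from the original post; the personal-information values and the small word list are constructed stand-ins for a user’s account record and a real dictionary.

```python
import re

# Constructed sample of the user's own details that must not appear in the
# password; in practice these come from the account record.
PERSONAL_INFO = ["alice", "smith", "1990", "acme"]

# Tiny constructed stand-in for a real-word list; a production check would
# load a full dictionary plus a list of commonly breached passwords.
COMMON_WORDS = {"password", "welcome", "summer", "letmein", "qwerty", "dragon"}

MIN_LENGTH = 8

# Undo the usual symbol-for-letter substitutions ("P@ssw0rd") before the
# dictionary check, so that disguised real words are still caught.
_LEET = str.maketrans("@$0134!", "asoieai")


def check_password(candidate: str, personal_info=PERSONAL_INFO) -> list[str]:
    """Return the list of policy violations for candidate (empty means it passes)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("no letters")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no special characters")

    lowered = candidate.lower()
    for item in personal_info:
        if item.lower() in lowered:
            problems.append(f"contains personal information ({item!r})")

    normalised = lowered.translate(_LEET)
    for word in sorted(COMMON_WORDS):
        if word in normalised:
            problems.append(f"contains a common word ({word!r})")
    return problems


if __name__ == "__main__":
    for pw in ["P@ssw0rd1!", "Alice2024!", "short", "xK7#mQ2$vL"]:
        verdict = check_password(pw)
        print(pw, "->", "OK" if not verdict else "; ".join(verdict))
```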

The second strategy involves making sure individuals who have access to your information and networks are aware of the risks. Let’s go back to the earlier examples to illustrate the importance of simply educating those involved. The bank robber got access to the diamonds in Belgium simply by earning the trust of the bank staff. The Ubiquiti hack occurred because employees responded to a message they thought was coming from a co-worker. And several Sony employees were duped by a fake Apple ID verification email that eventually prompted them to enter login credentials.

The third strategy to combat social engineering attacks is to carry out penetration testing where security consultants try to break in using similar techniques. They do this not to highlight technological vulnerabilities, but instead to identify individuals who might be susceptible to a trick.

This final option is not available to everyone because it can be expensive. Education and making people aware of the risks, therefore, are the primary defenses. If you run a business or manage employees, you should consider creating an easy-to-follow, enforceable security policy that defines password rules, identifies sensitive information, and educates staff on how to identify questionable emails. Be sure to update the policy to include information on the latest scamming and malware techniques. And review the policy regularly so that everyone remains vigilant.


Editor’s note: This blog was originally published on June 9, 1025; it has been updated for relevancy and accuracy.
