What is Social Engineering?
Author: Christopher Fields
Published: February 2, 2022
Word count: 816
WHAT IS SOCIAL ENGINEERING?
Social Engineering is the practice of manipulating people, in private and corporate settings, into giving up information or access. It draws on Open-Source Intelligence, Human Intelligence, and psychological pressure.
Open-Source Intelligence (OSINT) is the process of gathering personal information about a target through internet searches, social media, and public records.
Human Intelligence (HUMINT) is the process of gathering information about a person through direct observation and interaction: traits, language, mannerisms, surroundings, clothing and more.
This information is then used to compromise the credentials, accounts, and premises of organizations and individuals, primarily for the attacker's financial or personal gain.
WHY IS SOCIAL ENGINEERING USED?
The first stage of Social Engineering is to gather as much information as possible about a person or organization. Once this information is compiled, an attacker uses it to emotionally hijack an individual (through urgency, authority, fear, or flattery) in order to extract sensitive information. Most commonly, the personal information is used to access online accounts, reset or guess passwords, and gain entry into secured areas at the workplace.
Unfortunately, many companies forget that the first step of "hacking" an organization begins with its people.
In fact:
• Over 60% of businesses are targeted by Social Engineering each year
• Approximately only 25% of companies provide Social Engineering Awareness Training
• Over 90% of Cyber attacks rely on Social Engineering
• Social Engineering attacks cost companies between 3 to 6 trillion dollars each year (worldwide)
• The average cost of each attack is roughly $130,000
• 45% of employees open suspicious emails (60% among new hires)
MOST COMMON SOCIAL ENGINEERING ATTACKS
• Pretexting – Inventing a false name, occupation, or reason for contact (a fabricated scenario, or "pretext") in order to gain access or secured information.
• Spear Phishing – Attacks, most commonly by email, that are directed at specific recipients and include detailed, personalized information gathered beforehand to make the message convincing.
• Vishing – Voice phishing, a phone-based attack used to obtain sensitive information or to have the victim carry out a specific act, such as resetting a password or approving a payment.
• SMS Phishing (Smishing) – Attacks initiated via mobile text message, usually carrying a link or a callback number, in order to obtain sensitive information from the recipient.
• Quid Pro Quo/Baiting – Primarily conducted online, these attacks promise the victim a service (for example, "IT support" that needs their password) or a reward in exchange for personal information or an action.
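The email-borne attacks in the list above share a few mechanical tells that a reader can check before reacting to the message: a sender domain that imitates the company's own, a Reply-To that silently redirects replies elsewhere, a display name that carries a different address than the real sender, and pressure language (urgency, secrecy, payment) in the text. The following Python triage script is added here as an example and is not part of the original article; the trusted domain example.com, the phrase list, and both sample messages are constructed for the demonstration.

```python
"""Triage check for spear-phishing and quid-pro-quo style emails.

Added example for this page, not the article's own material.  The trusted
domain, the pressure-phrase list and the two sample messages are assumptions
constructed for the demonstration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organisation's own legitimate sending domain(s).
TRUSTED_DOMAINS = {"example.com"}

# Pressure phrases typical of social-engineering pretexts: urgency,
# authority, secrecy and payment.  Extend for your own environment.
PRESSURE = re.compile(
    r"\b(urgent(ly)?|immediately|right away|within \d+ (hours?|minutes?)|"
    r"do not (tell|discuss)|keep this (confidential|between us)|"
    r"wire transfer|gift cards?|verify your (account|password))\b",
    re.IGNORECASE,
)


def domain_of(address):
    """Return the lower-cased domain part of an email address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def edit_distance(a, b):
    """Levenshtein distance; enough to catch 'examp1e.com' vs 'example.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if it is not a lookalike."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def triage(raw_message):
    """Return a list of red flags found in one RFC 822 message string."""
    msg = message_from_string(raw_message)
    flags = []
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_to)

    imitated = lookalike_of(from_dom)
    if imitated:
        flags.append(f"sender domain {from_dom} imitates {imitated}")
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To goes to {reply_dom}, not {from_dom}")
    # e.g. From: "ceo@example.com" <attacker@elsewhere.test>
    if display and "@" in display and domain_of(display) != from_dom:
        flags.append("display name contains an address from a different domain")

    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    found = sorted({m.group(0).lower() for m in PRESSURE.finditer(text)})
    if found:
        flags.append("pressure language: " + ", ".join(found))
    return flags


# Constructed sample messages (not real mail).
BENIGN = """From: Payroll <payroll@example.com>
To: staff@example.com
Subject: Q1 timesheet reminder

Timesheets are due Friday. Thanks.
"""

SPEAR_PHISH = """From: "Dana Reyes, CEO" <dana.reyes@examp1e.com>
Reply-To: dana.reyes.ceo@mail-relay.test
To: a.turner@example.com
Subject: Urgent - vendor payment

Alex, I am in a board meeting and cannot talk. Please process the attached
wire transfer immediately and keep this confidential until I am out.
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("spear phish", SPEAR_PHISH)):
        print(name, "->", triage(sample) or ["no flags"])
```

The lookalike check uses an edit distance of at most two, which is fine for a domain the length of example.com but will produce false positives for very short trusted domains; tighten the threshold or compare only the registrable part if that applies to you. None of these checks proves a message is safe: a well-built spear phish can arrive from a genuinely compromised mailbox with no lookalike domain at all, which is why the procedural advice later in this article (verify requests out of band, never on the channel the request arrived on) still applies.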
HOW TO SAFEGUARD AGAINST SOCIAL ENGINEERING
There are many ways to combat Social Engineering attacks. Though I would agree that you can never be too secure, the controls can become something of a headache, all the more so when you are trying to balance them against good customer service toward potential or existing clients.
Therefore, I have listed common, yet effective, measures you can practice to protect your personal and company information.
DON'T BECOME A TARGET – Trust me, if our highest intelligence agency can be hacked by individuals on the other side of the world, then so can you. Essentially, no one is 100% safe. The significant difference between you and a government agency is that you don't stand out nearly as much. As they say, "out of sight, out of mind," and that is the best preventative advice you can take against future attackers. You can take small steps by removing identifiable information from your social media accounts: birthday, place of work, the city you live in, and so on. Most importantly, be VERY wary of people or accounts that ask for your personal information. As soon as they have even a small piece of it, everything else comes apart like pulling a thread: a birthday and an employer are enough to answer many account-recovery questions and to make a pretext call sound credible.
SECURITY PROTOCOLS – Most companies have security policies already in place. However, skilled Social Engineers understand how to get around these "standard security measures." Understanding that humans are the first point of access for a Social Engineer, it's important to equip them with basic training in recognizing manipulative language: manufactured urgency, appeals to authority, requests for secrecy, and unusual payment or credential requests. Secondly, remember that "complacency kills." Complacency with visitors, conversations, unlocked doors, and unattended computers can all become a very serious issue for a company. Maybe your company chooses not to require ID badges or access-control technology. Such technology helps, but it is not the foundation. You can start by keeping all doors secured at all times and funneling all traffic through one entrance staffed by trained reception personnel who verify identity and escort visitors. With that method alone, you can prevent 90% of all unauthorized physical access attempts.
PENETRATION TESTING – A rare and valuable resource for any business is a third-party penetration tester. Social engineering pen-testers are skilled consultants who test a company's security from the human side. The engagement includes Open-Source Intelligence research on the company and its employees, a security assessment of the company's facility, and in-person attempts to gain entry to the location, often aided by employees who unwittingly hold a door or vouch for the tester. Hiring penetration testers can prevent future civil suits and enormous monetary loss, and tighten the physical and digital security of an organization.
Overall, there is no perfect way to understand or prevent Social Engineering. Each individual and company is different from the next. In addition, Social Engineering attacks are always evolving toward the next, most vulnerable avenue.
Nevertheless, if you stick to the "basics" of security and of identifying threats, you'll always be one step ahead of preventable attacks.
Christopher Fields
SE Consultant, CBFI