In our time, we know that socializing has a very high importance and that every person (almost) has a basic need to maintain certain “connection” by “networking” and having interactions with other people, but what are the disadvantages of this? let’s talk about Social Engineering.
Since we have already concluded that socializing is a basic need of every person, we know that today there are many ways in which this need can be fulfilled :
- Social Media / Networks – such as Facebook, Instagram, Twitter and so on, which allow us to be updated in a moment with everything that our families or friends are experiencing every day.
- Chatting Apps – allowing us to establish and maintain conversations with people who are sometimes on the other side of the planet as if they are here next to us. For example WhatsApp, using “FaceTime” and so on.
- Outgoings – these days, there are clubs, parties, festivals and so on. Allowing large (or small) groups of people to meet up and socialize with each other.
Why am I telling you this?
That’s because, like everything in life, there is good and there is bad.
And just like an architect engineers buildings, some people will abuse the need of people to socialize to engineer the same people. A thing called Social Engineering.
In a computer system there are two types of objects – people and computers and hence there are four types of communications :
- Human to human.
- Human to computer.
- Computer to human.
- Computer to computer.
We’ve talked about failures and other mistakes computers can make. But eventually a machine is only as perfect as the person who created it, therefore, it’s us humans, that make mistakes.
Social Engineering is a concept from the field of security, and in particular from the field of information security, which means the utilization of a person’s psychological qualities, which may lead him to comply with the hacker’s requests. That’s why social engineering is one of the most common techniques in cyber warfare. This method makes it possible to bypass certain security mechanism technologies (such as antivirus, firewalls, etc.), and it is based on the fact that all information systems are designed to provide services to users, and those users have the means to access the information that the attacker wants to obtain.
All social engineering techniques are based on the ability to influence the decisions of the human mind. This concept is called “cognitive biases“.
There is really no protection for the main weakness – the human factor.
Common Social Engineering methods
All the methods and whether they’ll work or not depends mainly on decision making.
- Phishing – this is an attempt to steal sensitive information achieved by impersonating. The information may be, among other things, usernames and passwords or financial details. Phishing is carried out by pretending to be a legitimate party interested in receiving the information. Usually, the impersonator sends an instant message or e-mail in the name of a known website / organization, in which the user is asked to click on a link. After clicking on the link, the user arrives at a fake website where he is asked to enter the details that the impostor wants to steal. This method is very passive, because here the attacker relies on the victim “falling into the trap” and giving the desired information himself.
- Temptation – ever got on of these “Congratulations! You are our millionth user, click here to claim your prize!”. This method relies on enticing the user to click on malicious links or giving away his details in order to receive a certain reward.
- Socializing – similar to temptation, the attacker could “lure” an employee from a certain company, getting close to him, only to extract information from the employee at a later stage.
- Disguising – the attacker could also pretend to be a person with an “innocent appearance” such as a maintenance guy. Since some “doors” require a keycard or any other means of identification, he can simply ask you to open this door while he claims to be who he really isn’t.
So what can be done? How do we avoid being “socially engineered”?
The most effective way today to protect against social engineering attacks is to increase employee/user awareness and their attention to details.
- Creating a framework of trust between the organization and it’s employees and defining the situations in which it is permitted/prohibited to transfer sensitive information to specific parties, if at all.
- Identifying the sensitive information in the organization and assessing its exposure to social engineering attacks.
- Preparation of policies and procedures that handle the use of sensitive information.
- Training employees based on their positions, their position in the organizational chain and the level of sensitivity of the information they work with.
- Monitoring attempts to leak information from within the organization.
- Strict procedures for physical security and increasing the awareness of the security factors.
Just imagine that you are the one who accidentally leaked information worth millions to the company you work(ed) for. Social Engineering is scary.
Stay safe, choose Kayran.