In our article on organizational doxing we mentioned social engineering and promised to cover the subject in more detail. The connection is straightforward: attackers use doxing as part of their social engineering maneuvers. But what does social engineering actually mean?
In its modern form, social engineering is the act of psychologically manipulating a person for the purposes of a cyber-attack, using specific information about that person: data usually gathered online, via social media or by breaking into personal online accounts. Once the collected data allows a psychological profile of the target to be built, the attacker uses manipulation to trick the target into mistakes that facilitate access to the digital system, which is the real goal of such an attack.
Social engineering originates offline; it is one of the abilities of the “confidence” trickster. Some possess it intuitively and others learn it. Taken by itself, it is neither good nor bad, just an ability to read people and estimate their cognitive biases. Yet using this ability for a malicious purpose turns it into a fraudulent tool. Hackers have turned this ability into an art, and the unsuspecting online victims they target rarely have the knowledge and presence of mind needed to protect themselves from a state-of-the-art social engineering campaign.
That is why anyone running an enterprise with a varied workforce should establish and implement a company security policy, or assign this task to the head of the IT department, and make sure that part of this policy involves training all employees on how to stay protected from social engineering techniques.
How does social engineering work?
Because it may take many forms, social engineering has been classified in several ways according to the attacker's type of approach.
Thus, social engineering may be passive, non-present, present but not aggressive, or both aggressive and present at the same time. It all depends on how much the attacker is willing to invest in terms of time and dynamics, but the same fundamental principles underlie all four cases: people are willing to help when asked; people tend to trust their interlocutor; everyone finds it hard to refuse an apparently harmless request; and, ultimately, everyone is less vigilant when praised.
The most common methods are phishing (obtaining private information under false pretenses), baiting (exploiting the target's curiosity by placing a malware-infected device or file where the target is most likely to find it and introduce it into the system) and simple pretexting, where the attacker obtains crucial information about the targeted system by giving the impression of being a different persona, e.g. an IT repairman, a co-worker, a bank employee or some other figure the target perceives as trustworthy.
People who specialize in social engineering prepare for their attempts, so that the target is pleasantly surprised by their technical knowledge, or by their detailed information on how the company works or what the hierarchy inside a team is. By casually volunteering bits of researched information when approaching their target, the attackers give the impression that they are part of the group and that their activity is exactly what they claim it is: computer specialists, banking personnel, internet provider staff and so on. Here are some examples of what such an approach might look like.
The chronological stages of social engineering would be the following:
- Information gathering;
- Pretexting (setting up the chosen scenario and putting it into practice);
- Influence, persuasion and rapport-building (in order to get the victim to take action that benefits the attacker).
Security researchers have studied all these elements, and psychology experts have contributed their expertise in establishing patterns that are useful in planning a defense strategy. Although the potential target might be anyone with access to a targeted system, and explaining every detail to every employee of an enterprise is beyond the usual work schedule and sometimes beyond what they can absorb, the mandatory thing to do is to raise employee awareness of this matter. Fortunately, there are simpler ways to do this in a reasonable amount of time.
Researchers have identified six levels of influence that attackers can engage in a social engineering exploit:
- Reciprocation (or quid-pro-quo: the target is inclined to offer a counter-service when service has been offered to him/her previously);
- Scarcity (an impeding urgency rearranges priorities and may determine skipping the usual precautionary measures altogether);
- Consistency (the attacker appeals to the good nature of the target and creates the obligation of promise fulfillment);
- Liking (charm can be dangerous in such situations, in both directions: a malicious interlocutor may charm his/her target, or may create the impression that the target can charm him/her only by complying with the requests he/she makes);
- Authority (this influencing technique is very successful in formal workplaces, ironically, among people who tend to respect the rules and professionalize their actions);
- Social validation (when peer behavior, or the impression that a certain behavior has been adopted by a majority of colleagues, acts as the final convincing step).
How to protect your company against social engineering in five steps
Empower your employees by keeping them informed. Everyone involved in your business should apply the protective measures once they know them thoroughly, until doing so becomes second nature.
- Make your employees aware of their position and their status once they are part of your team; they may be targets because of their professional status and their inherent access permissions;
- Build a working mindset whereby all team members learn to be legitimately suspicious and inquiring when confronted with external or unusual interlocutors; teach your employees to respect the business rules and avoid any over-helpful course of action;
- Implement a set of good practices to be applied by all, such as: locking laptops and devices when away from the workstation, keeping routine cyber-security measures up to date (updates, reporting any unusual notifications), and double-checking the validity of emails or other communications before opening them (via phone call, or via another email address of the person who appears to have sent the email);
- Make sure you have achieved staff awareness, either by internal methods or by using the services of specialized companies that offer training and/or testing for employees (role-playing, simulated attacks to see how people apply what they were taught, and so on); when conducted internally, these trials should be carefully prepared to avoid misguided elements and unwanted results: the goal is to improve, not to humiliate or shame those who are having a harder time assimilating the cyber-security information;
- Reinforce the human defense with technical prevention and detection software or software services, and have your IT department or personnel keep everybody up to date with the latest alerts.
As in all attack-and-defense situations, stepping out of denial is the first thing to do. Social engineering may target any company, regardless of size or field. Some companies may not even be aware of their target status: they might matter to the attackers because of their connections to second-level targets. It is better to assume a cyber-attack might happen and be prepared.
From there on, it is all about knowing your enemy and developing best practices that will prove useful in any circumstance. Training your employees gives them new skills and makes your company a better-protected, modern economic entity.