As digital technology has spread into our day-to-day activities, we have become more and more exposed to cyber attacks by malicious individuals. Those individuals also use technology to carry out their crimes, but the most effective tools and techniques are expensive and out of reach of the everyday criminal; only well-funded criminal organizations or nation states can afford them. Criminals therefore turn to techniques that get them unauthorized access to information assets at little cost: deceit and persuasion, in other words social engineering.
So what is social engineering?
As far as IT security is concerned, social engineering is a technique by which a malicious individual obtains information or data they are not authorized to have by manipulating and deceiving the custodian of that information into revealing it.
Because tools for compromising victims directly, such as hacking tools, are costly, attackers have found it easier to compromise the custodians of confidential information, which in turn gives them access to the victims' systems. Rather than hack networks and information systems, they hack the people who manage them.
It has been said that a system is only as strong as its weakest link. Humans have proven to be the weakest link in information systems, so they become the easiest targets for attackers. That is why it is necessary for organizations to train their employees and raise awareness of information security, to minimize the risk of compromise arising from an employee being "social engineered".
How do social engineers compromise individuals and organizations?
Social engineers take full advantage of inherent human weaknesses such as curiosity, a willingness to help born of ordinary kindness, greed, lust and fear. Exploiting these weaknesses is what lets them manipulate individuals successfully. Notable methods include pretexting, the notorious scam emails, phishing and baiting.
Pretexting involves deceiving individuals by pretending to be someone else, for example the IT helpdesk. The attacker calls an unsuspecting employee and explains that a routine upgrade is under way and requires the employee's login credentials. The employee (who may well hold access to crucial parts of an information system, as a systems administrator does) may unsuspectingly hand them over to the social engineer, who can then use them to compromise the organization. This takes advantage of the victim's willingness to keep things running smoothly at work.
Other variants involve calling while pretending to be someone in higher authority and demanding such access, for example passwords; the victim obediently complies out of fear of being questioned by a superior. The practical counter is a simple rule: credentials are never given out over the phone, and any such request is verified by calling the requester back on a number taken from the directory rather than one supplied by the caller.
Probably the best-known form of social engineering is the scam email in which the attacker claims to be a wealthy person whose fortune is trapped somewhere and who needs the victim's help to release it, promising a share as a reward. The "help" usually means sending money to cover the cost of processing the release, with the promise that this "processing fee" will be refunded along with the reward.
Once the "processing fee" is paid, if the social engineer does not ask for more, that is probably the last the victim will hear of them. This takes advantage of the victim's willingness to help and also of their greed.
Phishing uses deception to obtain sensitive data from victims by mimicking a well-known, trusted source. It can arrive by email, SMS, voice message or any other medium, and typically leads to a link that looks authentic (for example one resembling an online banking site) but points to a clone of the real site. The message usually asks for confidential access details such as the username and password for online banking, under the pretext of a required password change, an account upgrade or something similar. What gives such a link away is the domain it actually points to, which may differ from the text displayed and from the genuine domain only by a subtle change of spelling or by burying the genuine name inside a longer one.
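The following is an added example, not code from the original article, showing the kind of link check a mail gateway or an analyst can run over a suspicious HTML message. The sample email body, the bank domain "examplebank.com" and every other domain in it are constructed for illustration; the punycode label is likewise constructed (the check keys only on the "xn--" prefix). It flags three of the tricks described above: the visible URL not matching the real target, a trusted name embedded as a subdomain of an unrelated domain, and internationalised labels used for look-alike characters.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing email body (assumption: the genuine bank is
# examplebank.com; all domains here are illustrative, none is a real site).
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your online banking password expires today.</p>
<a href="http://examplebank.com.login-verify.example/update">https://www.examplebank.com/login</a>
<a href="http://xn--exmplebank-9ib.com/reset">Reset your password</a>
<a href="https://www.examplebank.com/help">Help centre</a>
"""

# Domains the organisation actually owns (assumption for this example).
TRUSTED_DOMAINS = {"examplebank.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare 'www.x.com' text is treated as http://www.x.com."""
    return urlparse(url if "://" in url else "http://" + url).hostname or ""


def registrable_domain(host):
    """Last two labels of the host. Simplifying assumption: no public-suffix list,
    which is adequate for the .com-style names used in this example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(href, text):
    """Return the reasons a link looks like phishing (empty list = nothing found)."""
    reasons = []
    real_host = host_of(href)
    real_dom = registrable_domain(real_host)

    # 1. The visible text is itself a URL but its domain differs from the target.
    if re.match(r"^(https?://|www\.)", text):
        shown_dom = registrable_domain(host_of(text))
        if shown_dom != real_dom:
            reasons.append(f"display URL {shown_dom} differs from target {real_dom}")

    # 2. A trusted name appears inside the host, but the registrable domain is not it
    #    (e.g. examplebank.com.login-verify.example).
    for trusted in TRUSTED_DOMAINS:
        if trusted in real_host and real_dom != trusted:
            reasons.append(f"trusted name {trusted} embedded in untrusted domain {real_dom}")

    # 3. Punycode (IDN) labels, the usual vehicle for look-alike characters.
    if any(label.startswith("xn--") for label in real_host.split(".")):
        reasons.append(f"punycode label in host {real_host}")

    return reasons


def scan_email(html):
    """Map each href in the message to its list of reasons."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: classify_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL_HTML).items():
        print(href, "->", reasons or "ok")
```

The third link is the genuine help page and produces no findings, which is the point of the check: it does not need a list of bad domains, only a list of the domains the organisation really uses.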
Baiting, as the name suggests, uses a lure to trick unsuspecting victims into compromising themselves. The bait can be a link, a document with an enticing label, or something physical such as a flash drive. A link might be something urgent and attractive: "click here to win", "click here for something free", or material of a pornographic nature.
The bait can also be a document (on a system or as an email attachment) labeled so that the victim is tempted to open it, for instance by claiming to contain business secrets or nude photographs; opening it compromises the system, usually by way of malware. Similarly, a flash drive, optical disk or other storage medium carrying such an enticing label may be left lying around; a victim who plugs it into a system to see what is on it infects that system with malware.
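Because the enticing label is the whole trick, the file name tells you nothing about what the file does; the useful check looks at the content. Below is an added example, not code from the original article, of a triage routine for attachments and files found on a stray drive. The sample files are constructed in memory (a minimal Office-style zip with and without an embedded VBA project, and a fake executable with a double extension); the file names are illustrative and the extension lists are the author's assumptions about what an organisation would want flagged.

```python
import io
import zipfile

# Extensions an organisation would normally not expect from an enticing attachment
# (assumption for this example; tune to local policy).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".bat", ".cmd", ".ps1"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
DOCUMENT_LOOKING = {".pdf", ".doc", ".docx", ".jpg", ".png", ".txt"}
# Zip entries that carry VBA macros inside Office Open XML packages.
OOXML_MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def build_ooxml(parts):
    """Construct a minimal OOXML-like zip in memory (a constructed sample, not a
    document produced by Office)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


def suffixes(filename):
    """All dotted suffixes of a name: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def assess_attachment(filename, data):
    """Return the reasons a file is suspicious (empty list = nothing found)."""
    reasons = []
    sfx = suffixes(filename)
    last = sfx[-1] if sfx else ""

    if last in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable type {last}")
        # 'holiday_photos.jpg.exe': the document-like part is what the victim sees
        # when the real extension is hidden.
        if len(sfx) >= 2 and sfx[-2] in DOCUMENT_LOOKING:
            reasons.append("double extension disguising executable as a document")

    if last in MACRO_EXTENSIONS:
        reasons.append(f"macro-enabled extension {last}")

    # Content check: Office Open XML files are zip archives ('PK\x03\x04').
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            reasons.append("zip signature but unreadable archive")
        else:
            found = [p for p in OOXML_MACRO_PARTS if p in names]
            if found:
                reasons.append(f"embedded VBA project {found[0]}")

    return reasons


# Constructed samples standing in for files found on a stray drive.
SAMPLES = {
    "Company_Secrets.docx": build_ooxml({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0",  # VBA part hidden behind a .docx name
    }),
    "Q3_Salaries.docx": build_ooxml({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
    }),
    "holiday_photos.jpg.exe": b"MZ\x90\x00",  # fake PE header, constructed
}


def scan_samples():
    """Triage every constructed sample; returns name -> reasons."""
    return {name: assess_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in scan_samples().items():
        print(name, "->", reasons or "ok")
```

The second document is clean despite its tempting name; the first one is the interesting case, because nothing in its name hints at the macro project inside. A real deployment would run such a check in a sandbox, never on the analyst's own workstation, and would treat an unreadable or oversized archive as a finding rather than an error to skip.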
Social engineering has become rampant because it is a cheap and easy way to compromise victims. Techniques such as phishing and baiting have served as the first step of far more damaging attacks, including Stuxnet, recent attacks on the financial sector worldwide, and ransomware.
The best defense against social engineering and the attacks it initiates is awareness. Social engineering exploits the human element, the weakest link in information and systems security, so having the best security hardware and software is futile if the human element is not secured; as stated earlier, your security is only as good as your weakest link.