Hacking has evolved into a form of art. With the significant growth of the internet over the last few years, attackers continue to look for ways to bypass organizations' security, and so far social engineering has paid many dividends.
Since many companies are aware of the threat of cyber-attacks, they have invested heavily in tightening security and putting in place policies that work to minimize security threats. This has been achieved by preventing data theft using encryption, firewalls and security appliances. However, with all that in place, there remains the human element in the business. Attackers take advantage of this element and use human flaws to bypass the technical layers of security.
What is social engineering?
Social engineering has existed for a long time. Since technology is getting better every day and becoming harder to hack, these malicious persons target the one thing that doesn't change: the human propensity for trust. Usually, a social engineering attack is not the main attack; it is generally preparation for it. Most attackers use social engineering as a way to scout systems and gain initial access. The Email Security: Social Engineering Report by Agari revealed that 60% of the surveyed security leaders said their organization had been the victim of at least one targeted social engineering attack which resulted in employees' credentials being compromised. Additionally, about 17% of those attacks resulted in breaches of financial accounts.
What social engineering excels at is the psychological manipulation of people into doing something or releasing confidential information. In social engineering, the human risk manifests in two main ways:
- The disgruntled employee who uses his/her access to steal company secrets and confidential information or disrupt systems that will result in losses for the company.
- The loyal employee who unknowingly divulges classified information or gives an outside party access to internal systems.
Information security culture
Employee behavior plays a huge part in the information security of a company. As such, the culture of the organization towards information security is critical. Information security culture can be defined as the patterns of behavior that contribute to the overall security of all kinds of information. Research shows that employees often do not feel part of the information security effort and, as a result, regularly do things that ignore the best interests of the organization's information security. To mend a broken culture, here are a few things an organization should do.
- Pre-evaluation: to better capture the current state of affairs, evaluation of employees and policy is in order.
- Strategic planning: using the results from the pre-evaluation, you can determine what needs to be done regarding awareness. Here, clear targets must be set since they will act as benchmarks when review time comes.
- Operative planning: achieved by setting up proper policies and training programs. These will ensure that all persons in the organization are aware of the security culture and what to look out for.
- Implementation: this is where the policies and training are executed. Implementation should be rolled out in stages, with retraining every few months to keep everyone up to date.
Social engineering techniques
The most effective social engineering techniques exploit cognitive biases in human decision making. Psychologists sometimes refer to these cognitive biases as flaws in human nature. These methods are used to gain access to privileged information such as logins to a system. So, what are the different forms of social engineering?
Pretexting as a means of getting information has been around for centuries and is quite effective. In pretexting, the attacker creates and uses a made-up scenario (the pretext itself) to establish communication with the target in a way that increases the odds of the target divulging the required information. Usually this is an elaborate lie that requires some research on the attacker's part in order to impersonate a plausible person or role. Although it takes a lot of cunning to pull off, it is a very effective strategy. Criminals frequently use pretexting to trick businesses into releasing private information.
Among the most popular social engineering methods, phishing has existed since the advent of websites. Phishing is basically getting your target to release private information without them realizing they have. One of the most common phishing attacks is an email that purports to come from a legitimate business. The email will often ask you to "verify" some information on your account, with severe consequences if you don't. The email contains a link which, when clicked, takes you to the phisher's website, which is made to look identical to the legitimate one. The visible text of the link may even show the legitimate company's address while the underlying link points somewhere else, or the address may differ from the real one by a single character. The victim then attempts to log in with their real credentials, which are stored in the attacker's database. The attacker can later use them to access the victim's accounts and manipulate them as they see fit.
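The checks a mail filter (or a suspicious reader) can run against the kind of email described above, as an added example that is not part of the original article: it extracts every link from an HTML email body, flags links whose visible text shows one domain while the href points to another, flags hosts that closely resemble or embed a trusted domain, and flags internationalized (punycode) hosts. The email body, the trusted domain `example-bank.com` and the similarity threshold are constructed assumptions for the demonstration; the domain heuristics are deliberately simple and would need a proper public-suffix list in production.

```python
import difflib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the classic "verify your account" lure. The first link
# shows the real bank's address as text but points at a lookalike host; the
# third embeds the real domain as a subdomain of an attacker-controlled one.
SAMPLE_EMAIL_HTML = """
<p>Dear customer,</p>
<p>We detected unusual activity on your account. Please confirm your details at
<a href="http://examp1e-bank.com/login">https://www.example-bank.com/verify</a>
within 24 hours or your account will be suspended.</p>
<p>Questions? Visit <a href="https://www.example-bank.com/help">our help center</a>
or review your <a href="https://example-bank.com.account-verify.test/">Account Settings</a>.</p>
"""

# Assumed list of domains the organisation legitimately corresponds with.
TRUSTED_DOMAINS = {"example-bank.com"}

# Visible anchor text that itself looks like a URL or bare domain.
LOOKS_LIKE_URL = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lowercase hostname of a URL or bare domain ('' if none)."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def strip_www(host):
    return host[4:] if host.startswith("www.") else host


def lookalike_of(host, trusted):
    """Return the trusted domain `host` imitates, or None.

    Exact matches and genuine subdomains are not lookalikes. A host that
    embeds a trusted name (example-bank.com.evil.test) or is a near match
    by character similarity (examp1e-bank.com) is.
    """
    host = strip_www(host)
    for t in trusted:
        if host == t or host.endswith("." + t):
            return None
    for t in trusted:
        if t in host:
            return t
        # 0.85 is an assumed threshold; tune against real mail traffic.
        if difflib.SequenceMatcher(None, host, t).ratio() >= 0.85:
            return t
    return None


def analyze_email(html, trusted):
    """Return a list of suspicious links with the reasons they were flagged."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        reasons = []
        if LOOKS_LIKE_URL.fullmatch(text):
            text_host = host_of(text)
            if strip_www(text_host) != strip_www(href_host):
                reasons.append("display/href mismatch: text shows %s, link goes to %s"
                               % (text_host, href_host))
        if "xn--" in href_host or not href_host.isascii():
            reasons.append("internationalized host (possible homoglyph)")
        imitated = lookalike_of(href_host, trusted)
        if imitated:
            reasons.append("lookalike of trusted domain %s" % imitated)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_email(SAMPLE_EMAIL_HTML, TRUSTED_DOMAINS):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

Run against the sample, the first and third links are reported and the genuine help-center link passes. The display/href mismatch check is the one a human can replicate by hovering over a link before clicking; the lookalike check is what catches a URL that was typed to look right.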
Defenses against social engineering
Educating the employees
Proper education and training are the front line of defense against cybercriminals who use social engineering as their weapon of choice. Once employees know how these attacks are orchestrated, they will be more cautious.
Be stingy with information
Personal information should remain just that: personal. Employees shouldn't divulge sensitive information via social media platforms, since attackers use it to build convincing pretexts. It's important to note that some emails asking for action will be from legitimate businesses. However, recipients should be able to distinguish a legitimate website from a fake one; checking where a link actually points before clicking, or navigating to the company's site directly rather than through the emailed link, is the simplest way to do that.
Regularly update software
These days, browsers are more intelligent than they used to be. Browser vendors maintain lists of known malicious and phishing websites, and you will get a warning when you are headed to one of them. That is one reason it's important to always keep your software up to date. What's more, current software is increasingly built with a security-first approach, which means that most updates are security patches for previously known bugs.