
What is Social Engineering?


Social engineering is conning people, often through a computer screen, but just as often in person, on the phone or through the bin!

It is officially defined as "the art of convincing people to reveal sensitive or confidential information", which gives it a gloss it does not deserve.

Social engineers prey on the fact that their targets are unaware of how valuable the information they hold really is, and use that lack of awareness to gain access to an organisation's network and data. Social engineering attacks are particularly difficult to counter because they are designed to play on natural human characteristics such as curiosity, respect for authority and willingness to help others. Malicious individuals will try several different ways to gain access, but often favour trying their luck against what is arguably the weakest link in the line of defence: people. A well-configured firewall, up-to-date antivirus and a patched system present a tricky challenge to cybercriminals, so they often go after the staff of the target organisation instead, deploying several different techniques. Many of these are low risk and high gain, and their success depends on the personnel of the target rather than on its systems.

There is considerable scope for conning people through a web page. In recent years the browser vendors have developed ways to highlight dangers, for example a page that is not served over HTTPS or a certificate that does not match the site. Being vigilant about browser cues will be the subject of my next post.


What are the stages of a social engineering attack?

Social engineering attempts typically consist of the following phases:

Research a company or individual – usually by dumpster diving, analysing websites, researching employees on social media and so on.


Select a target – identify the most suitable employee, for example someone disgruntled or someone with a perceived lack of security training.


Develop a relationship – attackers will deploy several different methods to build rapport and trust with the chosen employee.


Exploit the relationship – collect sensitive account or financial information, gain access to the network and so on.


For those in the know, such as security personnel and administrators, implementing security throughout the system and shoring up the defences is part of their everyday job. They have had plenty of training and are therefore aware of what to look out for. The same cannot always be said for those whose everyday work does not concern security, who carry out their duties without giving the systems they use a second thought, apart from when they go wrong. Attackers will seek to exploit what they perceive as this weakest link. It is vital that there is sufficient training for all, so that everyone has the knowledge to confidently deal with any social engineering attempts thrown their way, strengthening the weakest link.

Social engineering comes in many different forms, technical and non-technical. A technique could be a forged email that appears to come from the admin team and contains a suspicious link (phishing). Another could be an individual impersonating a member of the tech team and asking you to update your password, or someone rummaging through your company's garbage to see what they can find. Not every social engineering technique involves electronics or is highly sophisticated; an attacker may be as brazen as to slip in behind someone authorised entering the building, also known as tailgating.
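To make the phishing case above concrete, here is a small added example (not code from the original post) that pulls the links out of a constructed HTML email and flags the cues a trained reader would look for: a link that is not HTTPS, a link whose visible text shows one address while the href points somewhere else, and a domain that resembles but is not the organisation's own. The trusted domain `example.com`, the sample email and the scoring thresholds are assumptions chosen for illustration.

```python
"""Flag common phishing indicators in the links of an HTML email body.

Added example. The sample email and the trusted domain are constructed
for illustration; they are not taken from the original article.
"""
import difflib
import re
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

# Hypothetical: the organisation's genuine registrable domain(s).
TRUSTED_DOMAINS = {"example.com"}

# Matches visible link text that itself looks like a URL or hostname.
URL_LIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#].*)?$")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self) -> None:
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Crude approximation: the last two labels (fine for .com-style hosts)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def lookalike(domain: str) -> Optional[str]:
    """Return the trusted domain this one resembles but is not, else None."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        similar = difflib.SequenceMatcher(None, domain, trusted).ratio() >= 0.8
        embeds_brand = trusted.split(".")[0] in domain  # e.g. example-login.net
        if similar or embeds_brand:
            return trusted
    return None


def analyse_links(html_body: str) -> list:
    """Return one finding per link: {'href', 'text', 'reasons'} (empty reasons = clean)."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        domain = registrable_domain(host)
        reasons = []
        if url.scheme != "https":
            reasons.append("not https")
        if domain and domain not in TRUSTED_DOMAINS:
            reasons.append("untrusted domain")
        shown = URL_LIKE.match(text)
        if shown and registrable_domain(shown.group(1)) != domain:
            reasons.append(f"displayed host {shown.group(1)} differs from link host {host}")
        near = lookalike(domain)
        if near:
            reasons.append(f"lookalike of {near}")
        findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: two suspicious links and one genuine internal one.
SAMPLE_EMAIL = """\
<p>Dear colleague, your mailbox is almost full.</p>
<p>Please <a href="http://example-login.net/reset">reset your password</a> within 24 hours.</p>
<p>Or visit <a href="https://examp1e.com/account">https://example.com/account</a>.</p>
<p>Staff portal: <a href="https://portal.example.com/">portal</a></p>
"""

if __name__ == "__main__":
    for finding in analyse_links(SAMPLE_EMAIL):
        verdict = "; ".join(finding["reasons"]) or "no indicators"
        print(f'{finding["href"]}  ->  {verdict}')
```

The first link is flagged for plain HTTP, an untrusted domain and embedding the brand name; the second for a visible address that does not match the real destination and a one-character lookalike; the genuine `portal.example.com` link raises nothing. None of this replaces a trained reader, but it is exactly the kind of check a mail gateway or an awareness quiz can be built around.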

It is also important to be very careful about what employees share online, even on their personal accounts, because attackers will scour social media for any nugget of information they can use, even to work out how to appear more legitimate when they approach someone to gain their trust. Do not include any information on company websites that is not necessary, as it can be harvested to build a more complete picture of the company and a strategy of attack. If an attacker is successful, the impact could be severe: financial losses, legal ramifications, reputational damage and loss of custom!


What can I do to protect myself?

Unfortunately, there is no sure-fire way or one-size-fits-all approach. There are, however, a few things you can do to reduce the risk of falling victim to such an attack.

Be vigilant. Take note of who is hanging around the building entrances and who is coming and going as you go about your day. If you see someone suspicious, raise the alarm.


Check for ID. Anyone wanting to enter the building who is not part of your team must have ID or clearance from security personnel. Check their ID, or check with management, to confirm they have been authorised to be there. Be especially wary of anyone who cannot produce ID but presses you with urgency or authority; that pressure is the attacker's tool, not a reason to skip the check.


Dispose of waste properly. Ensure that all waste is disposed of correctly, by shredding or another secure method, rather than idly thrown in the bin where a dumpster diver can retrieve it.


Staff awareness training. Ensure that every staff member is trained regularly on what to look out for, and implement some kind of test or quiz to confirm the training has been understood rather than treated as a tick-box exercise.

Enforce a security policy. Each member of staff should sign a well-detailed security policy holding them accountable for their actions while using company systems or discussing company business. This may seem a little unnecessary, but by doing so you cover yourself and ensure all personnel are aware of the consequences of their actions. In turn, they take greater care with security, mitigating the risk of a successful social engineering attack. Additionally, do some research of your own to familiarise yourself with what to look out for and the methods you can use to protect yourself. It is always best to be prepared.


Remember: organisations need to get it right every time; attackers only need to get it right once!
