Anti-social engineering

Why is Social Engineering dangerous to you?

Imagine you have hardened your network with the most powerful tools available. You have carefully checked your web applications for vulnerabilities and eliminated every weak point. So now you can breathe out and say, “I am totally safe,” right?

The answer is “No” until you have closed the most widespread path for attackers: the minds of your employees. Social engineering is not about attacking computers; it is about attacking people and hacking human minds. According to statistics, more than 90% of modern cyberattacks involve social engineering.

Why is this kind of attack so popular among criminals? Because it is much easier and faster than attacking a well-hardened technical infrastructure. Breaking into an organization with social engineering can be as easy as sending one e-mail with an infected document to employees. If one of them takes the bait, the attacker gets inside your network and your assets are at his disposal.

Thus, your employees turn into a tool of the perpetrators. By manipulating people’s minds, perpetrators make them commit self-destructive actions such as giving away secret information, running malware or providing access to restricted areas. For that purpose, the attackers use techniques of deception and psychological manipulation.

How Social Engineering works 

Social engineering comes in different flavors. Here are the most widespread types of social engineering today.

Physical impersonation. Imagine a person comes to your office and says she is a fire inspector who needs to carry out an inspection. In reality, it is a criminal or a spy trying to get access to your assets in order to steal information, install malware or cause some other kind of damage. Of course, perpetrators can impersonate anyone – from a cleaner to a police officer – but their aim stays the same: to get physical access to your assets for malicious purposes or to extract confidential information from your employees.

Phishing. You have definitely faced this digital form of social engineering many times. It comes in the form of an email “from a bank, Google security, a court subpoena, DHL, your dearest friends” and… you can extend the list with any other entity you trust enough. If you buy it and click the link or open the file in the email, you are trapped. Phishing aims to elicit your credentials or to make you install malware on your computer. As always, its main tools are deception and manipulation tricks.

Spear-phishing is a subtype of phishing aimed at a particular individual, mostly a CEO or another influential person. Attackers gather plenty of information about the person before starting the attack, so the malicious email sent to the target looks very plausible.

Vishing. This is social engineering carried out by phone. Perpetrators call you and, impersonating an authority figure, try to make you commit some self-harming action. Usually, they pretend to be a “bank security service” and make efforts to extract your secret banking information, such as your PIN and CVV code.

Smishing (SMS phishing) is another infamous flavor of phone-based social engineering. In this case, perpetrators use SMS and instant messengers to send a malicious link or to draw the victim into other kinds of malicious activity.
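The phishing, spear-phishing and smishing variants above all rely on the same lures: a sender that looks like a trusted entity, a link or attachment to act on, and pressure to act now. A defender can triage incoming mail for exactly those tells before a user ever sees the message. The script below is an added example and is not code from the original post; the sample messages, the `.example` domains, the indicator names and the weights are all constructed for illustration and are not a tuned ruleset.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Illustrative lists and weights (constructed for this example, not a tuned ruleset)
URGENCY_PHRASES = ("urgent", "immediately", "account will be suspended",
                   "verify your account", "within 24 hours")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".iso")
GENERIC_NAME_WORDS = {"security", "team", "support", "service", "notice", "alert"}
WEIGHTS = {"reply_to_mismatch": 3, "link_target_mismatch": 4,
           "display_name_mismatch": 2, "urgency_language": 1,
           "risky_attachment": 4}


def _domain(address):
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _body_text(msg):
    """Concatenate the decoded text/plain and text/html parts of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw_message):
    """Return the names of the indicators that fire on one RFC 822 message."""
    msg = message_from_string(raw_message)
    found = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. Reply-To points somewhere other than the claimed sender's domain
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and _domain(reply_addr) != from_dom:
        found.append("reply_to_mismatch")

    # 2. The display name claims a brand that does not appear in the sending domain
    name_tokens = [t.lower() for t in re.findall(r"[A-Za-z]{3,}", from_name)
                   if t.lower() not in GENERIC_NAME_WORDS]
    if name_tokens and not any(t in from_dom for t in name_tokens):
        found.append("display_name_mismatch")

    body = _body_text(msg)

    # 3. The visible link text shows one host while the href leads to another
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        shown = re.search(r"([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
        real_host = (urlparse(href).hostname or "").lower()
        if shown and shown.group(1).lower() != real_host:
            found.append("link_target_mismatch")
            break

    # 4. Pressure language typical of the "act now" lure
    lowered = body.lower()
    if any(p in lowered for p in URGENCY_PHRASES):
        found.append("urgency_language")

    # 5. Attachment types that execute directly or carry macros
    for part in msg.walk():
        if (part.get_filename() or "").lower().endswith(RISKY_EXTENSIONS):
            found.append("risky_attachment")
            break
    return found


def phishing_score(raw_message):
    """Weighted sum of the fired indicators; higher means more suspicious."""
    return sum(WEIGHTS[i] for i in phishing_indicators(raw_message))


# Constructed sample messages (not real mail); every domain below is invented.
SUSPICIOUS_MAIL = """\
From: "DHL Express" <notice@dhl-parcel-update.example>
Reply-To: tracking@delivery-center.example
To: employee@corp.example
Subject: Urgent: parcel on hold
Content-Type: text/html; charset=utf-8

<p>Your parcel will be returned within 24 hours unless you confirm.</p>
<a href="http://login-portal.example/verify">https://www.dhl.com/tracking</a>
"""

MACRO_MAIL = """\
From: "Accounts Payable" <ap@invoices-ledger.example>
To: employee@corp.example
Subject: Invoice attached
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached invoice immediately.
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"

ZmFrZQ==
--b1--
"""

BENIGN_MAIL = """\
From: "Corp HR" <hr@corp.example>
To: employee@corp.example
Subject: March payslip available
Content-Type: text/plain; charset=utf-8

Your March payslip is now available in the HR portal.
"""

if __name__ == "__main__":
    for label, mail in (("suspicious", SUSPICIOUS_MAIL), ("macro", MACRO_MAIL), ("benign", BENIGN_MAIL)):
        print(label, phishing_score(mail), phishing_indicators(mail))
```

The checks deliberately mirror the lures the article lists: a forged trusted sender (display name and Reply-To), a link that does not go where it says, pressure to act immediately, and a file the victim is asked to open. A scorer like this is a triage aid for a mail gateway or a user-reported-phish queue, not a replacement for the awareness training the article recommends, because a well-crafted spear-phishing mail can pass every one of these heuristics.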

How to protect against Social Engineering attacks

The hardest thing about protecting against social engineering attacks is that they exploit natural vulnerabilities of the human brain. Many reactions are wired into our brains to run automatically, so an experienced social engineer manages these reactions – and thus people’s behavior. It is as if he had a remote control in his hands and simply pushed the buttons until the victim becomes compliant and commits self-destructive actions.

The main factor in mitigating the risk of social engineering attacks is raising the awareness of potential victims. You can’t install a firewall in your employees’ minds, but you definitely can educate them to detect social engineering attacks and resist them.

How exactly?

I elaborated many anti-social engineering methods and programs, including the special course «The Missing Part of OSINT: Social Engineering». Check it out first and then get back to me if you need even more knowledge. 
