Social Engineering

Social Engineering is defined as follows: The art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems or data.

Social engineering happens in both the physical world and the digital world. We are going to briefly discuss examples/methods of both. In later posts we will go into further detail of different varieties of social engineering attacks.

Step 1: Often, attackers will go to social media sites like LinkedIn or Facebook to find all of the users that work at a company and gather plenty of detailed information that can be used to further an attack. They can then move on to Step 2.

Step 2: Attack users, utilizing any of the below methods:

Physically:

  • “Can you hold the door for me? I don’t have my key/access card on me.” How often have you heard that in your building? While the person asking may not seem suspicious, this is a very common tactic used by social engineers.
  • Clever criminals will also sometimes impersonate delivery drivers or caregivers with too many items in their hands to open the door. They are taking advantage of our innate urge to help others. This is often called piggy-backing or tailgating.

Digitally:

  • Call and pretend to be a fellow employee or a trusted outside authority (such as law enforcement or an auditor).
  • Impersonate an IT professional to ask for either a user’s credentials or for the user to uninstall antivirus software. The latter allows the attacker to install malicious software that could do anything ranging from logging keystrokes to gaining access to the entire network.
  • Customize phishing attacks to target known interests (e.g., favorite artists, actors, music, politics, philanthropies) that can be leveraged to entice users to click on malware-laced attachments.

Defend Against Social Engineering

Security awareness training is the number one way to prevent social engineering. Employees should be aware that social engineering exists and be familiar with the most commonly used tactics. But it isn’t just the average employee who needs to be aware of social engineering. Senior leadership and executives are primary enterprise targets.

Dan Lohrmann of csoonline.com offers the following advice:

  1. Train and train again when it comes to security awareness.
    Ensure that you have a comprehensive security awareness training program in place that is regularly updated to address both the general phishing threats and the new targeted cyber threats. Remember, this is not just about clicking on links.
  2. Provide a detailed briefing “roadshow” on the latest online fraud techniques to key staff.
    Yes, include senior executives, but don’t forget anyone who has authority to make wire transfers or other financial transactions. Remember that many of the true stories involving fraud occur with lower-level staff who get fooled into believing an executive is asking them to conduct an urgent action — usually bypassing normal procedures and/or controls.
  3. Review existing processes, procedures and separation of duties for financial transfers and other important transactions.
    Add extra controls, if needed. Remember that separation of duties and other protections may be compromised at some point by insider threats, so risk reviews may need to be reanalyzed given the increased threats.
  4. Consider new policies related to “out of band” transactions or urgent executive requests.
    An email from the CEO’s Gmail account should automatically raise a red flag to staff, but they need to understand the latest techniques being deployed by the dark side. You need authorized emergency procedures that are well-understood by all.
  5. Review, refine and test your incident management and phishing reporting systems.
    Run a tabletop exercise with management and with key personnel on a regular basis. Test controls and reverse-engineer potential areas of vulnerability.

Are your employees armed to defend against social engineering attacks? We have partnered with Infosec, which specializes in cybersecurity awareness training and simulated phishing attacks. Give us a call at (504) 372-1372. We’ll give you and your employees the ammunition you need to withstand the ongoing cybersecurity battle.

Leave a Reply

Your email address will not be published. Required fields are marked *