This should really be called “anti-social” engineering. A good definition is “social engineering is a non-technical method of intrusion hackers use that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. It is one of the greatest threats that organizations today encounter.”
My article on Wednesday will give an example of phone based social engineering – the fake tech support call. This is one example. It is often the easiest way to gain unauthorized access to a computer network, because it is low cost and will generally defeat any technological security solutions that the network security administrator may have implemented. On Friday we will take are look at phishing. Phishing, or sending a convincing email to trick the recipient into doing something unwise, is also a social engineering attack, and is the most common (90-95%) ways that attackers gain access.
Social engineering is a straight-up, old school, confidence game. Typical types of social engineering gambits are:
- Baiting. Leaving a malware-infected physical device, such as a USB flash drive, in a place it is sure to be found, like an entry or parking lot. When the “lucky” finder take the flash drive and plugs it into his or her computer, this will install the malware. Other bait includes CDs, “free” downloadable apps, torrented music files, and cute cat videos.
- Phishing. A fraudulent email is disguised as a legitimate email, often purporting to be from a trusted source. The message is designed to trick the recipient into clicking on a link or opening an attached file. This usually results in the capture of personal information like user credentials or credit card numbers, or the installation of remote access malware.
- Spear phishing. Spear phishing is an email approach that is custom tailored for a specific individual or organization. In many cases the attacker will have done considerable advance research in order to get to know the victim and make the exploit a plausible as possible.
- Spam. Unsolicited junk email can be used as a broadcast method of phishing or malware distribution in an attempt to find people who are trusting or gullible, and susceptible to social engineering.
- Pretexting. When the exploiter lies to the victim to access to personal data. For example, a pretexting scam could involve an attacker who pretends to need personal or financial data in order to confirm the identity of the target.
- Quid pro quo. When an attacker requests personal information from a party in exchange for something desirable. For example, an attacker could request computer access in exchange for help or something of value.
- Tailgating. When an unauthorized party follows an authorized party into an otherwise secure location, usually to steal valuable property or confidential information. This bypasses keycard access to a secure building or area by quickly following behind an authorized user. Often props, like a stack of packages or a briefcase or two will encourage victims to hold the door for the attacker.
The best defense against social engineering is to develop a healthy suspicion. Be skeptical. Verify the sender of an email. Never use provided links in an email, instead go to the website directly. Question persons asking for access to buildings, or networks. Cybersecurity awareness training can help educate your staff of the risks and give them some ideas about how to recognize a social engineering approach and challenge it.
- Logrhythm blog article on Social Engineering
- TechTarget article on Social Engineering
- Cybrary – free Social Engineering and Manipulation course
About the Author:I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com