Combatting Social Engineering – The Invisible Threat

By Brendan Horton, Security Analyst at FoxPointe Solutions

Cybersecurity is often associated with technical vulnerabilities and sophisticated defenses. However, one popular attack method, social engineering, leverages human psychology rather than technical flaws to gather information and carry out attacks.

Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. This invisible threat poses serious risk to today’s organizations.

The following represent key social engineering principles and techniques to be wary of, as well as best practices for fortifying your organization against these dangerous attacks:

Social Engineering Principles

A key concept of social engineering is understanding how humans react, and how stress or pressure can be leveraged to elicit a desired action. Attackers generally rely on seven key principles when engineering an individual, often combining several of them in a single attack. Learning to recognize when these principles are being used is the first step in guarding against these psychological attacks.

Authority

This principle relies on employees complying with a request from an individual who they perceive to be in charge or in a position of power, regardless of whether they actually hold any influence.

Intimidation

Intimidation tactics are used by hackers to scare an individual into taking the desired action of the social engineer.

Consensus

Most people want to do what others around them are doing, and cyber-criminals use this tactic to persuade unsuspecting people to act in the same way.

Scarcity

Scarcity exploits the perception of limited resources or opportunities to make something appear desirable.

Familiarity

Cyber-criminals exploit the positive feelings a target already holds toward the social engineer, or toward the organization they claim to represent, because of an existing bond.

Trust

Social engineers work to build a connection with the targeted employee.

Urgency

Urgency creates a false feeling of time-sensitive pressure to prompt individuals into making hasty decisions.

Social Engineering Techniques

Social engineers may use a variety of techniques – both technical and nontechnical – to implement the above principles when performing an attack.

Technical Techniques

One of the most common technical techniques an attacker may use is phishing. Phishing is a broad term that describes the fraudulent collection of information, often focused on usernames, passwords, credit card numbers, and related sensitive information. While email is one of the most common avenues for phishing, other methods include smishing (phishing via SMS), vishing (voice phishing, typically over VoIP), spear phishing (targeted phishing), and whaling (phishing aimed at senior employees).

One of the best ways an organization can defend against phishing attacks is through employee awareness training. A phishing attack can occur to anyone at an organization, so it is crucial that all employees are taught how to recognize and respond to phishing attacks.

Other technical techniques include website attacks that redirect traffic away from a legitimate website to a malicious one; this is referred to as pharming. Typosquatting is another common website attack. It relies on a user misspelling a URL and landing on a similarly named malicious site. For example, a social engineer may register a domain such as googl.com to catch individuals who have accidentally misspelled the popular website google.com.
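To show how a defender can spot the lookalike names that typosquatting relies on, here is an added Python example (not code from the original article): it folds commonly confused characters and flags any domain within a small edit distance of a protected domain. The protected list and the sample domains are constructed for the example.

```python
# Domains the organization wants to protect (constructed; substitute your own).
PROTECTED_DOMAINS = ["google.com", "foxpointesolutions.com"]

# Characters commonly swapped for visually similar ones in typosquatted names.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def levenshtein(a: str, b: str) -> int:
    """Minimum single-character edits (insert/delete/substitute) turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def second_level_label(domain: str) -> str:
    """Label left of the TLD, e.g. 'googl' for 'googl.com' (no public-suffix handling)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def normalize(label: str) -> str:
    """Fold confusable characters so 'g00gle' compares as 'google'."""
    for bad, good in CONFUSABLES.items():
        label = label.replace(bad, good)
    return label

def classify(domain: str, protected=PROTECTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, protected_domain): 'legitimate' for an exact match,
    'lookalike' if within max_distance edits after confusable folding, else 'unrelated'."""
    domain = domain.lower().strip(".")
    if domain in protected:
        return "legitimate", domain
    label = normalize(second_level_label(domain))
    best = min(protected, key=lambda p: levenshtein(label, second_level_label(p)))
    if levenshtein(label, second_level_label(best)) <= max_distance:
        return "lookalike", best
    return "unrelated", None

# Constructed sample, as domains might appear in proxy or DNS logs.
SAMPLE_DOMAINS = ["google.com", "googl.com", "g00gle.com", "example.org"]

def flag_lookalikes(domains=SAMPLE_DOMAINS):
    """List the domains that resemble, but are not, a protected domain."""
    return [(d, classify(d)[1]) for d in domains if classify(d)[0] == "lookalike"]

if __name__ == "__main__":
    for domain, target in flag_lookalikes():
        print(f"possible typosquat of {target}: {domain}")
```

Running the check over DNS or proxy logs surfaces near-miss domains for review; the edit-distance threshold and confusable table are heuristics and will need tuning to avoid false positives on short names.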

Nontechnical Techniques

Tailgating is a common physical entry attack that relies on following someone into a building or restricted area after they have opened the door. In some cases, unsuspecting employees may even hold the door open for the individual walking behind them. Much like phishing, tailgating is best prevented through awareness training as well as through implementing security measures such as requiring each employee to use their own badge or credentials to access protected facilities.

Similarly, shoulder surfing is the practice of looking over a person’s shoulder to observe and capture credentials as they are entered. Despite the name, attackers are not limited to peering over someone’s shoulder; they may also watch via mirrors or through windows. To safeguard against this technique, organizations should consider installing privacy screens and encouraging employees to stay aware of their surroundings when entering sensitive information.

Social Engineering Training

Social engineering is one of the most challenging cybersecurity threats to protect against, as it targets individual reasoning. The best way an organization can fortify against these attacks is through conducting comprehensive, periodic social engineering training. This training should not only educate employees on the common social engineering principles, techniques, and attacks covered in this article, but also equip them with the necessary tools and knowledge to identify and proactively avert potential attacks.

About the Author

Brendan Horton is an analyst in the FoxPointe Solutions Information Risk Management Division of The Bonadio Group. As part of the IRM division, Brendan provides internal and external auditing of information technology and information security practices and controls. He serves multiple industries, including public and private companies, healthcare organizations, tech companies, and school districts, to ensure that client controls are functioning. Brendan also engages in consulting services and conducts audits and information technology assessments in accordance with regulatory compliance standards.

Brendan can be reached online at [email protected] and at our company website https://www.foxpointesolutions.com/

December 24, 2023
