Social engineering is currently one of the most common forms of attack. Such attacks let cybercriminals gain access to a network with little effort: the victim hands all the keys to the attacker.
In the context of cybersecurity, social engineering is the process of obtaining people's personal information by deceiving them. There are many types of social engineering attacks: emails with links to malicious sites, a phone call from a cybercriminal who pretends to be the help desk and extorts confidential information, and so on. Social engineering is used not only in the digital realm but in any area where specific information must be obtained from the victim for malicious purposes.
Cybercriminals use social engineering techniques to hide their real identity. To do this, they present themselves as trustworthy organizations or individuals. The purpose is to obtain, through deception and manipulation, the personal information needed to access the target network. Social engineering is used as the first stage of a larger cyberattack to infiltrate a system, install malware, or expose sensitive data. The method is popular because it is easy to carry out: it is much easier to undermine cybersecurity by exploiting human weaknesses than by exploiting network vulnerabilities.
To carry out such an attack, the attacker first collects targeted information (the corporate structure, internal operations, third-party vendors, etc.). Employees' public social-network profiles can also become a target for malefactors. After collecting data, the cybercriminal chooses the first target to strike. Most often this is a low-level employee who is manipulated into granting access. It is rarely possible to reach confidential resources immediately, so attackers move through the network to discover credentials with a higher level of access. Their activity is usually hidden behind legitimate processes to avoid detection by antivirus software.
At the core of all social engineering tactics are aspects of human interaction and decision making known as cognitive biases. Such biases can be thought of as vulnerabilities in human software, which attackers exploit to obtain the access they need.
Basic social engineering principles:
- Reciprocity. Handing out free samples is popular in marketing because people feel a desire to return the favor. Attackers can likewise provide the victim with a free service and then request access to sensitive information.
- Commitment and consistency. For example, an employee fulfills an attacker's request for credentials because he agreed to it initially, even though he understands that this should not be done.
- Social proof. People tend to repeat the actions of others and do what others do. The attacker may present false evidence that the victim's colleagues have already cooperated, pressuring the victim to comply.
- Authority. People often submit to more authoritative personalities and perform even undesirable actions. This explains the success of spear-phishing campaigns that pose as CEOs and target lower-level employees.
- Sympathy. People tend to succumb to influence and persuasion if they like the person making the request.
- Scarcity. Perceived scarcity increases demand; attackers use it to make their request feel urgent.
Ways to prevent social engineering attacks:
- Training employees on security issues: how to respond to hacking attempts, requests for personal information, etc.;
- Establishing a security policy that describes what employees must do in specific incidents;
- Examining information carefully. Employees should develop the habit of checking every email they receive and every device they plug into their computer;
- Establishing security protocols, i.e. an information risk management program with security protocols, policies, and procedures that describe how data is protected;
- Testing resistance to attacks: testing the organization by conducting controlled social engineering attacks, sending pseudo-phishing emails, and training the employees who fall for such provocations;
- Running test attacks regularly to build resilience;
- Reviewing the protocols for responding to attacks, improving and supplementing them;
- Using secure services to handle and dispose of information that is no longer needed, so that criminals cannot use it;
- Using multi-factor authentication;
- Applying operational security (OPSEC) methods;
- Implementing third-party risk management for vendors that process large amounts of information that can identify a person;
- Detecting data leaks by regularly scanning data for exposure and leaks.
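The CEO-impersonation spear-phishing mentioned under "Authority" and the habit of checking every incoming email can be supported by a simple header check. The following is an added example, not part of the original article: it scores a raw message for executive-impersonation indicators. The executive roster, corporate domain, keyword list and sample message are all constructed for illustration.

```python
"""Score an inbound email for executive-impersonation indicators (added example)."""
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAINS = {"example.com"}                    # assumed internal mail domains
EXECUTIVES = {"jane doe": "jane.doe@example.com"}      # assumed roster: display name -> real address
URGENCY_WORDS = ("urgent", "immediately", "wire", "gift card", "confidential")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def impersonation_indicators(raw_message: str) -> list[str]:
    """Return human-readable reasons the message looks like executive impersonation."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reasons = []

    # 1. Display name matches a known executive, but the address is not that executive's.
    key = from_name.strip().lower()
    if key in EXECUTIVES and from_addr.lower() != EXECUTIVES[key]:
        reasons.append(f"display name '{from_name}' matches an executive but address is {from_addr}")

    # 2. Sender domain is outside the corporate domains (a 'CEO' on free mail is a classic tell).
    if from_addr and _domain(from_addr) not in CORPORATE_DOMAINS:
        reasons.append(f"sender domain {_domain(from_addr)} is external")

    # 3. Reply-To points to a different domain than From, so replies go to the attacker.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        reasons.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain")

    # 4. Urgency / secrecy pressure in subject or body (the authority and scarcity levers).
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        reasons.append("pressure language: " + ", ".join(hits))
    return reasons


# Constructed sample: a look-alike 'CEO' mail sent from a free-mail account.
SAMPLE = """From: Jane Doe <jane.doe.ceo@freemail.example>
Reply-To: finance-desk@another.example
To: clerk@example.com
Subject: Urgent - confidential wire needed today

Please process this immediately and do not discuss with anyone.
"""

if __name__ == "__main__":
    for reason in impersonation_indicators(SAMPLE):
        print("-", reason)
```

A message that trips none of the four checks returns an empty list; in a mail gateway the returned reasons would typically be attached as a banner or used to quarantine the message for review.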