The Threat of Social Engineering Attacks (1/3)

What is a Social Engineering Attack?

According to Wikipedia: "Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional 'con' in that it is often one of many steps in a more complex fraud scheme."

Social Engineering is the art of manipulating others’ trust. It is an old gig with a fresh name, because its core principles are hardly new. After all, grifters, fraudsters, and confidence tricksters have existed in human society since the very beginning.

In the 21st century threat ecosystem, however, these traditionally face-to-face manipulation techniques are increasingly used remotely by criminals, to gain access to corporate networks in order to steal secrets, funds, or confidential/personal information. This type of intrusion attempt now accounts for 65% of all successful cyber security breaches¹, because it’s usually far easier to exploit the human tendency to trust than it is to hack past a company’s cyber defenses.

How does it work?

Social Engineers accomplish their goals either by gaining the confidence of authorized company personnel or by stealing those users' access credentials in order to breach corporate computer networks (or physical company locations) while impersonating legitimate employees. Since it is a form of Confidence Trick, social engineering most frequently relies on exploiting most humans' natural inclination to be helpful, or on exploiting common personality weaknesses.

Social Engineering Attacks usually involve Four Phases:

  1. Intelligence Gathering
     The criminal will initially investigate the intended victim and the target company, compiling the background information necessary for the attack. This information can include potential entry points, the nature of and weaknesses in corporate security protocols, departmental structure and staff, etc.

  2. Relationship Building
     Having gathered the required intelligence, the attacker moves in on the intended victim to gain trust and set up the situation, ready for the next phase.

  3. Exploitation
     Once the victim has a measure of trust in the attacker, the criminal presents "an emergency situation" or another pretext in an attempt to get the victim to break security protocols or procedures.

  4. Execution
     If the victim complies, the criminal moves on to the execution phase and fulfills the attack's intended purpose, such as stealing corporate information, planting malware, or stealing funds.

The Social Engineering Attack Lifecycle

Oftentimes, attackers will spend considerable amounts of time "researching" their victims online, through social media, or in real-world scenarios, by eavesdropping on conversations in public spaces such as food courts, office lobbies, or bars.

The intelligence gleaned in this manner is then used to throw the victim off guard when the attack is made.

Here's a Quick Example

A social engineer may call a victim's personal assistant, posing as Bob the System Administrator and claiming to require immediate access to Sandy's (the victim's) company network account, due to an emergency situation in the server room. All that is required for this type of attack are two staff-member names and the personal assistant's extension number, which in most cases could easily enough be found online.

The Motives are Simple

Planting malware, conducting corporate espionage, and stealing funds are the most common reasons for launching intrusion attempts at the corporate level, with phishing and spear-phishing constituting by far the most frequently used attack vectors.

Up to 17% of Employees fall for Phishing Emails - 33% fall for Spear-Phishing Emails²

A study by security software provider Positive Technologies¹ found that, on average, ten to fifteen percent of untrained staff are vulnerable to phishing emails, depending on the subject and type of email they were confronted with. These findings highlight both the inherent security weaknesses at the human level of any corporation and the need for greater security awareness among staff and management.

What can be done to Reduce the Risks

Corporate cyber attack prevention is an all-or-nothing undertaking. Only if every staff member is aware of his/her day-to-day security responsibilities and well versed in recognizing social engineering attacks, such as phishing and spear-phishing, does a company's human security structure become hardened to these types of attack. With this in mind, the most effective way to combat social engineering attacks is a thorough cyber security awareness training program for all members of staff.

There are also a number of things which can be done at the Information Technology level to prevent malicious intrusions. We will cover these in Section 3: Defenses & Risk Reduction.

Next up: Section 2: Real World Social Engineering Attack Scenarios and Techniques


Sources:

Armament Solutions Limited

3315 Rice Boulevard

Houston, TX, 77005

United States of America

+1 713-636-5656
International House, 61 Mosley Street

Manchester, M2 3HZ

United Kingdom

+44 01865-600-733