The Threat of Social Engineering Attacks (1/3)

What is a Social Engineering Attack?

Social Engineering is the art of manipulating others’ trust. It is an old gig with a fresh name, because its core principles are hardly new. After all, grifters, fraudsters, and confidence tricksters have existed in human society since the very beginning.

In the 21st century threat ecosystem, however, these traditionally face-to-face manipulation techniques are increasingly used remotely by criminals, to gain access to corporate networks in order to steal secrets, funds, or confidential/personal information. This type of intrusion attempt now accounts for 65% of all successful cyber security breaches¹, because it’s usually far easier to exploit the human tendency to trust than it is to hack past a company’s cyber defenses.

How does it work?

Social Engineers accomplish their goals by either gaining the confidence of authorized company personnel or by stealing those users access credentials in order to breach corporate computer networks (or physical company locations), impersonating legitimate employees. Since it’s a form of Confidence Trick, social engineering most frequently relies on the exploitation of most humans’ natural inclination to be helpful, or by exploiting common personality weaknesses.

The Social Engineering Attack Lifecycle

Oftentimes, attackers will spend considerable amounts of time ”researching” their victims online, through social media, or in real world scenarios, by eavesdropping on conversations in public spaces such as food courts, office lobbies, or bars.

The intelligence gleaned in this manner is then used to throw the victim off guard when the attack is made.

Here's a Quick Example

A social engineer may call a victim’s personal assistant, posing as Bob the System Administrator and claiming to require immediate access to Sandy’s (The Victim) company network account, due to an emergency situation in the server room. All that’s required for this type of attack are two staff-member names and the personal assistant's extension number, which could easily enough be found online in most cases.

The Motives are Simple

Planting malware, conducting corporate espionage, and stealing funds are the most common reasons for launching intrusion attempts at the corporate level, with phishing and spear-phishing constituting by far the most frequently used attack vectors.

Up to 17% of Employees fall for Phishing Emails - 33% fall for Spear-Phishing Emails²

A study by security software provider Positive Technologies¹ found that an average ten to fifteen percent of untrained staff are vulnerable to phishing emails, depending on the subject and type of email they were confronted with. These findings highlight both the inherent security weaknesses at the human level of any corporation, as well as the need for greater security awareness among staff and management.

What can be done to Reduce the Risks

Corporate cyber attack prevention is an all-or-nothing undertaking. Only if every staff member is aware of his/her day to day security responsibilities and well versed in recognizing social engineering attacks, such as phishing and spear-phishing, does a company’s human security structure become hardened to these types of attack. With this in mind, the most effective way to combat social engineering attacks is a thorough cyber security awareness training program for all members of staff.

There are also a number of things which can be done at the Information Technology level, to prevent malicious intrusions. We will cover these in Section 3: Defenses & Risk Reduction

Next up: Section 2: Real World Social Engineering Attack Scenarios and Techniques

WE ARE YOUR

Sources:

• ¹ Symantec 2018 Threat Report
• ² PT Security 2018 Report