According to Wikipedia: ”Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.”
Social Engineering is the art of manipulating others’ trust. It is an old gig with a fresh name, because its core principles are hardly new. After all, grifters, fraudsters, and confidence tricksters have existed in human society since the very beginning.
In the 21st century threat ecosystem, however, these traditionally face-to-face manipulation techniques are increasingly used remotely by criminals, to gain access to corporate networks in order to steal secrets, funds, or confidential/personal information. This type of intrusion attempt now accounts for 65% of all successful cyber security breaches¹, because it’s usually far easier to exploit the human tendency to trust than it is to hack past a company’s cyber defenses.
Social Engineers accomplish their goals by either gaining the confidence of authorized company personnel or by stealing those users access credentials in order to breach corporate computer networks (or physical company locations), impersonating legitimate employees. Since it’s a form of Confidence Trick, social engineering most frequently relies on the exploitation of most humans’ natural inclination to be helpful, or by exploiting common personality weaknesses.
Oftentimes, attackers will spend considerable amounts of time ”researching” their victims online, through social media, or in real world scenarios, by eavesdropping on conversations in public spaces such as food courts, office lobbies, or bars.
The intelligence gleaned in this manner is then used to throw the victim off guard when the attack is made.
A social engineer may call a victim’s personal assistant, posing as Bob the System Administrator and claiming to require immediate access to Sandy’s (The Victim) company network account, due to an emergency situation in the server room. All that’s required for this type of attack are two staff-member names and the personal assistant's extension number, which could easily enough be found online in most cases.
Planting malware, conducting corporate espionage, and stealing funds are the most common reasons for launching intrusion attempts at the corporate level, with phishing and spear-phishing constituting by far the most frequently used attack vectors.
A study by security software provider Positive Technologies¹ found that an average ten to fifteen percent of untrained staff are vulnerable to phishing emails, depending on the subject and type of email they were confronted with. These findings highlight both the inherent security weaknesses at the human level of any corporation, as well as the need for greater security awareness among staff and management.
Corporate cyber attack prevention is an all-or-nothing undertaking. Only if every staff member is aware of his/her day to day security responsibilities and well versed in recognizing social engineering attacks, such as phishing and spear-phishing, does a company’s human security structure become hardened to these types of attack. With this in mind, the most effective way to combat social engineering attacks is a thorough cyber security awareness training program for all members of staff.
There are also a number of things which can be done at the Information Technology level, to prevent malicious intrusions. We will cover these in Section 3: Defenses & Risk Reduction
It is indisputable that the average company's staff are the weakest link in its security chain. With a comprehensive cyber security awareness training program these employees can be turned into a business' best line of defense. Find out more...