Social Engineering: The Most Dangerous Cyberattack


Cybersecurity has become an increasing concern for corporations and individuals. Corporations try to mitigate cyber risk by implementing security controls such as firewalls and multi-factor authentication, or by purchasing services like cyber insurance. These controls reduce the likelihood and the impact of an attack, but none of them can stop every attack. Cyber attacks vary in complexity: some are highly sophisticated and others are shockingly simple. Social Engineering, one of the most dangerous cyber threats, requires little technical skill to carry out, and everyone is vulnerable to it.

What is Social Engineering?

Social Engineering is manipulation that exploits human error and trust to get a person to perform a desired action. Whether that is good or bad depends on the use case: a doctor persuading a reluctant patient to take their medicine is social engineering put to good use. In cybersecurity it is almost always bad. Attackers use social engineering to trick users into giving up information or access that can then be used for malicious activity. The most familiar example is the phishing email, designed to impersonate a legitimate organization so that an unsuspecting user will hand over valuable information such as login credentials or payment details.

Some Different Forms of Social Engineering:

Spearphishing: A phishing attack tailored to a specific person or organization, using details the attacker has gathered about the target beforehand.

Tailgating: When an unauthorized person follows an unsuspecting authorized user into a secured area without presenting credentials of their own.

Baiting: The attacker dangles something the victim wants, such as a free download, a prize, or a "lost" USB drive, to get the victim to hand over sensitive information or run malicious code.

Scareware: Fake alerts (for example, "your computer is infected") designed to frighten users who do not know better into visiting malicious websites or installing malicious software.

Why is it Dangerous?

Traditionally, Social Engineering is thought of as targeting users who lack technical knowledge of computers; older people are often targeted because they are less current with technology trends. It is just as dangerous to technologically savvy individuals, because attackers sometimes tailor the attack to you specifically, which is Spearphishing. For example, if you are an avid user of a particular service, an attacker may notice that and send you email that appears to come from that service so that you lower your guard. Always check the actual sender address, not just the display name, and be cautious when opening attachments or clicking links; if an offer is too good to be true, it usually is. If you receive an alert demanding immediate attention and you are unsure whether it is legitimate, contact the supposed sender through a channel you already trust, such as a phone number or address from their official website, rather than by replying to the message or using the contact details it contains.
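The sender checks described above, as an added example that is not part of the original post: a Python script that parses two constructed messages, one phishing and one legitimate, and flags the tells a spearphishing email usually carries (a lookalike sender domain, a trusted name over an outside address, a Reply-To pointing somewhere else, SPF/DKIM results that did not pass, and an urgent subject line). The trusted domain example.com, the two sample messages, the homoglyph table and the urgency word list are assumptions made for illustration.

```python
"""Flag the sender-spoofing tells that spearphishing relies on.

Added example, not code from the original post. Everything below
(trusted domain, sample messages, word lists) is assumed for illustration.
"""
import email
import re
from email.utils import parseaddr

# Assumption: the organization's own domain(s).
TRUSTED_DOMAINS = {"example.com"}
# Assumption: words that signal manufactured urgency in a subject line.
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "expires", "suspended")
# Common character substitutions used to build lookalike domains.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def domain_of(header_value):
    """Return the lowercase domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def normalize(domain):
    """Fold homoglyphs in the first label so 'examp1e.com' compares equal to 'example.com'."""
    label = domain.lower().split(".")[0]
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def is_lookalike(domain):
    """True if the domain imitates a trusted domain without being it or a subdomain of it."""
    if domain in TRUSTED_DOMAINS:
        return False
    for trusted in TRUSTED_DOMAINS:
        if domain.endswith("." + trusted):          # mail.example.com is genuine
            return False
        if (normalize(domain) == normalize(trusted)  # examp1e.com
                or trusted in domain                  # example.com.login-check.net
                or trusted.replace(".", "-") in domain):  # example-com.net
            return True
    return False


def auth_results(msg):
    """Parse spf=/dkim=/dmarc= verdicts from Authentication-Results (stamped by the receiving MTA)."""
    header = msg.get("Authentication-Results", "") or ""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header.lower()))


def analyze(raw):
    """Return a list of findings for one raw RFC 822 message; empty means nothing suspicious."""
    msg = email.message_from_string(raw)
    findings = []
    display_name, _ = parseaddr(msg["From"] or "")
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])

    if is_lookalike(from_domain):
        findings.append(f"from-domain-lookalike: {from_domain}")
    # Display name drops the trusted org's name over an outside address: the classic trick.
    if from_domain not in TRUSTED_DOMAINS and any(
            t.split(".")[0] in display_name.lower() for t in TRUSTED_DOMAINS):
        findings.append(f"display-name-impersonation: '{display_name}' <{from_domain}>")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to-mismatch: {reply_domain}")
    verdicts = auth_results(msg)
    for check in ("spf", "dkim"):
        if verdicts.get(check) != "pass":
            findings.append(f"{check}-not-pass: {verdicts.get(check, 'missing')}")
    if any(word in (msg["Subject"] or "").lower() for word in URGENCY_WORDS):
        findings.append("urgency-in-subject")
    return findings


# Constructed sample messages (not real mail): the first carries every tell, the second is clean.
PHISH = """\
From: "Example IT Support" <helpdesk@examp1e.com>
Reply-To: recovery@mail-secure-login.net
To: jane.doe@example.com
Subject: URGENT: your password expires in 1 hour
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none

Click https://examp1e.com/reset now to keep your account active.
"""

LEGIT = """\
From: "Example IT Support" <helpdesk@example.com>
To: jane.doe@example.com
Subject: Monthly maintenance window, Saturday 02:00-04:00
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com

The usual patch window; no action needed from you.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, analyze(raw) or "no findings")
```

The Authentication-Results check only means something when the header was added by your own receiving mail server; a sender can write any header they like, so a gateway should strip inbound copies of that header before stamping its own. The homoglyph folding is deliberately crude and will miss Unicode lookalikes (punycode domains), which is why the display-name and Reply-To checks are kept independent of it.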

Social Engineering does not always take place behind a screen; it can happen in person as well. The technique mentioned earlier as "Tailgating" is when someone who is not authorized follows an authorized individual into a secure zone. For example, an authorized person badges into a server room, a place for authorized users only, and before the door shuts an unauthorized person walks in behind them. It is common courtesy to hold the door for someone, and attackers use that courtesy as their opportunity. Once inside a secured area, the attacker can shut down services from the console, plug in a malicious USB device, or copy malicious files directly onto servers or other critical systems.

Defense Against Social Engineering:

Defending against Social Engineering is difficult because it is not like deploying a patch: you cannot fix human nature with an update. Technical controls such as role-based access control help limit the damage a single deceived user can do, but they cannot be the only thing relied on. Social Engineering can cost organizations millions of dollars, and a single wrong click can give an attacker the foothold they need to cripple an entire organization's IT infrastructure.

Proper awareness training can help mitigate Social Engineering. What is obvious to some users is not obvious to others. An example is not holding doors for others: holding a door is a common courtesy, but you should never hold a door that leads into a restricted zone for anybody. Anyone who needs to get into the area should be able to do so with their own credentials, and if they do not have the proper credentials to enter, they should not be there. A good cybersecurity awareness program can make all the difference. Organizations are only as strong as their weakest link; in other words, everybody needs to be aware of current cyber practices, whether at their organization or at home.

Tips:

  • If you suspect your account has been compromised and you still have access to it, change the password and log out of all devices to terminate every active session.
  • If something seems too good to be true it likely is.
  • Verify the sender of the message, checking the actual address rather than just the display name.
  • If you see suspicious activity say something.
  • If your work machine is impacted contact your IT Department right away.
  • Have Anti-Virus software on your home computer to mitigate risk.
  • If you click a suspicious link or enter credentials on a page you do not trust, run an Anti-Virus scan and reset the affected passwords (and any other accounts that share them).
  • Enable 2FA/MFA whenever possible.
  • Even with all of the security tools in the world none of them can replace good judgment.
  • Always have backups of your data.