What is Phishing?
Data breaches, viruses, and other malware commonly make security headlines. An entire industry of network and computer security has evolved to mitigate these threats. However, most organizations overlook the weakest component of the security system – the human element. Criminals, and others with malicious intent, are exploiting this weakness via social engineering.
There are many definitions of social engineering, but at its core it is simply the process of convincing someone to perform a specific action. As defined by Wikipedia, “Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information. While it is similar to a confidence trick or simple fraud, it is typically trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victims.”
Although the term social engineering is relatively new, the concept is not. Throughout history, deception has been used to manipulate human behavior. In today’s environment, the risk from social engineering is significant, and there are several reasons why it is so popular and will continue to grow. The primary reason is the heavy reliance on distributed computer systems to conduct commerce. Because online systems are used so pervasively, the payout from a successful social engineering attack can be extremely lucrative, and the risk of financial loss from fraudulent transactions keeps increasing. Other financial impacts include the cost of recovering from data breaches and decreased sales from negative publicity or lost competitive advantages.
The motivation for conducting a social engineering attack is generally classified into one of three categories. These categories and corresponding examples are detailed below.
Overall, it is difficult to state the actual cost of a social engineering attack. The cost includes direct financial losses due to fraudulent transactions; decreases in sales due to lost competitive advantages; and direct expenditures to recover from data breaches or to eradicate malicious software.
Social engineering attacks can take many forms. However, there are three basic modes of social engineering attacks. Depending on the motivations of the attacker, a social engineering attack may include one or more of the following methods:
Although many people are unaware of it, social engineering is commonly used to propagate malicious software, such as ransomware. A significant portion of malicious software needs user interaction to be installed or activated, and social engineering is a common way to get the user to take that action. For example, a phishing email may include an attachment that contains ransomware. An attacker may trick an employee into opening the malicious attachment by disguising it as an invoice or another document the employee would expect to receive.
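The "disguised invoice" trick above usually leaves a detectable trace: the file name says document, but the extension or the bytes say executable. The following script is an added example, not code from the original article, showing one way a mail gateway or a triage analyst could flag such attachments. The sample message, its attachments, and the small magic-byte table are constructed for this example; a production check would use a full file-type library and far more rules.

```python
import email
import email.policy
from email.message import EmailMessage

# Leading bytes of a few file types relevant to phishing attachments.
# This table is an assumption of the example, deliberately kept small.
MAGIC = {
    b"%PDF": "pdf",
    b"MZ": "exe",                 # Windows PE executable
    b"PK\x03\x04": "zip",         # also modern Office (.docx/.xlsx) containers
    b"\xd0\xcf\x11\xe0": "ole",   # legacy Office (.doc/.xls), may carry VBA macros
}

# Extensions Windows will execute, versus extensions that look like documents.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "lnk"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}


def sniff(data: bytes) -> str:
    """Identify a file by its leading bytes, ignoring the claimed name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons (possibly none) an attachment looks like a masquerade."""
    reasons = []
    exts = filename.lower().split(".")[1:]
    last = exts[-1] if exts else ""
    # "Invoice.pdf.exe": a document extension hiding in front of an executable one.
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS:
        reasons.append(f"double extension: looks like .{exts[-2]} but runs as .{last}")
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable attachment type .{last}")
    # "Statement.pdf" whose bytes start with MZ: the name lies about the content.
    if last in DOCUMENT_EXTS and sniff(data) == "exe":
        reasons.append("content is a Windows executable (MZ header) despite document extension")
    return reasons


def triage_message(raw: bytes) -> dict[str, list[str]]:
    """Parse a raw RFC 822 message and map suspicious attachment names to findings."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = triage_attachment(name, data)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample() -> bytes:
    """Construct a sample 'overdue invoice' message with three attachments."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "ap@example.org"
    msg["Subject"] = "Invoice 2024-0417 overdue"
    msg.set_content("Please see the attached invoice and remit payment.")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60          # constructed PE-like header
    fake_pdf = b"%PDF-1.4\n%constructed sample\n"    # constructed PDF header
    # Double extension, and the content type is also mislabeled as a PDF.
    msg.add_attachment(fake_pe, maintype="application", subtype="pdf",
                       filename="Invoice_0417.pdf.exe")
    # Plain .pdf name, but the bytes are an executable.
    msg.add_attachment(fake_pe, maintype="application", subtype="pdf",
                       filename="Statement.pdf")
    # A genuine-looking PDF that should not be flagged.
    msg.add_attachment(fake_pdf, maintype="application", subtype="pdf",
                       filename="Terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample()).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Note that neither check alone is sufficient: the double-extension rule misses a renamed executable, and the magic-byte rule misses a macro document or an archive, which is why the table includes the Office and ZIP signatures as a starting point for further rules.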
Although technical controls can mitigate or compensate for some social engineering tactics, the human element of security is often considered the weakest component in the security system. It is often easier to use social engineering to bypass a control than to attack the control directly. For example, it is easier to ask someone for his or her username and password to a web-based application than it is to obtain the password file and try to crack or decipher the user’s password.
Why is it so easy to get people to perform certain actions, such as giving up their passwords? Human nature. The innate behavioral traits within most people allow them to be manipulated. The partial list below outlines some of these traits.
Because of these traits, a social engineer may use many tactics to elicit the desired response from the target. Although an organization may have strong passwords, firewalls, and other security measures, all of these controls may be circumvented by an employee’s lack of security awareness. As stated before, the human element is the weakest component in the security system.
If a company has not yet been the target of a social engineering attack, it is just a matter of time. The severity and sophistication of the attack will depend on the ultimate value to the attacker, but no company or employee is immune. The tactics may change, such as the content of the message or request, but all companies and employees are susceptible. During social engineering testing, it has been documented that all types of personnel, from hourly workers to highly paid executives, can and will fall victim. In basic social engineering testing, over thirty-three percent of the targets tested will comply with the requests presented.
The same techniques used by attackers can be used to test and train employees about social engineering. As stated earlier, electronic means such as phishing are a primary method of attack. The same properties that make phishing effective for attackers make it useful to auditors and security professionals. The beneficial attributes of electronic testing methods, such as phishing, include:
Testing and training are key controls for minimizing the impact from a social engineering attack. However, such testing and training should be part of a layered approach to security. As stated earlier, employees are susceptible to tricks and manipulation, but an organization’s other controls can lessen the impact of the human element. As such, the traditional concept of layered security still applies.
The last two factors of a layered defense, training and testing, are critical when it comes to minimizing the impact from social engineering. As stated earlier, only twenty-six percent of companies perform any type of social engineering prevention training, and among those, training is often limited to reading a policy on the subject. Training should instead include real-world examples of social engineering. Testing is critical and can be used to reinforce and tailor training initiatives. When presenting social engineering test results to end users, the following points should be considered.
Social engineering is the act of manipulating people into performing a certain action. From a security perspective, the risk from social engineering is significant, since the human element of security is the most difficult to manage. Through social engineering tactics, an organization’s controls are often circumvented rather than attacked directly. Although a layered defense involving technical controls can minimize the success of some attacks, social engineering awareness training and testing are the primary prevention measures.