- Social Engineering : Behaviors Vulnerable to Attacks
- Social Engineering : Factors that Make Companies Vulnerable to Attacks
- Social Engineering : Why Social Engineering is Effective ?
- Social Engineering : Phases in Social Engineering Attack
- Types of Social Engineering
- Impersonation on Social Networking Sites
- Identity Theft
- Social Engineering: Countermeasures
- Identity Theft: Countermeasures
- Social engineering is the art of convincing people to reveal confidential information
- Common targets of social engineering include help desk personnel, technical support executives, system administrators, etc.
- Social engineers rely on the fact that people are often unaware of the value of the information they hold and careless about protecting it
Social Engineering : Behaviors Vulnerable to Attacks
- The human tendency to trust is the basis of every social engineering attack.
- Ignorance about social engineering and its effects among the workforce makes the organization an easy target.
- Social engineers lure targets into divulging information by promising something for nothing (greed).
- Targets are asked for help and comply out of a sense of moral obligation.
Social Engineering : Factors that Make Companies Vulnerable to Attacks
- Insufficient security training.
- Unregulated access to information.
- Many organizational units, so employees cannot easily verify who a caller or visitor really is.
- Lack of security policies.
Social Engineering : Why Social Engineering is Effective ?
- Security is only as strong as its weakest link, and humans are the most susceptible factor.
- Social engineering attempts are difficult to detect: a well-crafted request looks like ordinary business.
- There is no method that guarantees complete protection from social engineering attacks.
- No single software or hardware product defends against social engineering; technical controls such as mail filtering and multi-factor authentication only limit the damage a deceived user can do.
Social Engineering : Phases in Social Engineering Attack
- Research on the target company: dumpster diving, websites, employees, touring the company premises, etc.
- Select the victim: identify frustrated or disgruntled employees of the target company.
- Develop a relationship: build rapport with the selected employees.
- Exploit the relationship: collect sensitive account and financial information, and details of the technologies in use.
Types of Social Engineering
Human-based Social Engineering
Gathers sensitive information through direct interaction with people.
- Impersonation is the most common human-based technique: the attacker pretends to be a legitimate or authorized person.
- Attackers may impersonate a legitimate or authorized person either in person or through a communication medium such as phone, email, etc.
- Posing as a legitimate end user: gives an identity and asks for the sensitive information.
- Posing as an important user: poses as a VIP of the target company, a valuable customer, etc.
- Posing as technical support: calls as technical support staff and requests IDs and passwords, claiming to need them to retrieve data or fix a fault.
Computer-based Social Engineering
Social engineering carried out with the help of computers.
- Pop-up windows: windows that suddenly appear while surfing the Internet and ask the user to log in or sign in with their credentials.
- Hoax letters: emails that issue warnings to the user about new viruses, Trojans, or worms that may harm the user's system.
- Chain letters: emails that offer free gifts such as money or software on the condition that the user forwards the mail to a stated number of people.
- Instant chat messengers: gathering personal information by chatting with a selected online user to obtain details such as birth dates.
- Spam email: unwanted, unsolicited email used to collect financial information, social security numbers, and network information.
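The hoax, chain-letter and spam lures above share a handful of tell-tale signals (urgency, a request for credentials, a reward for forwarding, a link whose visible text does not match its real target, a Reply-To pointing somewhere else). The following scorer is an added example, not part of the original page: it runs those heuristics over two constructed sample messages. The trusted domain, the keyword lists, the weights and the threshold are all assumptions chosen for the demonstration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the organization's own mail domain (constructed for this example).
TRUSTED_DOMAINS = {"corp.example.com"}

# Constructed sample messages, not real mail. The first mimics a chain-letter
# style credential phish; the second is an ordinary internal message.
PHISH_RAW = """From: IT Helpdesk <helpdesk@corp-example.com>
Reply-To: recover@mail-recovery.example.net
To: alice@corp.example.com
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html

<p>Your mailbox will be blocked. Click
<a href="http://mail-recovery.example.net/login">https://webmail.corp.example.com</a>
and confirm your password. Forward this mail to 10 colleagues for a free gift card.</p>
"""

BENIGN_RAW = """From: Bob <bob@corp.example.com>
To: alice@corp.example.com
Subject: Lunch on Thursday?
Content-Type: text/plain

Are you free for lunch Thursday? The canteen menu is at
https://intranet.corp.example.com/menu
"""

# Phrase lists and weights are illustrative assumptions, not a vendor ruleset.
URGENCY = ("urgent", "immediately", "within 24 hours", "will be blocked", "suspended")
CREDENTIAL = ("password", "social security", "verify your account", "login details")
LURE = ("free gift", "forward this", "prize", "winner")
LINK_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<"\']+', re.I)
THRESHOLD = 4


def domain_of(addr):
    """Mail domain of an address, lower-cased; empty string if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def mismatched_links(html):
    """Anchors whose visible text shows a URL on a different host than the href."""
    found = []
    for href, text in LINK_RE.findall(html):
        shown = URL_RE.search(text)
        if shown and urlparse(shown.group(0)).hostname != urlparse(href).hostname:
            found.append((shown.group(0), href))
    return found


def score_message(raw, trusted_domains=TRUSTED_DOMAINS):
    """Return (score, verdict, reasons) for one RFC 822 message given as text."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom = domain_of(from_addr)
    if from_dom not in trusted_domains:
        reasons.append((f"external or lookalike sender domain: {from_dom}", 1))
    if reply_addr and domain_of(reply_addr) != from_dom:
        reasons.append(("Reply-To domain differs from From domain", 2))

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    haystack = (str(msg.get("Subject", "")) + "\n" + text).lower()
    if any(p in haystack for p in URGENCY):
        reasons.append(("urgency or threat language", 1))
    if any(p in haystack for p in CREDENTIAL):
        reasons.append(("asks for credentials or identity data", 2))
    if any(p in haystack for p in LURE):
        reasons.append(("reward for forwarding / free gift lure", 1))
    for shown, href in mismatched_links(text):
        reasons.append((f"link text {shown} hides target {href}", 3))

    score = sum(weight for _, weight in reasons)
    verdict = "phishing" if score >= THRESHOLD else "ok"
    return score, verdict, reasons


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_RAW), ("benign", BENIGN_RAW)):
        score, verdict, reasons = score_message(raw)
        print(f"{name}: score={score} verdict={verdict}")
        for reason, weight in reasons:
            print(f"  +{weight} {reason}")
```

The link-text check is the one most worth keeping even if everything else is tuned away: users read the visible URL, not the href, and a mismatch has no honest reason to exist in a mail from your own helpdesk.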
Mobile-based Social Engineering
Social engineering carried out through mobile devices and applications.
- Using SMS: text messages that deliver the same lures as email (fake account alerts, prize notifications, links to credential-harvesting pages).
Impersonation on Social Networking Sites
- Malicious users gather confidential information from social networking sites and create accounts in other people's names.
- Attackers use these fake profiles to build large networks of friends and extract information using social engineering techniques.
- Attackers try to join the target organization's employee groups, where members share personal and company information.
- Attackers can also use the collected information to carry out other forms of social engineering attack.
Social Engineering on Facebook
- Attackers create a fake user group on Facebook identified as "Employees of" the target company.
- Using a false identity, the attacker then "friends" employees or invites them to the fake "Employees of the company" group.
- Users join the group and provide details such as date of birth, educational and employment background, spouse's name, etc.
- Using the details of any one employee, an attacker can impersonate that person and gain access to a secured facility.
Identity Theft
- Identity theft occurs when someone steals your personally identifiable information for fraudulent purposes.
- It is a crime in which an impostor obtains personal identifying information such as name, credit card number, social security or driver's license number, etc. to commit fraud or other crimes.
- Attackers can use identity theft to impersonate employees of a target organization and physically access its facilities.
Social Engineering: Countermeasures
- Good policies and procedures are ineffective if they are not taught to employees and reinforced with them.
- After receiving training, employees should sign a statement acknowledging that they understand the policies.
- Password Policies:
- Periodic password change (note that current NIST SP 800-63B guidance is to force a change only on evidence of compromise, since routine rotation pushes users toward weak, predictable variants).
- Account lockout after repeated failed attempts.
- Minimum length and complexity of passwords, and rejection of known-breached passwords.
- Secrecy of passwords: never shared, never read out over the phone.
- Physical Security Policies:
- Identification of employees by issuing ID cards, uniforms, etc.
- Escorting the visitors
- Access area restrictions.
- Proper shredding of useless documents.
- Training: An efficient training program should consist of all security policies and methods to increase awareness on social engineering.
- Operation Guidelines: Make sure sensitive information is secured and resources are accessed only by authorized users.
- Access privileges: There should be administrator, user, and guest accounts with proper authorization.
- Classification of Information: categorize information as top secret, proprietary, for internal use only, for public use, etc.
- Incident Response: there should be clear guidelines, and a defined reporting path, for reacting to a suspected social engineering attempt.
- Background Check and Proper Termination Process: insiders with a criminal background and terminated employees are easy targets for procuring information.
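The password-policy bullets above (length and complexity, lockout after failed attempts) are the one part of this countermeasure list that is enforced in code rather than by people. The following is an added example, not code from the original page: a small in-memory authenticator that rejects weak passwords at registration, stores salted PBKDF2 hashes, and locks an account after MAX_FAILURES consecutive failures for LOCKOUT_SECONDS. The limits, the tiny "breached password" blocklist and the user names are assumptions chosen for the demonstration; a real deployment would check against a full breached-password corpus.

```python
import hashlib
import hmac
import os
import time

# Assumed policy values for this example.
MIN_LENGTH = 12
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ROUNDS = 200_000
# Constructed stand-in for a breached/common password list.
COMMON_PASSWORDS = {"password", "password123", "welcome1", "qwerty123456", "letmein12345"}


def check_password_policy(username, password):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common/breached password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    classes = sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class ManualClock:
    """Settable clock so lockout expiry can be exercised without sleeping."""
    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t


class Authenticator:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.users = {}     # username -> (salt, digest)
        self.state = {}     # username -> {"count": failures, "locked_until": timestamp}

    def register(self, username, password):
        problems = check_password_policy(username, password)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        self.users[username] = hash_password(password)
        self.state[username] = {"count": 0, "locked_until": 0.0}

    def login(self, username, password):
        """Return 'ok', 'denied' or 'locked'. Unknown users get 'denied', never a distinct answer."""
        state = self.state.get(username)
        if state is None:
            # Run the hash anyway so response time does not reveal which names exist.
            hash_password(password, b"\x00" * 16)
            return "denied"
        now = self.clock()
        if now < state["locked_until"]:
            return "locked"
        salt, stored = self.users[username]
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, stored):
            state["count"] = 0          # success clears the failure streak
            return "ok"
        state["count"] += 1
        if state["count"] >= MAX_FAILURES:
            state["count"] = 0
            state["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


if __name__ == "__main__":
    clock = ManualClock()
    auth = Authenticator(clock=clock)
    auth.register("alice", "Correct-Horse-Battery-9")
    print("weak password problems:", check_password_policy("alice", "password123"))
    print([auth.login("alice", "wrong") for _ in range(MAX_FAILURES)])
    print("correct password while locked:", auth.login("alice", "Correct-Horse-Battery-9"))
    clock.t += LOCKOUT_SECONDS + 1
    print("after lockout expires:", auth.login("alice", "Correct-Horse-Battery-9"))
```

Two details matter for the social-engineering case specifically: a caller who "forgot their password" cannot talk their way past the lockout (the helpdesk must follow the reset procedure instead), and the identical "denied" answer for unknown and wrong-password users keeps an attacker from enumerating valid accounts during the research phase.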
Identity Theft: Countermeasures
- Secure or shred all documents containing private information.
- Ensure your name is not on marketers' mailing lists; opt out of pre-approved credit offers.
- Review your credit reports and card statements regularly.
- Never give out personal information over the phone in response to an incoming call.
- To keep your mail secure, empty the mailbox promptly.
- Suspect and verify all the requests for personal data.
- Protect your personal information from being publicized.
- Do not display account/contact numbers unless mandatory.