Masters of Computer Science Cyber Security

Social Engineering Explained in Simple Way

  • Social engineering is the art of convincing people to reveal confidential information.
  • Common targets of social engineering include help desk personnel, technical support executives, system administrators, etc.
  • Social engineers depend on the fact that people are unaware of the value of their information and are careless about protecting it.

Social Engineering: Behaviors Vulnerable to Attacks

  • The human tendency to trust is the basis of any social engineering attack.
  • Ignorance about social engineering and its effects among the workforce makes the organization an easy target.
  • Social engineers lure targets into divulging information by promising something for nothing (greed).
  • Targets are asked for help and comply out of a sense of moral obligation.

Social Engineering: Factors that Make Companies Vulnerable to Attacks

  • Insufficient security training.
  • Unregulated access to information.
  • Several organizational units.
  • Lack of security policies.

Social Engineering: Why Social Engineering Is Effective?

  • Security policies are only as strong as their weakest link, and humans are the most susceptible factor.
  • It is difficult to detect social engineering attempts.
  • There is no method to ensure complete security from social engineering attacks.
  • There is no specific software or hardware for defending against a social engineering attack.

Social Engineering: Phases in a Social Engineering Attack

  • Research on Target Company: Dumpster diving, websites, employees, company tours, etc.
  • Select Victim: Identify frustrated employees of the target company.
  • Develop Relationship: Build a relationship with the selected employees.
  • Exploit the Relationship: Collect sensitive account and financial information, and details of current technologies.

Types of Social Engineering

Human-based Social Engineering

Gathers sensitive information through direct interaction.

  • Impersonation: The most common human-based social engineering technique, in which the attacker pretends to be a legitimate or authorized person.
  • Attackers may impersonate a legitimate or authorized person either in person or through a communication medium such as phone, email, etc.
  • Posing as a legitimate end user: Give an identity and ask for the sensitive information.
  • Posing as an important user: Pose as a VIP of the target company, a valuable customer, etc.
  • Posing as technical support: Call as technical support staff and request IDs and passwords to "retrieve data".

Computer-based Social Engineering

Social engineering carried out with the help of computers.

  • Pop-up Windows: Windows that suddenly pop up while surfing the Internet and ask for the user's information to log in or sign in.
  • Hoax Letters: Emails that issue warnings to the user about new viruses, Trojans, or worms that may harm the user's system.
  • Chain Letters: Emails that offer free gifts such as money and software on the condition that the user forwards the mail to a stated number of people.
  • Instant Chat Messenger: Gathering personal information by chatting with a selected online user to obtain details such as birth dates.
  • Spam Email: Unwanted, unsolicited email used to collect financial information, social security numbers, and network information.
  • Phishing.

Mobile-based Social Engineering

Carried out with the help of mobile applications.

  • Using SMS.

Impersonation on Social Networking Sites

  • Malicious users gather confidential information from social networking sites and create accounts in others' names.
  • Attackers use others' profiles to create large networks of friends and extract information using social engineering techniques.
  • Attackers try to join the target organization's employee groups, where members share personal and company information.
  • Attackers can also use the collected information to carry out other forms of social engineering attacks.

Social Engineering on Facebook

  • Attackers create a fake user group on Facebook identified as "Employees of" the target company.
  • Using a false identity, the attacker then proceeds to "friend", or invite, employees to the fake "Employees of the company" group.
  • Users join the group and provide details such as date of birth, educational and employment backgrounds, spouses' names, etc.
  • Using the details of any one employee, an attacker can compromise a secured facility to gain access to the building.

Identity Theft

  • Identity theft occurs when someone steals your personally identifiable information for fraudulent purposes.
  • It is a crime in which an impostor obtains personal identifying information such as name, credit card number, social security or driver's license number, etc. to commit fraud or other crimes.
  • Attackers can use identity theft to impersonate employees of a target organization and physically access the facility.

Social Engineering: Countermeasures

  • Good policies and procedures are ineffective if they are not taught to and reinforced among employees.
  • After receiving training, employees should sign a statement acknowledging that they understand the policies.
  • Password Policies:
    • Periodic password change.
    • Account blocking after failed attempts.
    • Length and complexity of passwords.
    • Secrecy of passwords.
  • Physical Security Policies:
    • Identification of employees by issuing ID cards, uniforms, etc.
    • Escorting visitors.
    • Access area restrictions.
    • Proper shredding of unneeded documents.
  • Training: An effective training program should cover all security policies and methods to increase awareness of social engineering.
  • Operation Guidelines: Make sure sensitive information is secured and resources are accessed only by authorized users.
  • Access Privileges: There should be administrator, user, and guest accounts with proper authorization.
  • Classification of Information: Categorize information as top secret, proprietary, for internal use only, for public use, etc.
  • Proper Incident Response: There should be proper guidelines for reacting in case of a social engineering attempt.
  • Background Check and Proper Termination Process: Insiders with a criminal background and terminated employees are easy targets for procuring information.
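The password-policy items above (length and complexity, account blocking after failed attempts, periodic change, secrecy of stored passwords) are the part of this list that maps directly onto code. The following is an added example, not material from the original page or from ICT Byte: a small in-memory authentication store that enforces those four points. The concrete thresholds (12-character minimum, three character classes, lockout after 5 failures for 15 minutes, 90-day maximum age) are constructed assumptions for the illustration, not values the page specifies.

```python
"""Password policy and lockout checks (added example; thresholds are assumed)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

MIN_LENGTH = 12                 # assumed minimum password length
MIN_CLASSES = 3                 # assumed: lower/upper/digit/symbol, need 3 of 4
MAX_FAILED = 5                  # assumed failed attempts before lockout
LOCKOUT_SECONDS = 15 * 60       # assumed lockout duration
MAX_PASSWORD_AGE = 90 * 86400   # assumed periodic-change interval (90 days)


def check_complexity(password: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < MIN_CLASSES:
        problems.append(f"needs at least {MIN_CLASSES} of: lower, upper, digit, symbol")
    return problems


def _hash(password: str, salt: bytes) -> bytes:
    # Secrecy of passwords: only a salted, slow hash is ever stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    changed_at: float       # when the password was last set
    failed: int = 0         # consecutive failed attempts
    locked_until: float = 0.0


class AuthStore:
    def __init__(self):
        self.accounts = {}

    def set_password(self, user: str, password: str, now: float = None) -> None:
        """Length and complexity: reject a password that violates the policy."""
        problems = check_complexity(password)
        if problems:
            raise ValueError("; ".join(problems))
        now = time.time() if now is None else now
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, _hash(password, salt), now)

    def login(self, user: str, password: str, now: float = None) -> str:
        """Return one of 'ok', 'expired', 'denied', 'locked'."""
        now = time.time() if now is None else now
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"     # same answer as a wrong password; don't reveal valid usernames
        if now < acct.locked_until:
            return "locked"     # account blocking after failed attempts
        if hmac.compare_digest(_hash(password, acct.salt), acct.digest):
            acct.failed = 0
            if now - acct.changed_at > MAX_PASSWORD_AGE:
                return "expired"   # periodic password change enforced at login
            return "ok"
        acct.failed += 1
        if acct.failed >= MAX_FAILED:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    store = AuthStore()
    store.set_password("alice", "Correct-Horse-Battery-9")
    for guess in ["wrong"] * MAX_FAILED:
        print(store.login("alice", guess))   # denied x4, then locked
    print(store.login("alice", "Correct-Horse-Battery-9"))   # locked: even the right password waits
```

Two design points worth noting: an unknown user and a wrong password both return "denied", so the login prompt does not confirm which usernames exist (a small but useful defense against the reconnaissance phase described earlier), and a lockout applies to correct passwords too, which is what makes "account blocking after failed attempts" effective against guessing.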

Identity Theft: Countermeasures

  • Secure or shred all documents containing private information.
  • Ensure your name is not present on marketers' hit lists.
  • Review your credit card statements regularly.
  • Never give out personal information over the phone.
  • To keep your mail secure, empty the mailbox promptly.
  • Suspect and verify all requests for personal data.
  • Protect your personal information from being publicized.
  • Do not display account/contact numbers unless mandatory.

About Author

ICT Byte