To protect their information, enterprises resort to a large set of technical measures: in the best case, a mix of detective and preventive ones. Current technologies come with embedded resources, which for instance can discover targeted data breaches with the help of machine learning, or detect malware by employing next-gen endpoint protection. But what if the attack targets people instead of technology? Or still worse, if your employees hand out sensitive data to the attacker, more or less willingly? You guessed – there is social engineering hidden behind. Read our experts’ tips on how to protect yourself effectively.
First of all, the cloud offers a whole host of advantages over conventional solutions. It's dynamic, agile, modern, available as DevOps and on-demand. The latter as needed in the dimensions of scaling, availability, time, etc. - and at clearly defined costs.
Man is the weakest link in the cyber security chain
Looking from the point of view of an attacker, the best way to sensitive data is invariably the one with the weakest resistance. If there is no technical vulnerability to exploit, there is always a worthwhile alternative: people.
That is exactly where social engineering picks up on. Man, and his innate “weaknesses”, are relentlessly exploited. Do you need a couple of examples of such vulnerabilities, with which an attacker can make himself busy and thus trigger specific reactions?
- Helpfulness: The attacker offers help in a problem that he created himself, but affects the victim. For instance, he “helps” the victim installing the newest antivirus software.
- Good faith: The attacker passes himself off as an employee of the HR department, who needs information on personal data.
- Creation of (financial) motivations: a hefty invoice is delivered to the victim, who is required to pay immediately. Often there is also the threat of sanctions.
- Emotions: A prize contest, with attractive awards, is a good example of a bait.
- Curiosity: The victim receives interesting data, for instance the assessment of some co-worker, or statistics on other employees’ online behaviour.
Grab the opportunity – but don’t waste time...
Want a real example? Jerry Careless finds in his mail a message that sounds attractive: “Win a trip to New York!”, promises the alleged HR team. But you have to hurry, because only the first 100 registrations will take part to the raffle. Sounds great! Who wouldn’t like to be one of the winners? Let’s go, then: it would be a pity to be the 101st. Just enter your user ID and password in this Web page… and just like Jerry, many other of the 500 recipients of the message do exactly the same…
For them, it was a blessing in disguise. Actually it was no real attack, but a social engineering audit done by our experts. However, the fear remains: you see how fast you can end up in the crosshair, and become the victim of an attack.
Why is Social Engineering so successful?
The huge advantage of social engineering attacks is that it doesn’t depend on the heterogeneous mix-up of technologies in the target enterprise. The attacker doesn’t have to invest any precious time in the identification and analysis of the enterprise’s IT components, and their potential vulnerabilities. Once the attacker has defined the target of his attack, off he goes. And people are incredibly helpful: under time pressure, often they forget the fundamentals of security behaviour.
An attack can be launched with the help of just a little information, which often is openly available on the target company’s Web site: e-mail addresses, telephone numbers. Social networks are good allies of social engineers: they carry information on enterprises and their employees, free for the taking, often for quite legitimate reasons.
Here’s how a social engineer works
Social Engineering can take place in the preparation of an attack, or the attack itself can consist of social engineering. So let’s start with looking into the actual phases of an attack:
- Information Gathering:
A skilled social engineer begins his attack by collecting information on his potential victim. Apart from the already mentioned, publicly available information, it cannot hurt if he puts together possibly more sensitive data on his target. This is exactly the first usage case for social engineering: that is, using telephone calls or targeted e-mails, the attacker can worm out internal information, such as contact data or organisational structures, which he will then use in the preparation of the actual attack, e.g. a CEO fraud (an attack targeted at soliciting a payment from the victim, who is usually at the management level of the enterprise).
- Preparation of the attack:
In this phase, the attacker prepares his tools for the execution of the attack. Depending on the method he chose, he will need e.g. a mail server to send out e-mails, or a Web server for the presentation of the Web site he prepared for the purpose.
- Execution of the attack:
The actual execution of an attack occurs after the preparation phase. As soon as the information has been collected, and the technology is ready, nothing is stopping the attack anymore. Social engineering can help in this phase too, for instance in its best-known form: the e-mail phishing. In our experience, however, a physical “visit” to the victim enterprise is also very promising. Often a simple pretext, for instance posing as a technician coming to fix the printer, can give easy access to the enterprise.
- Infection / Access:
The consequence of a successful attack, is that the victim’s network, and its sensitive information, are now accessible to the attacker. In the case of a phishing attack, the access can follow the use of the “phished” credentials, or the infiltration of a Trojan used in the attack. The latter may consist, for instance, of an “invoice”, that the victim receives in the e-mail, opens, and gets infected by.
- Conclusion and “Action on Objective”:This is where the attacker finds his actual benefit, and the victim the – often fatal – damage: for instance, reading or deleting data.
Do you suspect a social engineering attack? Here’s what you must do!
The most effective protection against social engineering consists of the security awareness of employees. Since people are at the center of this issue, people can stop this risk in the budding, by choosing the correct behaviour.
If a social engineering attack is suspected, you should never lose sight of the following points:
- Take a deep breath – even though at the time you feel put under strong pressure.
- Ask yourself: are my human weaknesses addressed? Or is a personal benefit being promised?
- Am I really communicating with the person, or the enterprise, with whom I believe I am communicating?
- If the answer to the second question is YES, and/or to the third one is NO: do not be afraid of telling the person straight away, that you are not giving away (or: are not allowed to give away) any sensitive information.
You can find even more tips for protecting yourself from social engineering in our free social engineering checklist. Download now!
The magic word is “Security Awareness”
Please never forget, that social engineering is totally independent from the underlying technology. The transport medium can be an e-mail, an SMS or a telephone call: it makes no difference. A healthy dose of scepticism can help uncover a social engineering attack.
An effective protection can only be achieved with the active support of employees, obviously including management. Therefore, it is important that the basic know-how is delivered through appropriate security awareness measures, to inform all personnel on possible dangers and risks, and make them consequently sensitive to the issues. This is the only way in which behaviours and settings can be changed with a lasting effect.
How much are you and your enterprise exposed to the risk?
Do you want to know what information about your enterprise can be found in the Internet, which can be abused in a social engineering attack? What “digital tracks” does your enterprise leave around, and how are they connected to company- and branch-specific threats?
Our Cyber Threat Intelligence Report provides you with a complete overview of your actual Internet-based threats. Call us now, and we will show you the view of an attacker on your company! You will be surprised, and ask yourself why you haven’t been attacked yet. Click here to take the offer:
Do you have questions about this post, or an actual problem? Then leave a comment or contact us directly. We are happy to hear from you, and we are ready to help you in all your needs with our professional expertise.