Social engineering is the very common practice of exploiting a human element to initiate and/or execute a cyberattack.
Human weakness and ignorance present such easy targets that fully 82% of the attacks in Verizon’s 2022 Data Breach Investigations Report were perpetrated, at least in part, via some form of social engineering.
In this article, we look at the forms of social engineering that are frequently used and best practices for limiting its effectiveness within the enterprise.
A dictionary definition of social engineering (in the context of cybersecurity) is “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.”
At the most basic, this includes the mass-market spamming of individual email accounts with a phishing attempt such as an offer for a free gift certificate from a well-known retailer. Consumers who click a link to a malicious website or open an infected file attachment and enter personal information may open themselves up to criminal exploitation.
For higher-value, enterprise targets, the technique can become quite a bit more elaborate — or remain stunningly simple.
Roger Grimes, data-driven defense evangelist at security awareness training vendor KnowBe4, calls it for what it is: a con, a scam. “It’s someone pretending to be a brand, company or person you would … trust more than if you know the message was being sent by a complete stranger trying to trick you into doing something that will impact you or your organization’s own interests,” he explained. “The desired actions are often to launch a malicious program, provide logon passwords, or to provide confidential content (e.g., social security number, banking information, etc.).”
The criminal uses psychological manipulation to trick the user into performing actions or divulging confidential information. Seven means of persuasive appeal, as outlined by Robert Cialdini in Influence: The Psychology of Persuasion, are commonly cited to explain why people are vulnerable when these appeals are applied in social engineering:
Many social engineering attempts come via email, but that is not the only channel. Social engineering is also accomplished via SMS messages, websites, social media, phone calls or even in person.
As Manos Gavriil, head of content at hacking training firm Hack The Box, points out, “Social engineering is considered the number one threat in cybersecurity, as it exploits individual human error, which makes it very hard to stop, and even the simplest forms of attack can have a devastating impact.”
Social engineering is accomplished in a variety of ways:
These types of attack are often combined or tweaked to incorporate new wrinkles:
However, social engineering doesn’t have to be sophisticated to be successful. Physical social engineering usually involves attackers posing as trusted employees, delivery and support personnel, or government officials such as firefighters or police. Another effective ploy is to leave a USB stick somewhere labeled “bitcoin wallet” or even, in a company parking lot or building toward the end of the year, “annual raises.”
As Igor Volovich, vice president of compliance for Qmulos, shares, “Recently, a pair of social media figures set out to prove that they could get into concerts by simply carrying a ladder and ‘acting official.’ They succeeded multiple times.”
Follow these best practices to thwart social engineering attempts within an organization:
According to Grimes, “If you create the right culture, you end up with a human firewall that guards the organization against attack.” Well-executed training and testing can help to create a culture of healthy skepticism, where everyone is taught to recognize a social engineering attack.
Systems should make it easy for personnel to report potential phishing emails and other scams to the help desk, IT or security. Such systems should also make life easy for IT by categorizing and summarizing reports. A phishing alert button can be placed directly into the company email program.
Social engineering is often intended to trick users into compromising their enterprise email and system access credentials. Requiring multiple identity verification credentials is one means of keeping such first-stage attacks from going further. With MFA, users might receive a text message on their phone, enter a code in an authenticator app, or otherwise verify their identity via multiple means.
Once a malicious actor gains access to a network, the next step is often to seek an administrative or privileged account to compromise, because that provides entry to other accounts and to significantly more sensitive information. It is therefore especially important that such accounts are granted only on an as-needed basis and are watched more carefully for abuse.
Along with MFA, additional authentication technology should be used to stop initial credential breaches from escalating to larger network intrusions. UEBA can recognize anomalous locations, login times and the like. If a new device is used to access an account, alerts should be triggered, and additional verification steps initiated.
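As an added illustration (not code from the article or any vendor named in it), the following script applies the kind of checks just described to a handful of constructed login events: it builds a per-user baseline of devices and countries from earlier logins, flags a login from an unseen device or country or outside an assumed fixed work-hours window, and marks new-device logins for additional verification.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login events for the example (not real log data).
EVENTS = [
    {"user": "alice", "ts": "2023-03-01T09:12:00", "device": "dev-a1", "country": "US"},
    {"user": "alice", "ts": "2023-03-02T10:05:00", "device": "dev-a1", "country": "US"},
    {"user": "alice", "ts": "2023-03-03T03:40:00", "device": "dev-zz", "country": "RO"},
    {"user": "bob",   "ts": "2023-03-01T14:00:00", "device": "dev-b1", "country": "US"},
    {"user": "bob",   "ts": "2023-03-02T15:30:00", "device": "dev-b1", "country": "US"},
]

# Assumed "normal" login hours (07:00-19:59); a real deployment would learn this per user.
WORK_HOURS = range(7, 20)


def evaluate_logins(events):
    """Return alerts for logins that deviate from each user's baseline.

    The baseline is built incrementally from earlier events, so a user's very first
    login establishes the baseline rather than being flagged as a new device/country.
    """
    seen_devices = defaultdict(set)
    seen_countries = defaultdict(set)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], datetime.fromisoformat(ev["ts"])
        reasons = []
        if seen_devices[user] and ev["device"] not in seen_devices[user]:
            reasons.append("new device")
        if seen_countries[user] and ev["country"] not in seen_countries[user]:
            reasons.append("new country")
        if ts.hour not in WORK_HOURS:
            reasons.append("off-hours login")
        # Update the baseline after evaluating, so later logins are compared to history.
        seen_devices[user].add(ev["device"])
        seen_countries[user].add(ev["country"])
        if reasons:
            # A new device triggers step-up verification; other anomalies raise an alert.
            action = "step-up verification" if "new device" in reasons else "alert"
            alerts.append({"user": user, "ts": ev["ts"], "reasons": reasons, "action": action})
    return alerts


if __name__ == "__main__":
    for alert in evaluate_logins(EVENTS):
        print(alert)
```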
Although far from perfect, secure email gateways cut down on the number of phishing attempts and malicious attachments that reach users.
Keeping current on releases, patches and upgrades cuts down on both the malicious social engineering attempts that reach users and the damage that occurs when users fall for a deception or otherwise make an erroneous click.
Short of that extreme, security personnel can become so paranoid that they institute a burdensome tangle of safeguards that slow down every process in the organization. A good example is the inefficient TSA checkpoints at every airport. The process has negatively impacted public perception about air travel. Similarly, in cybersecurity a balance between security and productivity must be maintained.
© 2023 VentureBeat. All rights reserved.