Search

Social Engineering

This Article Written by Trainee Rayan Alsuhaibani From King Saud University #KSU



What is Social Engineering?

  • The hacking of humans, using knowledge of human behavior to elicit a defined response.

Or

  • Manipulation of a user into revealing confidential information that are detrimental to that user or the security of our systems.

Why Social Engineering?

  • Approximately 98% of cyber attacks rely on social engineering.


  • Social Engineering is a component of the attack in nearly 1 of 3 successful data breaches, and it’s rising.



  • Social engineering attempts spiked more than 500% from the first to second quarter of 2018.

Common Attack Methods:

-Insider Threat.

-Pretexting.

-Dumpster Diving.

-Phishing.

-Enticement.

Insider Threat:

A person who works for or with an organization but has ulterior motives.

  • Might be one of the most dangerous threats to organizational security

  • An employee who steals information is an insider threat.

  • Data loss protection system can be used to help identify insider threats.

Pretexting:

Pretexting is a form of social engineering where attackers focus on creating a good pretext, or a fabricated scenario, that they use to try and steal their victim’s personal information.

  • Common as a fraudulent phone calls to unaware targets, such as (reception desks).

  • Might as well be used to setup other attacks, such as facility entry/break in or phishing.

  • Can be avoided by providing employees awareness or education programs and establishing policies to handle suspicious pretexters.

Dumpster Diving:

If not discarded in a proper way, sensitive information may be discovered by attackers in dumpsters or trash bins.

  • Printed emails, reports, credit cards receipts…etc.

  • Network/application diagrams, device inventory with IP addresses.

  • Can be avoided by using shredders for paper disposals and establishing proper disposal policies.

Phishing:

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity

  • The email might ask you to update account information.

  • Unfamiliar layout/design.

  • The hyperlinks provided are unfamiliar.

  • Common baits: “Sweet deals”, “free stuff” ,”Limited time offers”.

  • Can be prevented by using multi-factor authentication, and enforcing user training.

Enticement/Baits:

Common as an attacker leaves a USB thumb drive or a CD within the organization’s premises with a key word such as Confidential/Secret.

  • Humans are curious by nature.

  • Probably has a malware in it named (secret stuff), uneducated employees would open it without caution, thus affecting a workstation inside the local net, or the whole network.

  • If succeeded might be fatal to a network.

Helpful Tips:

  • Enforce strong disposal policies.

  • Limit facility ingress/egress points.

  • Implement proper technology to screen emails and websites for attacks.

  • User training and education plays a major role in preventing most social engineering attacks

References:

  • Wikipedia : https://en.wikipedia.org/wiki/Social_engineering_(security)

  • Purple sec: https://purplesec.us/resources/cyber-security-statistics

  • Pratum’s slide share: https://www.slideshare.net/IntegritySRC/what-is-social-engineering-an-illustrated-presentation-70347323