Social Engineering By Rayan Alsuhaibani

July 8, 2020

 

This article was written by trainee Rayan Alsuhaibani from King Saud University #KSU

What is Social Engineering?

  • The hacking of humans, using knowledge of human behavior to elicit a defined response.

Or

  • Manipulation of a user into revealing confidential information that is detrimental to that user or to the security of our systems.

Why Social Engineering?

  • Approximately 98% of cyber attacks rely on social engineering.

  • Social engineering is a component of the attack in nearly 1 of 3 successful data breaches, and it's rising.

  • Social engineering attempts spiked more than 500% from the first to the second quarter of 2018.

Common Attack Methods:

  • Insider Threat.

  • Pretexting.

  • Dumpster Diving.

  • Phishing.

  • Enticement.

Insider Threat:

A person who works for or with an organization but has ulterior motives.

  • Might be one of the most dangerous threats to organizational security.

  • An employee who steals information is an insider threat.

  • A data loss prevention (DLP) system can be used to help identify insider threats.

Pretexting:

Pretexting is a form of social engineering where attackers focus on creating a good pretext, or a fabricated scenario, that they use to try and steal their victim’s personal information.

  • Commonly carried out as fraudulent phone calls to unaware targets, such as reception desks.

  • May also be used to set up other attacks, such as facility entry/break-in or phishing.

  • Can be avoided by providing employee awareness or education programs and establishing policies for handling suspicious pretexters.

Dumpster Diving:

If not discarded in a proper way, sensitive information may be discovered by attackers in dumpsters or trash bins.

  • Printed emails, reports, credit card receipts, etc.

  • Network/application diagrams, device inventory with IP addresses.

  • Can be avoided by using shredders for paper disposal and establishing proper disposal policies.

Phishing:

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity.

  • The email might ask you to update account information.

  • Unfamiliar layout/design.

  • The hyperlinks provided are unfamiliar.

  • Common baits: "Sweet deals", "free stuff", "Limited time offers".

  • Can be prevented by using multi-factor authentication and enforcing user training.
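The indicators listed above (unfamiliar hyperlinks, link text that does not match where the link really goes, and bait phrases) can be checked mechanically by a mail filter. The following is an added example written for this article, not code from the original author; the trusted-domain list, the bait phrase list and the sample message are all constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Bait phrases from the article plus the "update your account" lure (assumed list).
BAIT_PHRASES = ("sweet deal", "free stuff", "limited time offer", "update your account")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Return the lowercase hostname of a URL (or bare domain), '' if none."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def phishing_indicators(html_body, trusted_domains):
    """Return human-readable findings for the indicators the article lists."""
    findings = []
    collector = _LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        href_host = host_of(href)
        # Only treat the visible text as a domain when it looks like one.
        text_host = host_of(text) if "." in text and " " not in text else ""
        if text_host and text_host != href_host:
            findings.append(f"link text {text!r} actually points to {href_host}")
        elif href_host and not any(href_host == d or href_host.endswith("." + d)
                                   for d in trusted_domains):
            findings.append(f"unfamiliar hyperlink to {href_host}")
    lowered = html_body.lower()
    findings.extend(f"bait phrase {p!r}" for p in BAIT_PHRASES if p in lowered)
    return findings


# Constructed sample message (not a real email): lure text plus a disguised link.
SAMPLE = ('<p>Limited time offer! Please visit <a href="http://login.bank-example.net/reset">'
          'https://bank.example/account</a> to update your account.</p>')
TRUSTED = ("bank.example",)
```

Running `phishing_indicators(SAMPLE, TRUSTED)` reports the mismatched link and both bait phrases, while a message whose links all stay on `bank.example` and carries no lure text returns an empty list.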