A Social Engineering attack is the art of manipulating people into doing something, rather than breaking in by technical means. These attacks are not only becoming more common but more realistic in nature as well. In fact, you might be a victim right now and not know it yet!
“People inherently want to be helpful and therefore are easily duped” – Kevin Mitnick
The attacker pretends to be a legitimate person and uses a communication medium such as phone or email to impersonate an authorized entity. Consequently, the target reveals sensitive or confidential information to the attacker without being aware of it. US security firm FireEye analyzed 1.3 billion e-mails and detected an increase in three main types of Social Engineering attacks – spoofed phishing attempts, HTTPS encryption in URL-based attacks, and cloud-based attacks. According to Cybersecurity statistics 2019, 98% of cyber-attacks are based on Social Engineering. 60% of IT professionals claim that new hires are at high risk of these attacks. It also mentioned that half of all data breaches globally are predicted to occur in the United States. It is also said that spending on Cybersecurity will reach $1 Trillion by 2020.
Types of Social Engineering
- Quid Pro Quo – Something for something: call random numbers at a company, claiming to be from technical support.
- Fraudulently obtaining private information – Send an email that looks like it came from a legitimate business.
- Real-world trojan horse – The attacker leaves a malware-infected CD or USB drive in a location where it is sure to be found.
- Invented scenario – Prior research is used to establish legitimacy.
- Diversion theft – A con: persuade a delivery person that the delivery is requested elsewhere (“round the corner”).
Humans are the weakest link in the security chain; they are more vulnerable than computers. On Twitter and LinkedIn, we can see social engineering attacks in the form of job posts or other posts where people are encouraged to comment, like, retweet, and share their phone numbers and email ids.
Social Engineering countermeasures
Follow password policies such as periodic password change, avoiding guessable passwords, enforcing password complexity, and keeping passwords secret. Physical security policies such as escorting visitors, restricting access areas, properly shredding unneeded documents, and employing security personnel should be implemented. Proper security training is another important measure to be implemented. A disaster recovery plan should be properly planned and implemented. Social Engineering cannot be blocked by technology alone.
Remember – “It’s all about gaining access to information that people think is innocuous when it isn’t.”
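Technology cannot block social engineering on its own, but it can surface the spoofed phishing attempts the post mentions so that trained people get a warning before they act. The following is an added example, not code from the original post or from LIFARS: a small triage helper that parses raw e-mail headers and flags the common signs of a message that merely looks like it came from a legitimate business (a display name invoking a known brand while the address belongs to another domain, a Reply-To or Return-Path pointing elsewhere, and body links to lookalike domains, which HTTPS does nothing to prevent). The brand list, domain names, and both sample messages are constructed for this example.

```python
"""Screen raw e-mail text for sender-spoofing indicators (added example)."""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Constructed allow-list: brand names that appear in display names, mapped to
# the one domain each brand legitimately sends from. A real deployment would
# maintain this from its own mail-authentication data.
KNOWN_BRANDS = {
    "acme bank": "acmebank.example",
    "corp it support": "corp.example",
}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def domain_of(addr: str) -> str:
    """Lowercase domain part of an address header value ('' if none)."""
    _, address = parseaddr(addr)
    return address.rpartition("@")[2].lower()


def looks_like(domain: str, legit: str) -> bool:
    """Cheap lookalike test: 'domain' differs from 'legit' but contains its
    leading label, e.g. acmebank-secure.example or acmebank.example.evil."""
    label = legit.split(".")[0]
    return domain != legit and label in domain


def screen_message(raw: str) -> list[str]:
    """Parse one RFC 5322 message and return the spoofing indicators found."""
    msg = Parser(policy=policy.default).parsestr(raw)
    from_hdr = str(msg.get("From", ""))
    display_name, _ = parseaddr(from_hdr)
    from_domain = domain_of(from_hdr)
    findings: list[str] = []

    # 1. Display name invokes a brand, but the address is not that brand's domain.
    for brand, legit in KNOWN_BRANDS.items():
        if brand in display_name.lower() and from_domain != legit:
            findings.append(f"display name claims '{brand}' but sender domain is {from_domain}")
        if looks_like(from_domain, legit):
            findings.append(f"sender domain {from_domain} resembles {legit}")

    # 2. Replies or bounces would go somewhere other than the apparent sender.
    for hdr in ("Reply-To", "Return-Path"):
        other = domain_of(str(msg.get(hdr, "")))
        if other and other != from_domain:
            findings.append(f"{hdr} domain {other} differs from From domain {from_domain}")

    # 3. Body links point at lookalike domains; a padlock icon is not a signal of legitimacy.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for host in sorted({h.lower() for h in URL_RE.findall(text)}):
        for legit in KNOWN_BRANDS.values():
            if looks_like(host, legit):
                findings.append(f"link host {host} resembles {legit}")
    return findings


# Constructed sample messages (all domains are .example placeholders).
SPOOFED = """\
From: "Acme Bank Security" <alerts@acmebank-secure.example>
Reply-To: helpdesk@mail-relay.example
To: employee@corp.example
Subject: Urgent: verify your account
Content-Type: text/plain; charset="utf-8"

Please confirm your details at https://acmebank.example.verify-login.example/portal
"""

LEGIT = """\
From: "Acme Bank" <alerts@acmebank.example>
To: employee@corp.example
Subject: Your monthly statement is ready
Content-Type: text/plain; charset="utf-8"

Your statement is available at https://acmebank.example/statements
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGIT)):
        print(label, "->", screen_message(raw) or ["no indicators"])
```

Each indicator on its own is weak (mailing-list relays legitimately rewrite Return-Path, for instance), so the output is meant to feed a reviewer or a scoring rule, not to quarantine mail automatically; the point the post makes still stands, since a message with no indicators can still be a convincing pretext that only a trained recipient will question.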
Contact LIFARS For Security Awareness Services!