Unlike a virus, which uses malicious code, social engineering relies on human psychology. Used skilfully, it can give an attacker access to data, systems and even buildings. What makes social engineering particularly dangerous is that it exploits human error rather than vulnerabilities in software and operating systems.
Social engineering is the term for a wide range of malicious activities carried out through human interaction. It uses psychological manipulation to trick users into making security mistakes or giving away confidential information. Social engineering attacks take place in one or more stages. The perpetrator first investigates the victim to gather the information needed to launch an attack, such as potential entry points and weak security processes. The attacker then tries to gain the victim's trust and provide incentives for further actions that break security practices, such as revealing confidential information or granting access to critical resources.
The purpose of a social engineering assessment is twofold: to test employees' reactions in order to determine the company's vulnerability to such attacks, and to make employees aware of these attacks through concrete situations they will remember. Before such an assessment, it is worth answering the following questions:
- What are the main threats to the company? (threat modeling)
- Is a blackbox (external attack) or greybox (internal or employee-supported attacker) approach preferred?
- For a greybox audit: who in the company has access to this information or permissions? What categories of workers are most at risk?
- Are there any specific limitations to the audit? (attack methods or scenario categories to be excluded)
- What is the preferred attack scenario: phishing, vishing or baiting?
Phishing is a form of social engineering. Phishing attacks use e-mail or websites to obtain personal information by claiming to be a trustworthy organization. For example, an attacker might send an e-mail ostensibly from a reputable credit card company or financial institution asking for account information, often implying that there is a problem. When users respond with the requested information, attackers can use it to gain access to their accounts.
Vishing is a social engineering method that uses voice communication. It can be combined with other forms of social engineering that trick the victim into calling a specific number and revealing confidential information. Advanced vishing attacks can take place entirely over voice, using Voice over Internet Protocol (VoIP) services. VoIP makes it easy to spoof the caller ID, which lets the attacker exploit the victim's mistaken belief about who is calling.
Baiting attacks, as the name suggests, use a "false promise" to arouse the victim's greed or curiosity. They lure users into a trap that steals their personal data or infects their systems with malware.
The most effective form of this type of attack uses physical media. For example, attackers leave the bait – usually malware-infected flash drives – in prominent locations where potential victims are certain to see them (e.g. bathrooms, elevators, target company’s parking lot).
- Be suspicious of unsolicited phone calls, visits or e-mails from people asking about employees or other internal information. If an unknown person claims to be from a legitimate organization, verify their identity directly with that organization.
- Do not provide personal data or information about your organization, including its structure or network, unless you are sure the person is authorized to have it.
- Do not reveal personal or financial information in e-mail messages, and do not reply to e-mail messages that ask for such information. The same applies to following links sent in an e-mail.
- Do not submit sensitive information over the Internet until you have checked the site's security. Pay attention to the website's URL: look for URLs that begin with "https" rather than "http", and for the closed padlock icon. Both indicate that your data will be encrypted in transit, though not that the site itself is legitimate.
- If you are unsure whether an e-mail requesting information is genuine, verify it by contacting the business directly. Do not use the contact information provided on the website related to the request; instead, take it from previous statements.
- Install and maintain anti-virus software, firewalls and e-mail filters to reduce some of this traffic.
- Use any anti-phishing features offered by your e-mail client and web browser.
- Enforce multi-factor authentication (MFA).
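One way to automate the URL checks in the advice above, as an added example that is not code from the original article: it extracts the links from an e-mail body and flags those that are not https, point outside the expected organisation's domain, or show a visible address different from the real target. The e-mail body and the domain names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail (not from the original post): a "bank" message whose
# visible link text hides where the link really points.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, a problem was detected with your account.</p>
<p>Please log in at <a href="http://secure-login.example-bank.co/verify">
https://www.example-bank.com/login</a> to confirm your details.</p>
<p>Statements: <a href="https://www.example-bank.com/statements">statements</a></p>
"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(value):
    """Lower-cased hostname of a URL or of a URL-looking string such as www.x.y."""
    parsed = urlparse(value if "://" in value else "https://" + value)
    return (parsed.hostname or "").lower()

def triage_links(html_body, trusted_domain):
    """Return (href, reasons) for every link a reader should not follow."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        reasons = []
        if urlparse(href).scheme != "https":          # advice: expect https, not http
            reasons.append("not https")
        host = _host(href)
        if host != trusted_domain and not host.endswith("." + trusted_domain):
            reasons.append("host is not the expected organisation")
        if text.startswith(("http://", "https://", "www.")) and _host(text) != host:
            reasons.append("link text shows a different address")   # display/target mismatch
        if reasons:
            findings.append((href, reasons))
    return findings
```

Run `triage_links(SAMPLE_EMAIL_HTML, "example-bank.com")` to see only the first link reported, with all three reasons.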