By Gigabit Systems, January 29, 2019 (20 min read)
With the help of the Internet, almost anything we could ask for is attainable at the touch of a button. Yet at what point should we begin to ask ourselves whether this is all too good to be true? It can very well become so if the Internet is not mindfully navigated.
Mindfully navigating the Internet means understanding its negative externalities. Among these is social engineering, which describes the practice of manipulating others into giving up confidential information and/or making a security mistake. The term is broad and encompasses a wide variety of malicious activities, but they have one thing in common: the intent to use psychological manipulation to trick users. For businesses of all sizes to put a firm halt to social engineering, organizations must understand how these schemes flourish and how they fail.
The Prevalence of Social Engineering
How does social engineering take off? More importantly, what gives attackers a platform to identify and manipulate their targets? Designing a convincing attack requires a good deal of research on the intended victim. The attacker gathers the background information needed to determine a point of entry, or in other words, how they will gain the intended victim’s trust and appear legitimate. Examples of exploiting personal data to gain trust include an attacker introducing themselves as a life insurance salesman to a parent, or as a human resources representative to a young professional.
Attackers are often looking to obtain any of the following from their victims: passwords, bank information, medical records, political affiliations, and the like. As previously stated, social engineering is rooted in psychological manipulation. This reliance on human error adds a layer of danger distinct from the conventional cyber-attack; with this breed of attack, the victim is in the driver’s seat. By working out your implicit biases and Internet habits ahead of time (via social media, public documents, and so on), attackers can effectively exploit your natural inclinations.
The Tactics of Social Engineers
Social engineering attackers often turn to e-mail to commit their crime. Consider a scenario with two friends, Jane and Stephanie. The attacker has managed to access Jane’s entire contact list and identified Stephanie’s information. Stephanie then receives a message offering a download of pictures, music, movies, documents, etc., or a link to a website that she is curious to visit. If Stephanie opens any of the attachments she thinks Jane sent her, she is now at risk of the same computer virus that Jane has. Falling into these traps can give the attacker access to your machine, e-mail, social network accounts, and so on, which can ultimately expose your entire network to the virus.
Another type of social engineering attack is baiting. Baiting uses a false premise to lure the victim into pursuing something they would presumably want. Digital bait can be found on peer-to-peer websites offering music and/or movie downloads, or in a link to win a free vacation. If a purchase is involved, victims might permanently lose the cost of that “item,” or in some extreme cases, their entire bank account. Physical baiting exists, too. Aside from enticing advertisements, some scenarios involve placing malware-infected flash drives in public. Similar to digital baiting, physical bait is frequently labelled as something thought-provoking, e.g. salary information.
How to Halt Social Engineering
To begin the discussion of how best to halt social engineering, let’s first examine two very public examples: one involving BlackRock, and the other involving the Associated Press. In the BlackRock case, unidentified attackers sent a series of fake communications to convince employees of the world’s largest asset management firm that their company was making a huge shift in investment strategy. These communications included emails, press releases, and a detailed website, all designed to “announce” CEO Laurence D. Fink’s dedication to environmental causes. In 2013, hackers gained access to the Associated Press’s Twitter account. Tweets of fake, frightening news caused the markets to tank and confused investors, government leaders, and the general public. Both examples show how any business, whether large or small, can fall short in defending itself against social engineering attacks.
While one hacker’s motivation may differ from the next, there is a series of measures every organization can adopt to ward off social engineers. One involves adopting best password practices. According to Bloomberg, six-letter passwords made up only of lower-case letters can be obtained by hackers within 10 minutes. Strong passwords should combine uppercase letters, lowercase letters, numbers, and symbols. It is also recommended not to use the same password for each and every one of your accounts, especially if many different accounts share the same username/e-mail address. You may also want to maintain a physical copy of your username and password combinations as a means of staying organized and motivated to uphold password security.
Furthermore, living in the digital age means acknowledging just how far-reaching social media has become. Social media gives anyone and everyone a platform (in fact, several platforms) to broadcast everything they say, think, or do. The more information available on an individual, the more likely it is that an attacker can use what they know about you to encourage a detrimental choice. When using social media, be careful what you share and with whom. Some measures include setting your accounts to private, limiting what you share and when you share it, and, above all, keeping your personal information to yourself.
Conclusion
Our world in 2019 is dependent on the Internet. With no sign of that slowing down, consumers must be aware of how and why their data might be used against them. Social engineering, the process by which an attacker psychologically manipulates identified victims, must be recognized and addressed through password security, mindful social media use, and education. By understanding the circumstances that enable social engineering attacks to thrive, together with the strategies used to curb them, Internet users can combat social engineering without having to give up the World Wide Web.
Learn more about the latest in cyber security by subscribing to our blog: https://www.gigabitsys.com/news