As we mentioned in our blog about the top cyber security threats of 2016, proper employee training on security best practices is essential for avoiding social engineering attacks such as phishing. As it turns out, employee missteps are a common factor in phishing incidents. With the rapid pace of technological change and the fast-paced lifestyle of many businesses, one factor seems to be constantly overlooked across the board: the human factor.
Addressing the fact that human error is a leading cause of security incidents should be a high-priority concern for businesses this National Cyber Security Awareness Month. In the realm of data and cyber security, people are usually the weakest link, and oftentimes it isn’t until there is a serious incident that we become aware of these shortcomings. Companies will put in place security policies that address every aspect of their cyber security landscape, but will either neglect or overlook how simple human error or misdirection can totally negate such policies.
Social Engineering: The Human Key to Your Network
Social engineering is possibly one of the oldest and craftiest ways to steal or gain access to confidential information. Even before the advent of the World Wide Web, people were using social engineering to lie, swindle, and steal whatever they wanted. In the context of information security, social engineering is a method of manipulating people into giving up confidential information and breaking security procedures; it hinges solely on human interaction.
Here’s how it works: a hacker (or social engineer) calls a company pretending to be an employee in need of confidential information, like financial credentials or a particular password. Social engineering relies on people’s willingness to be helpful, because it’s far easier to convince someone to give you a password than it is to try and hack into an account. Oftentimes, hackers will leverage information about the target that they already have, like a personal address or the last four digits of a payment card. This makes it more likely that the victim of the attack, usually an unwitting employee, will give up the confidential information to the attacker posing as a trusted source.
Pro Tip: Oftentimes, attackers will look to social media profiles first to obtain personally identifiable information about the individuals they’re targeting. Remember these security risks when posting personal information on social media.
The key here is the human factor. Think of it this way: many of us have a much different attitude when we work with people compared to when we work with machines. This is part of human evolution: because we are inherently social animals, we respond to social cues. Most people probably don’t give a second thought to hanging up on a robo-call without listening to the full message, but if another person is on the other end, people will naturally pause and engage in some form of communication (nice or not).
In addition to fraudulent phone calls that heavily rely on human nature, there are other forms of social engineering attacks to which untrained employees become victims and wind up putting their entire business at risk:
Pretexting is a form of social engineering in which the attacker makes claims under a false pretext (i.e. lying) to gain access to sensitive data. The attacker creates a fake persona, which may or may not use legitimate references to make the persona seem credible. They then craft a lie to gain access to confidential information; for example, they may say they are in a rush and need the target to forward important financial information. The email message from the fake address may include an attachment that contains malware. Other times, the fake email involves the social engineer impersonating an individual known to the target company and asking for money.
Phishing attacks also involve the attacker sending an email from a seemingly legitimate email address. The purpose of phishing is to get the recipient to provide confidential data or to trick them into installing malware by clicking on an unsafe link or attachment. Spear phishing is when a social engineer targets a specific individual.
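The pretexting and phishing paragraphs above both come down to a sender address that only looks legitimate. The following Python script is an added example, not code from the original post or from NuHarbor Security: it reads a few constructed e-mail headers and flags three common tells that awareness training teaches people to spot, namely a display name that pretends to be an address at the company's domain, a sender domain that imitates the company's domain (digit-for-letter swaps, the trusted name used as a subdomain, one character off), and a Reply-To that points somewhere other than the From domain. The trusted domain example.com, the sample messages, and the heuristics themselves are assumptions made for the example.

```python
"""Flag common phishing tells in e-mail headers (added example, not the
original post's code). Trusted domain and sample messages are constructed."""
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organisation's own domain(s); adjust for your environment.
TRUSTED_DOMAINS = {"example.com"}

# Characters attackers substitute for letters in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed sample messages; none of these are real mail.
SAMPLES = {
    "legit": "From: Jane Doe <jane@example.com>\nSubject: Q3 numbers\n\nSee attached.\n",
    "display_name": '"jane@example.com" is only the display name here\n'.join(
        ["From: ", " <jane.doe.1987@webmail.test>\nSubject: urgent wire\n\nSend the account details.\n"]
    ),
    "lookalike": "From: Jane Doe <jane@examp1e.com>\nSubject: password reset\n\nClick the link.\n",
    "reply_to": "From: Jane Doe <jane@example.com>\nReply-To: billing@invoices-now.test\n"
                "Subject: invoice\n\nPay here.\n",
}
# Build the display-name sample plainly so the header is easy to read.
SAMPLES["display_name"] = (
    'From: "jane@example.com" <jane.doe.1987@webmail.test>\n'
    "Subject: urgent wire\n\nSend the account details.\n"
)


def edit_distance(a, b):
    """Levenshtein distance; fine for short domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_trusted(domain):
    """The trusted domain itself or any subdomain of it (mail.example.com)."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def is_lookalike(domain):
    """True when the domain is not trusted but imitates a trusted one."""
    if not domain or is_trusted(domain):
        return False
    # Undo digit-for-letter swaps and treat '-' like '.' (example-com.net).
    normalised = domain.translate(CONFUSABLES).replace("-", ".")
    for trusted in TRUSTED_DOMAINS:
        # Trusted name used as a leading label: example.com.evil.test
        if normalised.startswith(trusted + "."):
            return True
        # Identical after normalisation, or a single character off.
        if edit_distance(normalised, trusted) <= 1:
            return True
    return False


def analyse(raw_message):
    """Return the list of tells found in one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    name, address = parseaddr(msg.get("From", ""))
    from_domain = domain_of(address)
    findings = []
    lowered = name.lower()
    # Display name claims to be an address or names our domain, but the
    # real sender is elsewhere: "jane@example.com" <someone@webmail.test>
    if not is_trusted(from_domain) and (
        "@" in lowered or any(t in lowered for t in TRUSTED_DOMAINS)
    ):
        findings.append("display_name_spoof")
    if is_lookalike(from_domain):
        findings.append("lookalike_domain")
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(parseaddr(reply_to)[1]) != from_domain:
        findings.append("reply_to_mismatch")
    return findings


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:13s} -> {analyse(raw) or ['no findings']}")
```

The checks are deliberately simple header heuristics, the kind a mail gateway rule or a user-facing banner might apply; they complement rather than replace authentication mechanisms such as SPF, DKIM and DMARC, and a clean result does not mean a message is safe.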
When an attacker leaves a physical device infected with malware for a person to find and connect to their computer, it is known as baiting. The social engineer intentionally leaves the physical device, like a flash drive, in an obvious place where an unsuspecting victim will find it. The victim, completely unaware of the nature of the device, allows their curiosity to get the better of them and plugs the device into their machine. Malicious code on the device will then execute itself once it has detected that it is connected, and proceed to infect, vandalize, steal from, or destroy the victim’s machine (USB devices known as “USB Killers” or “kill sticks” are specifically designed to fry whatever computer or port they are plugged into).
Preventing Social Engineering Attacks
Making sure that current security policies are adequate to cover human error is only part of the issue because, ultimately, it requires at least some level of involvement from the people who are expected to carry them out. This calls for adequate employee training. According to the Global State of Information Security of 2017, 38% of businesses are making privacy training and awareness among employees a top priority, because organizations that prioritize employee training will be better prepared to protect against common social engineering attacks. Don’t let human error impact your business: prepare employees by warning them about the signs and dangers of social engineering attacks.
by Paul (P-Rex) Kiripolsky
Paul graduated from UVM with a Bachelor of Science in Computer Science and works as a Security Engineer with NuHarbor Security. Paul is part of the managed services team and works closely with clients to help monitor, report, and build out their cyber security systems to make sure that they are aligned with their goals and needs.