In the business world, many corporations install sophisticated defense systems to guard their systems from unauthorized access. However, these defenses overlook the information security risk associated with social engineering. Certainly, the biggest threat to the privacy of information in the current world is not technology, but the interaction between employees of an organization and other personnel that eventually results in security incidents. Employees who are unaware of the risk may unknowingly share vital information about the company’s business systems. In return, this may compromise the safety of the networks, as malicious attackers may use that information for personal gain. Employees have also used unethical means to extort vital company information, which exposes company data to malicious attack. These scenarios, together with other social engineering techniques, expose corporations to information security risk, therefore calling for the education of employees to minimize security breaches.
Social engineering is the psychological manipulation of individuals into divulging confidential information or performing certain actions. It is a type of confidence trick that purposefully targets fraud, the gathering of information, or system intrusion. In a majority of instances, the hacker has no direct contact with the victim. Social engineering, though it may have varied definitions, involves exploiting the common sense of individuals in order to acquire essential information such as passwords or IDs from employees who are unaware. It may involve mere trickery or deception of an individual in order to reveal secret information that provides access to the private information of an organization. Hackers often resort to this technique in cases where they have failed to gain access to the system through the available technical means (Ghafir et al. 2016, 145). It focuses on the psychology of human beings and their natural willingness to be helpful, and therefore easily acquires the essential information from the victims.
Strategies of Social Engineering Attacks
There are several techniques that social engineering hackers use to advance their attack. These methods can be physical or psychological. One of these techniques is baiting, in which attackers leave a device infected with malware in a strategic place where it is likely to be found by someone else. The device is often a USB flash drive; when it is found, the unaware victim is likely to plug it into their computer. In the process, the malware is installed, giving the attacker an opportunity to intrude into the victim’s network. The other technique is pretexting, which involves the use of falsehood to compel a victim to give access to sensitive data or strictly protected systems. The attacker may impersonate one of the company’s employees and in the process deceive the victim into divulging login credentials or enabling the attacker to gain access to the computer (Svehla et al. 2016, 1419).
Phishing is another social engineering technique commonly employed by hackers to gain access to company data. In this method, the attackers send a victim fraudulent communications that appear to be legitimate and from trusted sources. The recipient of the fraudulent communication permits the installation of malware on their device without their knowledge. They may also reveal personal or financial information that helps the hacker find a way to confidential information. The most popular mode of phishing is the use of email, but other media of communication such as social media, mobile phones, or websites designed to look legitimate are also used. The worst cases of phishing exploit the goodwill of people, especially during tragedies and disasters. The attackers urge people to offer financial support towards a particular cause by asking them to input personal as well as payment information.
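As an added illustration (not part of the original essay), the following Python scorer flags the phishing signals this paragraph describes: a display name that invokes a trusted organization while the mail comes from elsewhere, a look-alike sender or link domain, urgency language, and a request for personal or payment data, with a disaster appeal attached. The trusted-domain list and the sample messages are constructed for the example; the organization names and domains are assumptions.

```python
from dataclasses import dataclass, field

# Constructed allow-list: sender domain -> organisation name employees know it by.
TRUSTED = {"example-bank.com": "example bank"}
URGENCY = ("urgent", "immediately", "suspended", "within 24 hours")
DATA_REQUEST = ("card number", "password", "payment details", "date of birth")
DISASTER = ("hurricane", "earthquake", "relief fund", "victims")


@dataclass
class Message:
    display_name: str               # sender name shown by the mail client
    sender_domain: str              # domain of the actual From address
    body: str
    link_hosts: list = field(default_factory=list)  # hostnames of links in the body


def normalize(domain: str) -> str:
    """Undo common look-alike substitutions (1->l, 0->o, 3->e, dropped hyphen) before comparing."""
    return domain.lower().translate(str.maketrans({"1": "l", "0": "o", "3": "e", "-": ""}))


def is_lookalike(domain: str) -> bool:
    """Domain is not trusted itself but collapses onto a trusted one after normalization."""
    if domain.lower() in TRUSTED:
        return False
    return normalize(domain) in {normalize(t) for t in TRUSTED}


def phishing_indicators(msg: Message) -> list:
    """Return the indicators present; an empty list means none of the described signals fired."""
    hits, text, name = [], msg.body.lower(), msg.display_name.lower()
    for domain, org in TRUSTED.items():
        # The name a victim sees claims a trusted organisation, but the mail is not from its domain.
        if org in name and msg.sender_domain.lower() != domain:
            hits.append(f"display name claims {org} but sender is {msg.sender_domain}")
    if is_lookalike(msg.sender_domain):
        hits.append("look-alike sender domain")
    if any(is_lookalike(h) for h in msg.link_hosts):
        hits.append("look-alike link host")
    if any(w in text for w in URGENCY):
        hits.append("urgency language")
    if any(w in text for w in DATA_REQUEST):
        hits.append("asks for personal or payment data")
        if any(w in text for w in DISASTER):
            hits.append("disaster appeal combined with data request")
    return hits
```

A mail filter would typically quarantine a message once two or more indicators fire rather than acting on any single one.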
The hackers may also use tailgating, a psychological social engineering technique in which people who are not authorized to be in certain places follow duly authorized individuals into those places. An example is an individual being asked to lend a device such as a phone or a computer to someone else in order to accomplish a certain task. In so doing, the attacker installs malware on the system that will enable easy access to personal details. Tailgating aims at getting access to valuable information. It also exploits the natural inclination of human beings to offer help to those in need (Ghafir et al. 2016, 145). Social engineers take advantage of this act of kindness and use it to gain entry into premises as well as corporate networks, where they perform their malicious attacks.
Another psychological technique used by social engineers is the assertion of authority. This technique targets recruits or lower-level staff members who fall victim to intimidation. An attacker may pretend to be an employee of a particular department or from a higher authority in the organization in order to acquire information regarding passwords. The attacker may authoritatively threaten to report the employee to higher authority for lateness in completing a particular task, thereby compelling the employee to give out confidential information that will endanger the company systems (Ghafir et al. 2016, 146). The intimidated members have no option but to expose the private information that the attacker needs. This technique is most effective in an organization that uses a hierarchical system.
Social engineers also use the reverse social engineering technique to acquire sensitive information from their victims. Human beings are known to reciprocate whenever something good is done for them out of courtesy. In this technique, the hacker creates a situation that leads the target into a problem, prompting the target to seek help from the hacker, who is more than willing to offer assistance. The victim then feels obligated to provide the requested information to the attacker in reciprocation for the help provided.
Defense Against Social Engineering
As social engineering attacks continue to become more sophisticated and frequent among companies, employee training and awareness are best considered the first line of defense. Most organizations lack knowledge about cyber security, which makes them prone to attacks related to social engineering (Shabut 2016, 40). Organizations need to take considerable steps towards ensuring that their employees are educated on the techniques used by social engineers. There are several social engineering mitigation technologies, in the form of firewalls, email filters, and other data monitoring tools, at the disposal of most organizations. However, an employee who is well informed about the tactics employed by social engineers and who is capable of avoiding them is a better defense against these cunning schemes.
Companies should create policies that govern the security of their information against social engineers. Employees should be trained on how best to handle data in order to detect suspicious activity. Organizations should focus on ensuring that their employees comply with the security policies set by the organization. Security policies should not be negatively framed only to define what employees should not do in order to reduce risk. Instead, they should be broad enough to encompass the things that must be done to protect the organization from malicious attacks by hackers (Burns et al. 2015, 3930).
Continuous and consistent training is significant in ensuring that employees stay up to date on social engineering attacks. During training, employees should be taught to think like hackers in order to be in a position to enhance the security of their information (Esteves et al. 2017, 71). Skeptical employees can raise questions whenever something does not seem right to them. This quality is achievable by testing the staff regularly on different social engineering tactics. This, coupled with constant mindfulness of social engineering attacks, instills a security culture in the company that enables it to secure its information from looming attacks.
In conclusion, social engineering is a growing threat to information security in most organizations. Social engineers employ both physical and psychological mechanisms in order to gain access to vital information from their targets. The deceptive and evolving tactics of social engineering require effective employee training and awareness that is not only continuous but also embedded into the company culture.
- Burns, A. J., Bennett, Rebecca J., Roberts, Tom L., Courtney, James F., and Posey, Clay. 2015. Assessing the Role of Security Education, Training, and Awareness on Insiders’ Security-related Behavior: An Expectancy Theory Approach. Paper presented at the 48th Hawaii International Conference on System Sciences, January 5-8, in Hawaii, USA.
- Esteves, José, Ramalho, Elisabete, and de Haro, Guillermo. 2017. To Improve Cybersecurity, Think Like a Hacker. MIT Sloan Management Review 58, no. 3, 71-77. Accessed August 14, 2017. http://sloanreview.mit.edu/article/to-improve-cybersecurity-think-like-a-hacker/
- Ghafir, Ibrahim, Prenosil, Vaclav, Alhejailan, Ahmad, and Hammoudeh, Mohammad. 2016. Social Engineering Attack Strategies and Defense Approaches. Paper presented at the IEEE 4th International Conference on Future Internet of Things and Cloud, August 22-24, in Vienna, Austria.
- Shabut, Antesar M., Lwin, K. T., and Hossain, M. A. 2016. Cyber Attacks, Countermeasures, and Protection Schemes: A State of the Art Survey. Paper presented at the 10th International Conference on Software, Knowledge, Information Management & Applications, December 15-17, in Chengdu, China.
- Svehla, Zrinka, Sedinic, Ivan, and Pauk, Luka. 2016. Going White Hat: Security Check by Hacking Employees Using Social Engineering Techniques. Paper presented at the 39th International Convention on Information and Communication Technology, Electronics, and Microelectronics, May 30-June 3, in Opatija, Croatia.