Social engineering is a term used widely today to refer to a broad spectrum of malicious activities undertaken in the context of social interactions. Through psychological manipulation, perpetrators of social engineering attacks trick their targets into making security-related mistakes or even handing over sensitive information. Social engineering can therefore be described as an attack vector that relies on human interaction and manipulation to make people break from their normal security procedures and the best practices they normally follow, giving the perpetrators access to their systems, physical locations or networks, or affording them financial gains. Scholars Airehrour, Nair and Madanian (2018) describe social engineering attacks as some of the most dangerous challenges faced in today's information age. Their assertion is based on the view that these attacks rely on psychological manipulation and are technically oriented. They also recognize that the execution of these attacks has been on the rise, with no end in sight.
Individuals who exploit threat opportunities use social engineering techniques to mask their true intentions as well as their identities. Through these techniques they present themselves as people the targeted individual can trust, and exploit the opportunity to manipulate, influence or trick them. The manipulation, trickery or influence ends with the targeted individuals giving up access to an organization or to highly privileged information.
In most cases perpetrators of social engineering attacks do not use force but rather depend on people's good nature and willingness to help others. There are several phases involved in a social engineering attack, although some attacks can take a single simple step. The most common phases are the investigation phase, where the perpetrator first gathers background information on the target, and a second phase in which the perpetrator tries to gain the target's trust and trick, influence or manipulate them into breaking their security practices, opening the door for the attacker. Figure 1 illustrates the lifecycle of social engineering.
Figure 1: Social engineering cycle (Source: https://www.incapsula.com/web-application-security/social-engineering-attack.html)
Social Engineering Attack Cycle
As illustrated in Figure 1, a social engineering attack takes place as a cycle. This cycle is one of many variations that have been proposed to express the process of social engineering attacks. However, the first cycle depicting the process was described by Mitnick (2003), who identified four phases: research, developing rapport and trust, exploiting trust, and utilizing information:
Research: In this phase, Mitnick (2003) asserts, the perpetrators gather all the information they can concerning the potential victim. The information gathered here enables them to carry out the other phases successfully; how thorough a perpetrator is at this stage determines their potential for success later.
Cultivating Rapport and Trust: In this phase, Mitnick (2003) asserts, the perpetrator seeks to gain the trust of the targeted victim, using the information gathered in the first phase to interact with the victim and present themselves as a legitimate party.
Exploiting Trust: In this phase, Mitnick (2003) asserts, the perpetrator uses the trust and rapport they have cultivated to manipulate the victim's behaviour, leading them into mistakes so that the targeted information can be stolen without the victim being any the wiser. Trust can be exploited in a number of ways, including installing malware on the victim's system, using spoofed emails, making scam phone calls and so forth.
Utilize Information: In the fourth phase of the cycle the perpetrator cashes in on the information gathered in the previous phases. Here the attacker carries out the attack and tries to cover their tracks.
This cycle as described by Mitnick has received attention from various scholars, who have provided variants and extensions. On the other hand, the Software Engineering Institute (2014) indicates that although social engineering attacks typically follow a cycle, an attack can also be perpetrated in a single stage, where the perpetrator conducts the attack through one contact with the intended victim.
The Software Engineering Institute (2014) further argues that, unlike a single-phase attack, a multiple-phase attack uses the information gathered to undertake further attacks and can take place over a prolonged period running into months.
Social engineering has become an especially dangerous challenge in modern society. Unlike other cyber-security challenges, which rely on vulnerabilities in a system's operating system or software and which can be corrected, this type of threat relies on errors made by people. System-related weaknesses can be identified and dealt with; human mistakes are hard to predict and thus harder to safeguard against.
There are various forms of social engineering attacks. The following section discusses the most common classifications of social engineering attacks perpetrated on digital platforms and how they are carried out.
Types of Social engineering attacks
Baiting
This type of social engineering attack relies on false promises to get the attention of the targeted party. The most commonly used strategy is to pique the curiosity or greed of potential victims; having done so, the attackers steal the victims' personal information or release malware into their systems.
One deliberate way that perpetrators launch such an operation is to bait victims into using certain physical media and, in doing so, infect their systems with malware. For example, a perpetrator can target a particular company and plant flash drives in its parking lot, elevators and so forth, where they can be easily seen, with legitimate-looking labels such as company payroll. A victim deceived by the legitimate-looking drive plugs it into their system and, in doing so, gives the perpetrator access or launches the malware.
Baiting attacks are also undertaken online, where the perpetrator can use tricks such as catchy advertisements that lure the victim to click on them and lead to malicious sites. Another example is applications which, once downloaded, turn out to be infected with malware.
Scareware
This is a strategy in which the perpetrators make the targeted victim believe that they face certain threats. They send the target numerous alarms warning of fictitious threats and prompting them to take action. The victims are deceived into believing that their system is infected with malware and that they should therefore install certain software to deal with the threat. In truth, the software they install is the real threat, and it aids the perpetrator in their quest.
An example of scareware is when, while browsing the internet, a person notices banners that keep popping up, informing the user that their system has been infected and offering a solution. Any of the options offered are aimed at exposing the system to malware, either by downloading an infected application or by visiting a site that infects the system.
Scareware also uses the tactic of spam email: the perpetrators send messages to the inboxes of potential victims informing them of non-existent dangers and then offering product "solutions" that are worthless to the victim, or harmful.
Pretexting
This is an attack strategy where the scammer seeks to obtain the trust of their victim in order to gather sensitive, confidential information. The attackers obtain information on the victim by employing cleverly crafted lies. In order to establish trust, the perpetrators can pretend to be the police, co-workers, bank officials, tax officials or any other party the victim knows to possess the corresponding rights and authority.
The process entails the perpetrator asking the victim extensive questions which confirm the victim's identity and gather important personal data. This kind of attack can gather a great deal of information, ranging from victims' home addresses, social security numbers, phone contact information and bank records to staff vacation dates and, from an organization's staff, security information about its physical plants.
Tailgating
This is a social engineering attack in which a person who is not authorized to gain access follows an authorized employee into a restricted area. An example is when the attacker pretends to be the mailman, lies in wait for an employee to use their security credentials to open the door, and then asks them to hold the door, which enables the attacker to gain access.
Phishing
Phishing attacks are among the most commonly launched social engineering attacks. This attack relies on text or email messages which seek to invoke fear, curiosity or a sense of urgency in their victims. These messages ask the targeted victims to divulge sensitive information, to download or open attachments containing malware, or to use the links provided, which lead to malicious sites.
Phishing scams come in different formats and target victims differently. One example is an email informing the recipient that they have violated certain policies and asking them to act immediately, such as by changing their password. Since phishers exploit the trust of their victims, they use legitimate-looking websites and deceive unsuspecting users into visiting an illegitimate site, typing in their password and changing it, whereupon that information is relayed to the phishers. The consolation for potential victims is that phishing campaigns utilize similar or closely related messages for their scams, so mail servers are in a position to identify these threats and block them.
Spear phishing
Spear phishing is another form of social engineering attack. It is similar to a phishing attack, the difference being that it is more targeted. The perpetrators do their due diligence and target specific enterprises or individuals. To ensure that the messages accomplish their purpose, they tailor them to the enterprise or individual based on their characteristics, job positions and contacts, which makes the messages less conspicuous. To pull off a spear phishing attack successfully, the perpetrators have to invest a lot of time and effort. The advantage for perpetrators is that, when they employ their skills effectively and patiently, such attacks are hard to detect and come with higher success rates.
An example of a spear phishing attack is where a perpetrator impersonates a particular organization's expert, such as an IT consultant. In that capacity they communicate with one or more of the organization's employees by email. Having done proper background study, the perpetrator can deceive the recipients about their identity by imitating the impersonated individual. Believing the message to be authentic and from their IT consultant, the targeted individuals go ahead and change their passwords or visit malicious sites through the dubious links provided. Once the targeted victims fall prey, their credentials are taken by the perpetrator and exploited for their own gain.
Preventive Strategies for Social Engineering attacks
Saleem and Hammoudeh (2018) in their study identified various strategies that can be used to safeguard individual and organizational systems from social engineering attacks. These include physical security, internal or digital security, implementing efficient security policies and procedures, penetration testing, and user training and security awareness.
Physical security entails having strong physical barriers safeguarding all sectors of the organization. Additional installations such as CCTV cameras should be used together with other physical restrictions. This will help protect the organization from a good number of social engineering attacks, especially those that target physical access.
Digital security, on the other hand, safeguards the internal structure of the organization, such as its systems, through tools such as protection software. Examples of digital security measures include a good firewall, an updated spam detector with blacklisted parties and so forth. However, these measures are not sufficient safeguards against all social engineering attacks, such as tailgating or baiting.
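The point made in the phishing section, that campaigns reuse similar or closely related messages which mail servers can recognise and block, and the point here about a spam detector with blacklisted parties, can be illustrated with a small rule-based mail filter. The following Python code is an added example written for this page; it is not code from the essay or from any product the essay mentions. The trusted domain, the blocklisted sender domains, the urgency phrases and the three sample messages are all constructed for the illustration. The filter fingerprints a message template with the per-victim parts (links, numbers) normalised away so that a fresh variant of an already-seen campaign is recognised, checks the sender domain against the blocklist, flags a display name that borrows the organisation's brand while the address is from a foreign domain, and flags links whose visible text names one host while the href points to another.

```python
import hashlib
import re
from dataclasses import dataclass
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed for this example: the organisation's own domain, a blocklist of
# sender domains already known to be hostile, and wording typical of urgency bait.
TRUSTED_DOMAIN = "example.com"
BLOCKED_SENDER_DOMAINS = {"accounts-verify.example"}
URGENCY_PHRASES = ("act immediately", "will be suspended", "verify your password", "violated")


@dataclass
class Message:
    from_header: str   # raw From: header, e.g. '"Name" <user@domain>'
    subject: str
    body: str          # simple HTML body


def campaign_fingerprint(body: str) -> str:
    """Hash the message template with the per-victim parts normalised away.

    Campaigns reuse one template and vary only links, ticket numbers and the like,
    so two variants of the same lure produce the same fingerprint.
    """
    text = re.sub(r"<[^>]+>", " ", body.lower())     # drop HTML tags (and their hrefs)
    text = re.sub(r"https?://\S+", "<url>", text)    # visible links differ per victim
    text = re.sub(r"\d+", "<n>", text)               # ticket numbers, dates, amounts
    text = re.sub(r"\s+", " ", text).strip()
    return hashlib.sha256(text.encode()).hexdigest()


def link_mismatches(body: str) -> list[tuple[str, str]]:
    """Return (visible_host, real_host) pairs where the anchor text names one host
    but the href actually points somewhere else."""
    found = []
    for href, visible in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]*)</a>', body, re.IGNORECASE):
        real_host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", visible.lower())
        if shown and shown.group(1) != real_host:
            found.append((shown.group(1), real_host))
    return found


def analyse(msg: Message, known_campaigns: set[str]) -> tuple[str, list[str]]:
    """Return (decision, reasons) where decision is 'block', 'quarantine' or 'deliver'."""
    reasons = []
    display_name, addr = parseaddr(msg.from_header)
    sender_domain = addr.rpartition("@")[2].lower()

    if sender_domain in BLOCKED_SENDER_DOMAINS:
        reasons.append(f"sender domain {sender_domain} is blocklisted")
    if campaign_fingerprint(msg.body) in known_campaigns:
        reasons.append("body matches a known phishing template")

    # Display name borrows the organisation's brand while the address is foreign.
    brand = TRUSTED_DOMAIN.split(".")[0]
    if brand in display_name.lower() and sender_domain != TRUSTED_DOMAIN \
            and not sender_domain.endswith("." + TRUSTED_DOMAIN):
        reasons.append(f"display name claims {brand} but sender is {sender_domain}")

    text = f"{msg.subject} {msg.body}".lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))
    for visible, real in link_mismatches(msg.body):
        reasons.append(f"link shows {visible} but points to {real}")

    # A blocklisted sender or a known template is decisive; otherwise two independent
    # signals block, while a single signal only quarantines the mail for review.
    if any(r.startswith(("sender domain", "body matches")) for r in reasons) or len(reasons) >= 2:
        return "block", reasons
    return ("quarantine", reasons) if reasons else ("deliver", reasons)


# Constructed sample messages. SEEN_PHISH was reported earlier and seeds the fingerprint set;
# NEW_PHISH is the same lure sent from a fresh domain with a different ticket number and link.
SEEN_PHISH = Message(
    '"Example IT Helpdesk" <helpdesk@accounts-verify.example>',
    "Policy violation - ticket 48213",
    '<p>You have violated policy 7. Act immediately or your account will be suspended.</p>'
    '<a href="https://accounts-verify.example/r/48213">https://portal.example.com/reset</a>',
)
NEW_PHISH = Message(
    '"Example IT Helpdesk" <helpdesk@mail-update.example>',
    "Policy violation - ticket 51907",
    '<p>You have violated policy 3. Act immediately or your account will be suspended.</p>'
    '<a href="https://mail-update.example/r/51907">https://portal.example.com/reset</a>',
)
LEGIT = Message(
    '"Payroll" <payroll@example.com>',
    "Payslips for October",
    '<p>October payslips are available on the portal.</p>'
    '<a href="https://portal.example.com/payslips">https://portal.example.com/payslips</a>',
)
KNOWN_CAMPAIGNS = {campaign_fingerprint(SEEN_PHISH.body)}

if __name__ == "__main__":
    for name, msg in (("seen phish", SEEN_PHISH), ("new phish", NEW_PHISH), ("legit", LEGIT)):
        decision, reasons = analyse(msg, KNOWN_CAMPAIGNS)
        print(f"{name}: {decision}")
        for r in reasons:
            print("   -", r)
```

A real filter would load the blocklist and campaign fingerprints from threat-intelligence feeds and verify the sender with SPF, DKIM and DMARC rather than trusting the From header. The decision logic also shows why a blocklist alone is not a sufficient safeguard, as the essay notes: the second phishing sample comes from a domain that is not on the list and is caught only by the template, display-name and link checks.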
Implementing efficient security policies and procedures: An organization should implement its security procedures and make them known to all its stakeholders in order to safeguard them from these challenges. Good security policies and procedures inform all employees of what they are supposed to do and the rules they are required to adhere to. These procedures safeguard them from potential threats; however, the procedures themselves must be kept from unauthorized parties, because such knowledge can be exploited by attackers.
Penetration testing: Even though an organization has implemented various security measures, it should determine and ascertain their effectiveness by hiring penetration testers. These individuals can determine the effectiveness of the system and its weaknesses and vulnerabilities by using the same tactics a social engineer would. This information can enlighten the organization and enable it to strengthen its defenses. This is an important tactic because security breaches cost organizations dearly: Navigant (2014) reports the cost was $6,200,200 in the year 2013. Further, a study by Mendelsohn (2016) revealed that in the year 2015 more than 50% of UK businesses were victims of ransomware launched through phishing attacks. The study by Ashford (2016) also indicated that ransomware attacks had caused 1/5 of businesses in the UK to close, because the attackers asked for more than the business could afford to pay, because of the lawsuits they faced, the negative publicity that came with it, or their loss of data.
User training and security awareness: Among all the areas that social engineers target are people who can be easily accessed and exploited. Although a company can put up all its defenses and form an impenetrable fortress, whether this fortress stands depends on the employees of the organization, who are the weakest link. It is therefore essential for an organization to train its employees and increase their awareness of the threats posed by social engineering attacks and what they can do to stop them (Saleem and Hammoudeh 2018).
In totality, the objective of social engineers is to take advantage of their victims through manipulation. These parties manipulate their targeted victims' feelings of fear, curiosity, greed and so forth and entrap them. This is possible because these attacks primarily rely on the art of human interaction, which, as indicated earlier, is unpredictable and thus hard to safeguard against. To protect themselves from these attacks, individuals must be vigilant and alert. Although one should never ignore a security warning, it is essential to be wary of alarms about threats which come bearing solutions. One should also take precautions when coming across digital media that seem to be lying around conveniently to be picked up. Other ways to improve one's vigilance against social engineering attacks include the following.
Not opening emails and attachments whose sources are suspicious
As seen, perpetrators of social engineering attacks use email to gain access to their targeted victims' systems. To safeguard against these moves, a person should not open an email whose source they do not know or find suspicious. A person who is vigilant against these attacks does not need to click on or respond to messages from people they do not know or sources they do not trust. Where in doubt, a person can contact the sender through other means, such as telephone, before opening a suspicious mail, as it is better to be safe than sorry.
Employ the use of Multifactor Authentication
Social engineering attackers seek the credentials of their victims and exploit them for their own benefit. In order to safeguard against this threat, individuals and organizations should use multifactor authentication, which guards against such exploitation and protects a system or account in the event of credential compromise.
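To show what protecting an account "in the event of credential compromise" means in practice, here is an added Python example, not code from the essay, implementing a login check with a time-based one-time password (TOTP, RFC 6238) as the second factor. The user record, the salt and the password are constructed for the example; the TOTP secret is the seed used in the RFC 6238 test vectors, so the generated codes can be checked against the published values. A caller who has only the stolen password, and no current code from the user's authenticator, is rejected.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 of the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken from the current 30-second step."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash so that a leaked database does not directly yield passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record. The password and salt are made up; the TOTP secret is the
# seed from the RFC 6238 test vectors so that the generated codes can be verified.
SALT = b"constructed-salt-for-example"
USERS = {
    "alice": {
        "password_hash": hash_password("correct horse battery staple", SALT),
        "totp_secret": b"12345678901234567890",
    }
}


def login(username: str, password: str, otp: str, unix_time: int, window: int = 1) -> tuple[bool, str]:
    """Verify both factors. Returns (accepted, reason).

    `window` is how many 30-second steps either side of the server clock are
    accepted, to tolerate drift on the user's authenticator device.
    """
    user = USERS.get(username)
    if user is None:
        return False, "unknown user"
    if not hmac.compare_digest(hash_password(password, SALT), user["password_hash"]):
        return False, "bad password"
    for drift in range(-window, window + 1):
        expected = totp(user["totp_secret"], unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected.encode(), otp.encode()):
            return True, "ok"
    # Correct password but no valid code: this is all a credential thief is left with.
    return False, "bad or missing one-time code"


if __name__ == "__main__":
    now = 59  # RFC 6238 test-vector time; the 6-digit code at this step is 287082
    code = totp(USERS["alice"]["totp_secret"], now)
    print("user with authenticator:", login("alice", "correct horse battery staple", code, now))
    print("thief with password only:", login("alice", "correct horse battery staple", "", now))
    print("stale code 60 s later:  ", login("alice", "correct horse battery staple", code, now + 60))
```

A production implementation would also record the last time step at which a code was accepted, so that a captured code cannot be replayed within the drift window, and would rate-limit attempts, since a six-digit code has only a million possibilities. Note too that a one-time code can still be relayed by a phishing site that proxies the login in real time; origin-bound methods such as FIDO2/WebAuthn security keys resist that, which is why they are described as phishing-resistant.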
Be cautious of offers which appear too tempting
Perpetrators of social engineering attacks rely on human greed as one of the inroads to executing an attack. Therefore individuals should be very cautious of offers they receive on digital platforms. When an offer is too enticing, one should take some time to consider it so as not to be blinded by greed. One way to determine its authenticity is to search for information on the offer online.
Update all system protection (antimalware and antivirus)
Having the latest software and updating it regularly can help protect a system from social engineering threats. One way to accomplish this is to set the system to receive automatic updates and to scan the system from time to time to identify and root out potential threats.
Essay: Social Engineering
- Subject area(s): Information technology essays
- Published: 3 September 2021*
- Last Modified: 15 October 2024
If you use part of this page in your own work, you need to provide a citation, as follows:
Essay Sauce, Social Engineering. Available from: <https://www.essaysauce.com/information-technology-essays/social-engineering/> [Accessed 19-11-24].
* This essay may have been previously published on EssaySauce.com and/or Essay.uk.com at an earlier date than indicated.