
Social Engineering Attacks: A New Way of Hacking

  • By Elite CIO
  • Date Feb 18, 2019

Social engineering has emerged as a serious threat in virtual communities and is an effective means to attack information systems.

The services used by today's knowledge workers prepare the ground for sophisticated social engineering attacks. As most CISOs implement more effective technical safeguards against cyber-attacks, it is important to consider the non-technical tools that cyber-criminals use to infiltrate networks and obtain data and access.

Agari has released the results of a commissioned survey which examined the impact of social engineering on organisations across a range of industrial sectors in the US.

The results revealed that 60 percent of surveyed security leaders say their organisations were, or may have been, the victim of at least one targeted social engineering attack in the past year, and 65 percent of those who were attacked say that employees' credentials were compromised as a result. In addition, financial accounts were breached in 17 percent of attacks.

What is a Social Engineering Attack?

Social engineering is a non-technical strategy cyber attackers use that relies heavily on human interaction and often involves tricking people into breaking standard security practices. The success of social engineering techniques depends on the attackers' ability to manipulate victims into performing certain actions or providing confidential information. Today, social engineering is recognized as one of the greatest security threats facing organizations. Social engineering differs from traditional hacking in that the attacks can be entirely non-technical and do not necessarily involve the compromise or exploitation of software or systems. When successful, many social engineering attacks give the attacker legitimate, authorized access to confidential information, because the victim hands over the credentials or performs the action themselves.

Examples of social engineering attacks, which are typically launched via email, include phishing, spear-phishing and Business Email Compromise (BEC). 

According to the FBI, BEC scams have resulted in losses of £2.4 billion ($3.1 billion) as of May 2016.

What Does a Social Engineering Attack Look Like?

Email from a friend

If a criminal manages to hack, or socially engineer, one person's email password, they have access to that person's contact list, and because most people reuse one password everywhere, they probably have access to that person's social networking accounts as well.

Once the criminal has that email account under their control, they send emails to all of the person's contacts or leave messages on all of their friends' social pages, and possibly on the pages of the person's friends' friends.

Taking advantage of your trust and curiosity, these messages will:

Contain a link that you just have to check out. Because the link comes from a friend and you are curious, you trust it and click, and your machine is infected with malware so the criminal can take it over, collect your contacts' details, and deceive them just as you were deceived.

Contain a download of pictures, music, a movie, a document, etc., with malicious software embedded. If you download it, which you are likely to do since you think it is from your friend, you become infected. Now the criminal has access to your machine, email account, social network accounts and contacts, and the attack spreads to everyone you know. And on, and on.
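The scenario above, and the BEC variant mentioned earlier, leave traces in the message itself that a mail gateway or a SOC triage script can check before a user ever sees the "link from a friend". The following Python script is an added example and is not code from the original article or from Agari; it builds a few constructed sample messages (fictional names, domains and URLs) with the standard library and flags four common indicators: a Reply-To domain that differs from the From domain (typical of BEC, so that the victim's reply goes to the attacker), a link whose visible text names one host while the href points to another, an attachment with an executable-type extension, and an urgent wire-transfer request in the body. The indicator names, the extension list and the keyword heuristic are the example's own assumptions, not an industry standard.

```python
"""Triage inbound mail for common social-engineering indicators.

Added example, not part of the original article. Every sample message below
is constructed for illustration; the people, domains and URLs are fictional.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Extensions often used to deliver malware as a "download from a friend".
# This list is an assumption for the example, not a complete catalogue.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".hta", ".docm", ".xlsm"}

# Naive <a href="...">text</a> extractor; good enough for gateway-style triage.
HREF_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)


def _url_host(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url.strip()).hostname or "").lower()


def triage(raw: str) -> list[str]:
    """Return the indicator names found in one raw (RFC 5322) message."""
    msg = email.message_from_string(raw, policy=policy.default)
    found: list[str] = []

    sender = msg["From"].addresses[0] if msg["From"] else None
    reply_to = msg["Reply-To"].addresses[0] if msg["Reply-To"] else None
    # BEC indicator: replies are silently redirected to another domain.
    if sender and reply_to and reply_to.domain.lower() != sender.domain.lower():
        found.append("reply_to_mismatch")

    for part in msg.walk():
        ctype = part.get_content_type()
        if part.is_attachment():
            name = (part.get_filename() or "").lower()
            if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
                found.append("risky_attachment")
        elif ctype == "text/html":
            # Link text that names one host while the href goes elsewhere.
            for href, text in HREF_RE.findall(part.get_content()):
                shown = _url_host(text) if "://" in text else text.strip().lower()
                if "." in shown and _url_host(href) and shown != _url_host(href):
                    found.append("link_text_mismatch")
        elif ctype == "text/plain":
            body = part.get_content().lower()
            if "wire transfer" in body and "urgent" in body:
                found.append("urgent_payment_request")
    return found


def build_samples() -> dict[str, str]:
    """Constructed sample messages keyed by scenario (all data fictional)."""
    samples: dict[str, str] = {}

    m = EmailMessage()
    m["From"] = "Dana Lee <dana.lee@example.com>"
    m["To"] = "bob@example.com"
    m["Subject"] = "lunch next week?"
    m.set_content("Still on for Tuesday? - Dana")
    samples["benign"] = m.as_string()

    m = EmailMessage()  # friend's real but compromised account sending a link
    m["From"] = "Dana Lee <dana.lee@example.com>"
    m["To"] = "bob@example.com"
    m["Subject"] = "you have to see this"
    m.set_content("check this out!")
    m.add_alternative(
        '<p>check this out! <a href="http://login.example.net/x">'
        "https://photos.example.com/album</a></p>",
        subtype="html",
    )
    samples["friend_link"] = m.as_string()

    m = EmailMessage()  # same account sending a "photo download"
    m["From"] = "Dana Lee <dana.lee@example.com>"
    m["To"] = "bob@example.com"
    m["Subject"] = "holiday photos"
    m.set_content("pics from the trip attached")
    m.add_attachment(b"MZ\x90\x00not-a-real-binary", maintype="application",
                     subtype="octet-stream", filename="holiday_photos.exe")
    samples["friend_attachment"] = m.as_string()

    m = EmailMessage()  # BEC: executive's name, replies diverted elsewhere
    m["From"] = "Pat Moore <pat.moore@example.com>"
    m["Reply-To"] = "pat.moore@example-mail.net"
    m["To"] = "bob@example.com"
    m["Subject"] = "need this done today"
    m.set_content("I need you to process an urgent wire transfer before close of business.")
    samples["bec"] = m.as_string()
    return samples


if __name__ == "__main__":
    for name, raw in build_samples().items():
        print(f"{name:18s} {triage(raw) or 'clean'}")
```

The point of running this over the "friend" messages is that nothing about them is technically malformed: the From address is genuine, the account really was the friend's. What gives them away is the mismatch between what the user is shown and where the action actually leads, which is exactly the gap social engineering exploits, and which a machine can check even when the human does not.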

In the Agari survey, sixty-five percent of the reported social engineering attacks compromised employee credentials and 17 percent breached financial accounts.

How organizations can prevent these attacks:

Create a targeted training program that addresses the most risky employees and/or prevalent behaviors first.

Empower employees to recognize potential threats and independently make correct security decisions.

Improve knowledge retention with short interactive training sessions that work easily into employees' busy schedules and feature proven effective learning science principles.

Show measurable knowledge improvement over time with easy-to-read reports for executive management.

Companies should promote a people-centric security culture that provides ongoing training to keep employees consistently informed about the latest security threats. Fighting attacks against the human mind requires behavioral change more than technology defenses.

Companies should use a combined approach of simulated social engineering attacks coupled with interactive training modules to deliver the best result.


Author – Ravinder Arora, CISO IRIS Software