When it comes to cybersecurity, the human link is the weakest
Social engineering is a form of fraud that differs from a traditional con in its complexity. It is how most cybersecurity attacks happen these days, because the human is the weakest link in any cybersecurity scenario. For example, a person in a company might get an email saying that free software is being given away as part of a year-end sale. Seeing this, the person might click the link, download the software and install it, not knowing that it is preloaded with malware that steals their work credentials. You might wonder where the social engineering begins: the attacker may have obtained the person's personal email address or phone number earlier, through a harmless-seeming phone call in which they befriended the person. This is a classic example of social engineering.
There are many ways to carry out social engineering; the main ones are covered below.
Phishing: Obtaining a user's sensitive data through email, chat or a website by creating a false sense of emergency, pressuring the user into divulging their sensitive data, which is later used for monetary gain.
Baiting: Similar to phishing, except that the attacker tries to attract the user's attention by arousing their curiosity, for example with an email or an unclaimed removable media device left in the work area, which is loaded with malicious software to exploit the user's workstation and the network.
Quid pro quo: Tricking someone into giving their sensitive data in exchange for a service. A good example is an attacker masquerading as an IT representative from a reputable company and trying to obtain sensitive data in exchange for upgrading software or a service on the victim's computer.
Pretexting: Equivalent to phishing, except that it works by building mutual trust between the attacker and the victim. It usually happens by impersonating an important person in the organisation whom the victim knows and then asking for login credentials in order to perform an IT audit.
Piggybacking: Also called tailgating. It happens when the attacker asks an employee to open a door at a large corporation, claiming to have forgotten their ID card, or asks an employee to lend their laptop for a few minutes to check email while installing a malicious program on it to steal sensitive data later.
Dumpster diving: Looking through a company's trash for sensitive information that has not been disposed of properly.
Eavesdropping: Listening in on a sensitive conversation between two employees. Most eavesdropping is carried out by tapping into a conversation taking place over the phone.
The best way to counter social engineering is to train employees through a security awareness programme on how to respond appropriately. Other countermeasures include:
- Train employees to demand proof of identity over the phone or in person.
- Define a value for each kind of information that must be protected; the greater the value, the higher the security required, for information such as dial-in numbers, login credentials, etc.
- If someone requests privileged information, ensure that they are authorised to obtain it.
- Dispose of sensitive information by shredding or incinerating.
- Dispose of discs safely and investigate any removable media found unattended on the office premises.
- Use bookmarked links to log in to websites that require sensitive data, and do not click on links in emails.