
What is Social Engineering?

What is Social Engineering?

Social Engineering is the psychological manipulation of people into performing actions or divulging confidential information for the attacker. Social engineering is exploiting flaws in human beings, making the victim do things that they wouldn’t otherwise have done. Social engineering is an attack vector, a means to an end. It is not the goal but a way to get there.

Humans are the soft center within the hard shells of all modern security systems. Cracking the humans is often a lot easier than cracking these systems.

Firewalls:
Hardly any operating systems today come without a built-in firewall. You can find them in servers, in desktops and in routers. There are even dedicated firewall devices for protecting corporate networks. Security firms spend a huge amount of money on developing firewalls and for good reason. Firewalls form the first line of defense, the hard shell that a hacker must break through in order to gain access to a system.

Authorization Rules:
Your PINs and passwords (and fingerprints) are what give you access to your devices and all your online accounts. Authorization is the cornerstone of digital security. Unless you can prove your identity you are denied access to the system, thwarting any attack before it can even begin. This is what keeps your Gmail and Facebook accounts secure.

Anti-virus:
Anti-virus software has become a necessity on popular, commonly targeted operating systems such as Microsoft Windows. The job of an anti-virus is to know common malicious software patterns, to watch out for any suspicious files that match these patterns, and to catch them before any damage is done.

These three in particular are a common sight in almost all security systems. They are the default security controls in place on the vast majority of systems today. And this is where social engineering comes in. Within these hard shells are the vulnerable humans: the people inside the protection of these security measures who have legitimate access to use the protected system freely and can, in effect, bypass its otherwise impenetrable shields on an attacker's behalf. Break the human and you break the system.

A company can spend hundreds of thousands of dollars on firewalls, intrusion detection systems, encryption and other security technologies, but if an attacker can call one trusted person within the company, and that person complies and lets the attacker in, then all the money spent on technology is essentially wasted.

Let us try to understand the concept of Social Engineering attacks through some examples:

Example 1:
You must have noticed old company documents being thrown into dustbins as garbage. These documents might contain sensitive information such as names, phone numbers, account numbers, Social Security numbers, addresses, etc. Many companies still use carbon paper in their fax machines, and once the roll is finished, the carbon, which may carry traces of sensitive data, goes into the dustbin. Although it sounds improbable, attackers can easily retrieve information from company dumpsters by rummaging through the garbage.

Example 2:
An attacker may befriend a member of the company's staff and build a good relationship with them over a period of time. This relationship can be established online, through social networks or chat rooms, or offline at a coffee table, in a playground, or by any other means. The attacker gains the employee's confidence and finally digs out the required sensitive information without raising suspicion.

Example 3:
A social engineer may pretend to be an employee, a valid user or a VIP by faking an identification card or simply by convincing employees of his position in the company. Such an attacker can gain physical access to restricted areas, which provides further opportunities for attacks.

Example 4:
In many cases an attacker may be standing right next to you, shoulder surfing while you type sensitive information such as a user ID and password, an account PIN, etc.

Phishing Attack:

A phishing attack is a computer-based form of social engineering in which an attacker crafts an email that appears legitimate. Such emails have the same look and feel as those received from the genuine site, but they may contain links to fake websites. If you are not careful, you will type your user ID and password and try to log in; the login will fail, and by that time the attacker will have your ID and password to use against your real account.

Quick Fix:
You should enforce a good security policy in your organization and conduct the required training sessions to make all employees aware of the possible social engineering attacks and their consequences.
Document shredding should be a mandatory activity in your company.

Make doubly sure that any links you receive in your email come from authentic sources and point to the correct websites. Otherwise you might end up a victim of phishing.
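The phishing section above describes emails whose links look like the genuine site but lead elsewhere, and this quick fix asks you to check where links really point. The following is an added example, not code from the original post, of how such a check can be automated on the defender's side: it parses the HTML body of an email, pulls out every link, and flags the ones whose visible text shows a different domain than the real target, that use a raw IP address instead of a hostname, that use plain http, or whose domain is not on an allowlist of domains the organization expects. The email body, the trusted domain `example-bank.com` and the helper names (`audit_links`, `Finding`) are all constructed for this example.

```python
"""Flag suspicious links in an HTML e-mail body (added example, constructed data)."""
import ipaddress
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse


@dataclass
class Finding:
    href: str          # where the link really goes
    text: str          # what the reader sees
    reasons: list      # why it was flagged


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registered_domain(host):
    """Crude 'example.com' from 'login.example.com' (no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


# Visible link text that itself looks like a URL or bare domain.
_URLISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)", re.I)


def audit_links(html_body, trusted_domains):
    """Return one Finding per link that fails at least one check."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        if parsed.scheme == "mailto":      # plain addresses are out of scope here
            continue
        reasons = []
        host = (parsed.hostname or "").lower()
        if parsed.scheme not in ("http", "https") or not host:
            reasons.append("not an http(s) link")
        else:
            if parsed.scheme != "https":
                reasons.append("plain http")
            try:
                ipaddress.ip_address(host)
                reasons.append("raw IP address instead of a hostname")
            except ValueError:
                pass                        # a normal hostname, fine
            if _registered_domain(host) not in trusted_domains:
                reasons.append(f"domain {_registered_domain(host)!r} is not trusted")
            shown = _URLISH.match(text)
            if shown and _registered_domain(shown.group(1)) != _registered_domain(host):
                reasons.append("visible text shows a different domain than the target")
        if reasons:
            findings.append(Finding(href, text, reasons))
    return findings


# Constructed sample: the first link displays the bank's address but points at an IP.
SAMPLE_EMAIL = """
<p>Your account will be suspended. Please verify at
<a href="http://198.51.100.23/login">https://www.example-bank.com/login</a>
or visit <a href="https://www.example-bank.com/help">our help centre</a>.</p>
"""
TRUSTED = {"example-bank.com"}   # constructed allowlist


def demo():
    return audit_links(SAMPLE_EMAIL, TRUSTED)


if __name__ == "__main__":
    for finding in demo():
        print(finding.href, "<-", finding.text or "(no text)")
        for reason in finding.reasons:
            print("   -", reason)
```

Only the first link is reported, with four reasons; the genuine help-centre link passes. The domain reduction is deliberately crude (last two labels), so a production version should use a public-suffix list, and an allowlist only works if it is maintained alongside the domains the organization actually sends mail for.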

Be professional and never share your ID and password with anybody else under any circumstances.
