Hacking Countermeasures and Social Engineering: Analytical Essay

Introduction

When thinking about the security of information systems, the predominant concern is digital security: performing evaluations and assessments to identify risks and vulnerabilities that may compromise the information stored within the system. However, the largest threat and most easily exploitable vulnerability is often overlooked: humans. Some of the biggest hacks of all time were made possible by social engineering. These breaches have caused financial, reputational, and social damage to companies and individuals alike.

Social engineering is a threat that can expose even the most experienced technology user. Malicious actors use social engineering techniques as an ingress method to breach a target and expose or obtain the data and information they want. This essay will explore how social engineering is defined and how it has been used as a successful exploitation method, and will examine some historic examples of social engineering techniques and their uses. This leads to a discussion of the vulnerability that social engineering targets, providing insight into why the technique continues to work.

With this information, we will look at how to better understand the depth of social engineering and how it is used to achieve the attacker’s goals, exploring the threat and exposure within the techniques and providing context for classifying the different methodologies within the cyber security scope of social engineering. With this established, we will move on to some of the reported breaches that have identified social engineering techniques as the initial point of exposure. Knowing what social engineering is, how it can be and has been used, and where we are exposed, we will discuss methods and strategies for defending against the threat and potential exposure.

Social Engineering

Social engineering is a commonly understood concept; however, it continues to be one of the most successful exploit methods within the cyber and computing realm. It has been described “as tricking someone into doing something, often detrimental, to themselves or others” (Grimes, 2017, p. 27). Hadnagy further defines it as “any act that influences a person to take an action that may or may not be in his or her best interests” (Hadnagy, 2018, p. 7). Simply described, it is the exploitation of the most common vulnerability: people.

Although the terminology is ingrained in the cyber security arena, the exploitation of people or human nature did not originate within computing environments. Con artists and fraudulently motivated people have long used techniques to persuade others into actions or outcomes that benefit themselves and their objective. One example is Frank Abagnale Jr., from the United States, known for his check forgery and impersonations before later becoming an FBI consultant; his life was portrayed in the movie Catch Me If You Can (Spielberg, 2002). However, these techniques are not, and have not been, used solely for malicious intent. Psychologists and medical professionals may use them to obtain further information to assist in diagnosis or treatment, for favorable therapeutic results. Law enforcement leverages social engineering practices and techniques to produce favorable outcomes for an investigation by stimulating the revelation of evidence, although the criminal offenders may not see the ‘favor’ in this.

Accounts and evidence of exploiting people and their social trust are documented throughout history: from the Bible, in Genesis, when Jacob disguises himself as his brother Esau, taking on his habits and behaviors to trick his father, Isaac, into giving him his blessing (Hadnagy, 2018), to Greek mythology and the famous ‘Trojan Horse’. The mythic fable depicts a long and unsuccessful siege by the Greeks against the city of Troy. Appearing to finally give up, the Greeks leave behind a giant wooden horse. Having watched the Greeks’ departure, the Trojans, believing it to be an offering to the gods for the Greeks’ safe passage home, wheel the horse inside the city gates. Little did they know that a small party of Greek soldiers was inside, waiting. Night fell, and while the Trojans slept, the Greeks opened the city gates and the waiting Greek army conquered the city (Avecto, 2016). Some may say that these examples are not social engineering, but the explanation lies in the social aspect of the term. Merriam-Webster defines social as “of or relating to human society, the interaction of the individual and the group, or the welfare of human beings as members of society” (Merriam-Webster, 2019). The Greeks exploited the social conventions of Trojan society and its beliefs about sacred offerings to the gods: compliance with religious beliefs and directives.

Returning our focus to the cyber security side of social engineering, this ‘non-technical’ method of obtaining information or data from a target group or individual remains the most successful vector for a malicious actor. This is because most people are polite and good-natured: holding a door for a colleague, for example, or allowing someone with fewer items to go before you at the Aldi check-out. Social engineering exploits this very nature in people (Walker, 2016). Whipple (2016) explains the four emotions exploited by social engineers:

  • Helpfulness. People’s willingness and desire to help other people.
  • Greed. The intense and selfish desire for something, predominantly wealth or power.
  • Obedience. Compliance with an order, directive, or request, usually posed by an authority figure.
  • Fear. Imposing the belief that someone or something is dangerous, with the implication or threat of pain or harm.

Understanding the vulnerability that social engineers target, we can investigate how an attacker exploits it. Social engineering attacks are not spur-of-the-moment, point-and-shoot events; like most things, there is a process that enables a successful outcome, whether that is obtaining the desired information, data, or result. Kevin Mitnick (Mitnick & Simon, 2003) describes this process as a ‘Social Engineering Cycle’. This cycle is defined by four distinct stages:

  • Research
  • Developing rapport or trust
  • Exploiting trust
  • Utilizing trust

As when initiating and performing a penetration test, the research or reconnaissance performed can define and determine the success of the activity. Practices such as dumpster diving, coffee shop chatter, and eavesdropping, although they remain effective, have been assisted by the continuous growth and use of the World Wide Web.

The Internet has provided, and continues to provide, a vast and growing source of knowledge, data, and information to any user of its services. Phishing and other web-based techniques continue to become more complex and authentic in content and appearance to increase the likelihood of success. This has been helped by the evolution in popularity and availability of cloud-based social media services like Twitter, Facebook, and Snapchat, which, combined with the growth in accessibility of the information superhighway, let users at no expense and with no experience post, share, tweet, snap, like and provide countless amounts of information on themselves, their friends, families, colleagues, and workplaces.

The term ‘overshare’, “to share or reveal too much information” (Merriam-Webster, 2019), characterizes the growing state of play when it comes to people’s use of social media platforms. Yet despite the convenience of divulging this information to anyone who cares to indulge in it, it is an enabling tool for those with more sinister intent. An Eckstrom Consulting blog articulates, “With the right research, a social engineer can compile an unnervingly comprehensive profile of a business, its employees, its operations, and more” (2018). Social media platforms are a buffet filled with information to consume. The growth in both the use and the availability of social media enables attackers to gather and digest countless bytes of information on a particular target or subject without the target’s knowledge, leaving them powerless to prevent it. This makes the advantage of social media also its sin.

Social media does not just provide social engineers with a platform for your stored information; it is also a mechanism to probe for more. Consider “Which Disney Princess Are You?”. Brower (2010) highlights the use of “What Type of Personality Are You?” quizzes within social media applications and services as a growing vector for social engineers to gather and profile information based on the target’s responses. With this information, an attacker now has an informed approach to establishing and developing trust with a target, and to exploiting and utilizing that trust. This proves the point of Krombholz, Hobel, Huber, & Weippl that “social engineering is one of the most powerful tools a hacker can utilize as even the most secure systems can be affected” (2013, p. 28).

So, where to from here? An individual or organization cannot begin to develop a defense strategy without knowing the attack scope and methodology. Krombholz, Hobel, Huber & Weippl (2013) presented a taxonomy of social engineering: a threat model tabulating a number of common attack types, the forms or channels these attacks can take, and the category of approach each resides in. They categorized the attacks into four distinct approaches or types:

  • Physical: the attacker performs a physical action or acts to obtain and gather information on an intended target. Methods include:
    • Shoulder surfing – direct observation to obtain the information, like looking over the shoulder of a target when they enter their PIN code.
    • Dumpster diving – obtaining information from documents in bins, recycling stations, shredders, and perhaps even secure document disposal services.
    • Baiting – enticing a target with a ‘dropped’ or lost USB storage device whose files are embedded with malware or malicious content.
  • Social: these attacks rely on sociopsychological techniques, with the attacker trying to develop a rapport with the target beforehand.
    • Reverse social engineering: the attacker flips the approach, trying to make the victim ask the attacker for help. This follows a three-phase approach: sabotage, advertising, and assisting.
      • Sabotage – the attacker causes a disruption to the target’s computing environment.
      • Advertising – the attacker promotes their ability to fix the issue.
      • Assisting – the victim asks the attacker to resolve the problem, and complies with the attacker’s information requests while they do so.
  • Technical: attackers use technology services, mainly the Internet, to gather and capture information on the target or future victims. Examples are search engines (Google, Bing), social media (Facebook, Twitter, etc.), and data mining tools (Maltego, Rattle, DataMelt, etc.). Others include:
    • Waterholing – the attacker compromises a website that the target is likely to engage with and waits for the target to interact with it.
  • Socio-technical: this approach sees the attacker deploying a combination of techniques and methods to capitalize on their efforts more effectively and efficiently.

Table 1: Classification of Social Engineering attacks, from the Krombholz, Hobel, Huber & Weippl (2013) taxonomy (Krombholz, Hobel, Huber, & Weippl, 2013, p. 32). [Table not reproduced in this text.]

Although each of these approaches and techniques can deliver the information or outcome an attacker desires, evidence shows that combinations of them produce a more potent weapon for the attacker (Krombholz, Hobel, Huber, & Weippl, 2013). How effective? A number of recent breaches have confirmed that the vector of ingress was a social engineering method, causing significant impact and exposure.

RSA SecurID Phishing Attack, 2011: four employees within RSA’s parent corporation, EMC, were sent an email from a spoofed address claiming to be from a job recruitment website. Attached was an Excel document titled ‘2011 Recruitment Plan’. When the employees opened the document, a zero-day Flash exploit buried in the spreadsheet installed backdoor access to their work machines, enabling the attackers to steal the keys to RSA’s SecurID services (Zetter, 2011).

Yahoo Customer Account Compromise, 2013: three (3) billion accounts were compromised through a successful spear-phishing message. A semi-privileged engineer fell victim to the campaign, enabling the attackers to compromise every customer account. Although the initial breach was disclosed in 2013 as approx. 500,000 accounts, the full extent of the breach was not realized until 2017 (Perlroth, 2017).

Sony Pictures Hack, 2014: a North Korean group of hackers successfully conducted a phishing attack against Sony Pictures, believed to be politically motivated due to the coming release of the feature ‘The Interview’. Sony suffered considerable financial losses, releasing the film online for free, and had several other pictures leaked, along with a significant amount of employee data (Peterson, 2014).

Ubiquiti Networks Scam, 2015: posing as the company’s Hong Kong subsidiary, the attackers crafted and sent an email to the accounting department with instructions requesting that funds be redirected to different accounts, which the accounting staff thought belonged to current vendors. Without verification, the instructions were followed and 47 million dollars was transferred. Only 8 million dollars was able to be recovered (Krebs, 2015).

These breaches highlight the devastating results of a well-planned and formulated social engineering attack. Analysis of these or similar breaches identifies the risks that a business, corporation, or service encounters and provides information for potential mitigations to prevent or lower the risk. A mitigation and prevention plan (Hadnagy, 2018, p. 257) is a strategy to lower or remediate risk. In the context of social engineering, humans are the vulnerability, which means that the plan to mitigate and prevent should focus on people and process more than on technology. This is not to say that technology has no role to play; a multilayered approach is required, but addressing and delivering a positive staff development and awareness program is key to successful prevention.

Administrative controls are described as “the process of developing and ensuring compliance with policy and procedures” (Northcutt, 2009). Developing a well-formed information security policy can be an effective administrative control within a mitigation and prevention plan, establishing clear and detailed expectations for all staff to follow and understand. The policy should also detail what to do if there is a concern or potential issue, and how users can report it or notify an appropriate officer or person to review, investigate, or follow up. A good policy is realistic, giving clear direction on what actions to take and not to take (Hadnagy, 2018).

Education and awareness programs can be a useful and effective tool in preventing, identifying, and combating cyber security risks, threats, or attacks. Simply put, the more educated or aware a person is on the subject, the better able they are to identify when something is not right. As with structured schooling or educational services, there should be a developed curriculum, defined objectives, and milestone expectations for delivery. Security awareness is no different: Spitzner (2018) observes that the number one reason awareness programs fail is a lack of a plan, with training delivered in an ad hoc or unstructured format with no clear or defined goal, framework, or analysis of topics, nor of the effectiveness of information delivery (Spitzner, 2018). A successful awareness program should be designed around a “framework to identify what topics you will communicate and how” (Spitzner, 2018). This does not just mean in content and structure but in delivery and method.

Most awareness programs are a mandatory expectation, which can set a tone of ‘burden’ or ‘chore’ for employees or users. It is important to ensure the training is engaging in both content and delivery, enabling greater retention and involvement from users and staff; remember, nobody likes ‘death by PowerPoint’. One method to assist with this is feedback and consultation with staff and users throughout the program’s lifecycle. Identifying likes and dislikes, what worked and what didn’t, and understanding current skills or people’s prior knowledge will help tailor the program for success. It is also valuable to be able to measure the effectiveness of the training program. Performing regular check-ups and tests of the users provides insight into the effectiveness and retention of the training (Hadnagy, 2018). The analytics from the test results will assist in directing the focus of the program’s future deliverables.

An awareness and education program mitigates the human vulnerability, but there are also technical aspects of a social engineering attack that can be prevented, and technical controls that assist in identifying and responding to potential attacks. Controls such as antivirus, spam filters, and proxy ingress/egress whitelisting, when implemented and managed effectively, can prevent many security threats and risks, including those associated with social engineering. Herley and Pieters accurately highlight, though, that “If resources were unlimited, or countermeasures were costless, then, of course, we could take action against every possible scenario we could think of” (2015, p. 113). In reality, there are limits to resources, tools, services, and financial support. Understanding the technical controls’ capabilities and the available resourcing can help prevent planning for the impossible. This does not mean you are hamstrung. Place your focus on how best to utilize what you have, looking to implement a continuous improvement cycle rather than configuring with a ‘set and forget’ attitude.

Finally, it is important to understand that this is a campaign and program to drive change in the user base’s understanding and ability to identify and report social engineering attempts. Change, to be successful and lasting, needs to be positive. A positive culture lays the foundations for positive practices. This needs to be driven from the CEO down to the frontline user. Security is not solely the responsibility of an individual or a security team. In a corporate environment, a positive and supportive security culture will amplify the success of the outcome.

Conclusion

Unless someone has studied the ways of Vulcan culture and purged all emotion from themselves (CBS Entertainment, 2019), the hackable vulnerabilities within all humans will continue to enable the success of social engineering in whatever form it comes. Techniques used to exploit a human vulnerability are not restricted to cyber security, with evidence of them found well before any digital technology, validating the ‘non-technical’ exploitation of human emotion and its ingrained nature within social behaviors.

Mitnick’s ‘social engineering cycle’ shows that malicious actors follow a strategic approach to ensuring the success of their endeavors. As with penetration testing processes, the more and better the information on the target system and its potential weaknesses, the more effective the results. With the internet, combined again with the condition of human nature, social media platforms make it far easier for malicious actors to discover the information needed to expose their intended targets. This gives a suitable basis for understanding the approaches and methods within a social engineering attack.

We then reviewed the anatomy and construction of techniques and methods within social engineering, categorized the taxonomy of social engineering, and established a framework and understanding of the threat, validating that a combination of methods provides greater impact and effectiveness for the attack. The exposure of RSA, Sony, Yahoo, and Ubiquiti validates just how effective social engineering can be. Like a social engineering attack, defending against one requires research and information: with an understanding of the vulnerability, of how it is exploited, and of the taxonomy of methods and techniques, along with data from reported breaches, we can build a suitable strategy to defend against potential social engineering attacks. We know that technical controls can enable avenues for defense; however, it is the focus on an interactive security awareness campaign that will provide the best defense. As Ford (2018) states, “Social engineering attacks exploit misplaced trust, not stupidity”, so ensuring a positive security culture is the final key.

There is no ‘fool-proof’ or single approach to security. However, with research into contemporary methods and reported breach data, a suitable defense strategy can be developed. Focused technical controls and a well-planned security awareness program, coupled with a positive security culture, will make it more difficult for a social engineer to successfully exploit an organization or the people within it.

Bibliography

  1. Avecto. (2016). Know your threats series: Social engineering. United Kingdom: Avecto.
  2. Brower, J. (2010). Which Disney© Princess are YOU? (Web 2.0) Social Engineering on Social Networks. SANS Institute.
  3. CBS Entertainment. (2019). Vulcans. Retrieved January 2019, from www.startrek.com: http://www.startrek.com/database_article/vulcans
  4. Eckstrom Consulting. (2018, February 16). What makes social engineering attacks so effective? Retrieved from www.eckstromconsulting.com: https://www.eckstromconsulting.com/blog/what-makes-social-engineering-attacks-so-effective
  5. Ford, N. (2018, August 31). 5 ways to mitigate social engineering attacks. Retrieved from www.grcelearning.com: https://www.grcelearning.com/blog/5-ways-to-mitigate-social-engineering-attacks
  6. Grimes, R. A. (2017). Hacking the Hacker: Learn from the Experts Who Take Down Hackers. Indianapolis, IN: John Wiley & Sons, Inc.
  7. Hadnagy, C. (2018). Social engineering: the science of human hacking (Second edition.). Indianapolis, IN: John Wiley & Sons, Inc.
  8. Herley, C., & Pieters, W. (2015). “If you were attacked, you’d be sorry”: Counterfactuals as security arguments. New Security Paradigm Workshop (NSPW) (pp. 112-123). New York: Association for Computing Machinery (ACM). https://doi.org/10.1145/2841113.2841122.
  9. Ivaturi, K., & Janczewski, L. (2011). A Taxonomy for Social Engineering attacks. International Conference on Information Resources Management (CONF-IRM) (p. 15). CONF-IRM 2011.
  10. Krebs, B. (2015, August 07). Tech Firm Ubiquiti Suffers $46M Cyberheist. Retrieved from KrebsOnSecurity.com: https://krebsonsecurity.com/2015/08/tech-firm-ubiquiti-suffers-46m-cyberheist/
  11. Krombholz, K., Hobel, H., Huber, M., & Weippl, E. (2013). Social engineering attacks on the knowledge worker. Proceedings of the 6th International Conference on Security of Information and Networks (pp. 28-35). Vienna, Austria: https://www.researchgate.net/publication/262393147.
  12. Merriam-Webster. (2019, January 14). Dictionary: Overshare. Retrieved from merriam-webster.com: https://www.merriam-webster.com/dictionary/overshare
  13. Merriam-Webster. (2019, January 11). Dictionary: Social. Retrieved from merriam-webster.com: https://www.merriam-webster.com/dictionary/
  14. Mitnick, K. D., & Simon, W. L. (2003). The Art of Deception: Controlling the Human Element of Security. John Wiley & Sons.
  15. Northcutt, S. (2009, September 1). Security Controls. Retrieved from sans.edu: https://www.sans.edu/cyber-research/security-laboratory/article/security-controls
  16. Perlroth, N. (2017, October 03). All 3 Billion Yahoo Accounts. Retrieved from www.nytimes.com: https://www.nytimes.com/2017/10/03/technology/yahoo-hack-3-billion-users.html
  17. Peterson, A. (2014, December 18). The Sony Pictures hack explained. Retrieved from www.washingtonpost.com: https://www.washingtonpost.com/news/the-switch/wp/2014/12/18/the-sony-pictures-hack-explained/?noredirect=on&utm_term=.8fb5e2fdc713
  18. Spielberg, S. (Director). (2002). Catch Me If You Can [Motion Picture].
  19. Spitzner, L. (2018). Top 3 Reasons Security Awareness Training Fails. Retrieved January 2019, from www.sans.org: https://www.sans.org/security-awareness-training/blog/top-3-reasons-security-awareness-training-fails
  20. Walker, M. (2016). CEH: Certified Ethical Hacker All-in-One Exam Guide, Third Edition. New York: McGraw-Hill Education.
  21. Whipple, A. S. (2016, May 13). Hacker psychology: Understanding the 4 emotions of social engineering. Retrieved from NetworkWorld from IDG: https://www.networkworld.com/article/3070455/cloud-security/hacker-psychology-understanding-the-4-emotions-of-social-engineering.html
  22. Zetter, K. (2011, August 26). Researchers Uncover RSA Phishing Attack, Hiding in Plain Sight. Retrieved from www.wired.com: https://www.wired.com/2011/08/how-rsa-got-hacked/

Social Engineering’s Definition and Its Impact on Society: Analytical Essay

Abstract

While the image of a person with high technical skills exploiting a system has been used many times to depict a hacker, a new type of attack is changing that: the Social Engineering attack. This paper explains in more depth what Social Engineering is and the principle behind it. Popular attacks based on Social Engineering are mentioned, and how one such attack is executed is explained in detail. The appearance of Social Engineering in our surrounding digital environment, from home to work, is also discussed. The severity and scale of these attacks are rising and threaten the cyber world from individuals to corporations. As a small contribution to making Social Engineering attacks less effective, this paper hopes to raise readers’ awareness and to give adversaries a harder time attacking.

Keywords: Social Engineering, phishing, vishing, cyber world, principle.

Social engineering’s definition and its impact on society

Cyber-attacks have been a very hot topic in a world where technology is advancing rapidly and everything is being automated. When cyber attacks are mentioned, many people imagine a talented hacker in front of his devices exploiting and breaching a system in no time. But what if a single phone call is enough to execute an attack? These types of attacks are called Social engineering attacks, and they are on the rise. This paper will provide information about Social engineering attacks, their appearance, and their impacts on society. Social engineering can be confused with the term ‘social engineering’ as used by people who are not familiar with information technology to express their negative views, for example, “the government engineering its people through social means” (Security through education, n.d.). To clear up the confusion, this thesis will focus only on Social engineering in information technology.

Social engineering is a technique employed by cybercriminals, designed to lure unsuspecting users into sending them their confidential data, infecting their computers with malware, or opening links to infected sites (Kaspersky Lab, n.d.). For more than 90% of successful attacks, the human is the “kill switch” (Frumento, 2018). This means that without human error the attack won’t start. As the figure above states, human error contributes to almost all Social engineering attacks. To understand and explain why this happens, more definitions need to be looked at. Manipulating people’s minds plays a key role in Social engineering attacks; it can define success or failure, and nearly all vectors are built around it. Without it, there is a high chance a hacker will fail to impersonate and will expose themselves, as if the target’s thinking cannot be predicted by the attacker, they will have a hard time extracting information from them. There are many tactics an attacker can execute. One way is to play around with the victim’s mind. For example, by applying reciprocity, the attacker can offer to help the victim solve something, such as fixing technical problems, in return for favors, which usually means telling them to do things that will trigger the attack. Another way is to make a fake threat; victims will usually try to cooperate to solve the problem, and if the attackers spot this, they will try to extract information along the way. With vectors built around this ideology, Social engineering attacks can be used in nearly every corner of the internet, from a person’s social networks to their bank account, which makes them a threat even to an experienced person. There are many Social engineering vectors and nearly all of them exploit the victim’s behavior. The most popular vectors are Phishing, Vishing, and so on. Phishing is a form of fraud in which an attacker masquerades as a reputable entity or person in email or other communication channels. The attacker uses phishing emails to distribute malicious links or attachments that can perform a variety of functions, including the extraction of login credentials or account information from victims (Rouse, Phishing, 2017). Vishing (voice or VoIP phishing) is an electronic fraud tactic in which individuals are tricked into revealing critical financial or personal information to unauthorized entities. Vishing works like phishing but does not always occur over the Internet and is carried out using voice technology. A vishing attack can be conducted by voice email, VoIP (voice over IP), or landline or cellular telephone (Rouse, vishing (voice or VoIP phishing), 2008). The two vectors above both use impersonation tactics to gain advantages over the victims. This tactic can be applied in nearly every field, making Social engineering one of the most used techniques. A further reason these attacks are so widespread is that the technical skills needed to execute them are lower than for other attacks; moreover, these attacks have the ability to target an individual, so attackers can now choose their victims based on the weaknesses they have spotted in them. For example, a non-technical person would obviously be a better target for a hacker than a person who works in the IT industry. These reasons significantly increase the success rate of social engineering attacks.

SE attacks are on the increase and have already been lurking around in daily life. Online services are the perfect environment for them, as distant, non-physical exchanges can create a middle man who, in this situation, can easily act like the legitimate side to gain trust from the other party and make them give out information a third party should not know. As more and more companies shift and offer their services online to reduce cost and for the sake of convenience, the attack surface increases at a proportional rate, which means criminals can knock on anyone’s cyber doors. The information the attackers usually aim at is very sensitive and can turn a life upside down if exposed: for example, bank account information, personal identity, confidential matters, and so on. The exposed information can then be used for personal gain; they can cash out money from the victim’s bank account, sell the identity online, and blackmail the victim to keep the confidential matter from being publicized. In the early days of the internet boom, social engineering was not a very big problem; the logic and tactics were usually defined by IT experts or specialized hackers whose expertise does not fit the concept of SE attacks. But times changed, and so did this: a new force joined the race, people who majored in a psychology-related field. In other words, the upgrades they brought to SE attacks make them extremely hard to spot. One of the best ways to avoid this is not to react with the natural human reaction; this can be used to dodge set traps if an individual follows a mediocre path. For example, a normal person, when confronted with a fake problem related to their bank account by a self-proclaimed banker, would try to seek help from the claimed banker, which would make them likely to fall into the trap the impersonator has set up to extract information under the guise of helping solve the fake problem. A different and unusual but effective approach is, instead of seeking help immediately, to check the reliability of the other side first to confirm that it is legitimate; in this situation, hang up the call and redial the bank directly instead. This procedure can be applied and executed in nearly every online service, making it an effective defense.

Who is to blame for the rise of these attacks? Technical flaws, a new exploiting technique? According to Kevin Mitnick (Mitnick, 2002), “The biggest threat to the security of a company is not a computer virus, an unpatched hole in a key program or a badly installed firewall. In fact, the biggest threat could be you”. Today, only about 3% of malware tries to exploit an exclusively technical flaw. The other 97% target users instead, through Social Engineering (SE) (Frumento, 2018). The statistic above demonstrates which tactics hackers prefer: targeting individuals outnumbers finding security flaws. Understanding why one choice overwhelms the other should not be difficult. Hackers can either find flaws and holes in the security shield of a company that has spent a fortune on protecting itself, by outthinking the experienced security specialists in charge, or try to compromise one individual among thousands of employees to break through. The Yahoo! security breach (Gonsalves, 2012) was one of the worst SE attacks to happen to a company; the tactic was to send bait in the form of emails carrying malware. The emails were sent to a selected group, in this case privileged Yahoo employees. Although choosing a specific group sounds unnecessary and inefficient, it keeps the attack low-profile and avoids any effective countermeasures being used against it. The plan worked: someone took the bait and exposed Yahoo’s internal network to the malware. The hackers could then access Yahoo’s user database, which at the time held a staggering 500 million users, including their usernames, phone numbers, security questions and answers, password recovery emails, and cryptographic values associated with each account. This attack illustrates the situation companies are facing.
There is no doubt that a company as big as Yahoo must have had serious security defenses in place, but it was not those that brought havoc; it was in fact the company’s employees, whom the defensive sphere cannot reach. In other words, a company’s security teams need to solve a non-technical problem concerning employees, which lies beyond their field. The story also shows how one single weak link in a long human chain is enough to bring a company to a crisis. Solutions are urgently needed, since these attacks have proven to have both high success rates and devastating effects. Most published solutions try to address the problem by targeting employees’ mindset towards technology. Among those that many companies have adopted are setting up procedures and creating security-awareness courses. Having procedures means creating restrictions to filter out unwanted material: for example, always double-check an email’s validity before opening it, and do not use the internet for personal rather than work-related purposes, as this can expose the company’s internal systems to outside threats. Security awareness courses, on the other hand, teach employees to spot potential threats and ways to deal with them. But both solutions share the same issue: they rely on human factors, which means that for them to work, rules need to be strictly followed and employees need to be alert to threats at all times; moreover, many procedures and courses leave too little impression to remind employees of what they have learned. Because of these drawbacks, many specialists are developing further solutions.

Social engineering has made an impact on nearly every part of our lives. From one wrong click to trusting the wrong person, any of these can get you in trouble in the cyber world. But if you are always on alert, attackers will have a hard time getting through. At work, a sense of danger on the internet is also needed, because you are now part of the security and one wrong move can be exploited as the bridge for an attack to breach the company and make it lose a fortune; this should never happen. Social engineering attacks will remain and expand their impact in the cyber world, and being always alert is a very great weapon against them, as it helps you avoid the mistakes that are the main cause of successfully executed attacks.

References

  1. Becker, K., & Pape, S. (2016). A Serious Game for Eliciting Social Engineering Security Requirements. 2016 IEEE 24th International Requirements Engineering Conference (RE) (pp. 16-25). Beijing: IEEE.
  2. Frumento, E. (2018, May 14). Estimates of the number of Social Engineering based cyber-attacks into private or government organizations. Retrieved from DOGANA Project: https://www.dogana-project.eu/index.php/social-engineering-blog/11-social-engineering/94-estimates-of-social-engineering-attacks
  3. Gonsalves, A. (2012, July 12). Yahoo security breach shocks experts. Retrieved from CSOOnline: https://www.csoonline.com/article/2131970/yahoo-security-breach-shocks-experts.html
  4. Kaspersky Lab. (n.d.). Social Engineering – Definition. Retrieved from AO Kaspersky Lab: https://usa.kaspersky.com/resource-center/definitions/social-engineering
  5. Mitnick, K. (2002, October 14). How to hack people. Retrieved from BBC News: http://news.bbc.co.uk/2/hi/technology/2320121.stm
  6. Rouse, M. (2008, February). vishing (voice or VoIP phishing). Retrieved from TechTarget: https://searchunifiedcommunications.techtarget.com/definition/vishing
  7. Rouse, M. (2017, October). Phishing. Retrieved from TechTarget: https://searchsecurity.techtarget.com/definition/phishing
  8. SECURITY THROUGH EDUCATION. (n.d.). Social Engineer, Inc. Retrieved from The Social Engineering Framework: https://www.social-engineer.org/framework/general-discussion/categories-social-engineers/governments/

Security System. Social Engineering – Phishing

Introduction

Social engineering refers to the collection of techniques that are used to influence people towards performing certain actions or divulging other people’s confidential information. One aspect of social engineering is phishing, which is the attempt to obtain personal and sensitive information such as usernames, passwords, and credit card details through unlawful and deceitful means, by camouflaging oneself as a reliable entity in electronic communication. Usually, it is carried out through instant messaging, email, and even phone contact (Ollmann, G. 2006).

The most common targets of phishing include online banks, which regulate the transfer of money via the internet; eBay, which involves the buying and selling of goods via the internet by means of credit card transactions; and PayPal, which is also an online company concerned with the transfer of funds and therefore holds credit card details and other confidential details of its clients. Phishing is usually performed through emails or instant messaging services (Tan, Koon. Phishing and Spamming via IM (SPIM)), by directing consumers to reveal information at a website. In this way, phishing is an example of a social engineering technique that is effectively employed to fool users convincingly. To deal with the increasing number of phishing occurrences there should be additional cyber laws, user training, and public awareness programs to guide and inform internet users about the technical manner in which phishing is usually carried out.

Phishing techniques

Phishing may be performed in several ways, including website forgery, link manipulation, filter evasion, and phone phishing (Ponnurangam, K. 2006).

Website forgery

Websites are effectively forged by criminals by altering the address bar using JavaScript commands, which can be easily accomplished by placing a picture of a legitimate URL over the address bar, or alternatively by closing the original address bar and opening a new one showing the legitimate URL (Mutton, Paul. ‘Fraud Watch International’). Once the victim visits the website, the invader may use the flaws of the website’s scripts against the prey.

He can attack the victim using ‘cross-site scripting’, which is on the whole very tricky, because the victim is directed to ‘sign in’ at the web page of their own bank or service, where everything, including the web address and the security certificate, appears correct. The craftiness of the invader lies in creating a link to the website that carries out such an attack; the link is very complex and cannot be easily recognized (Krebs, Brian Flaws ‘Financial Sites Aid Scammers’).

There are anti-phishing systems that can scrutinize websites for phishing-related text, but phishers have devised newer ways to avoid even these. They use websites that are ‘Flash-based’, which look like the real websites but hide the text inside multimedia objects (Miller, Rich, ‘Phishing Attacks Continue to Grow in Sophistication’).

Manipulation of links

This method involves designing various technological tricks to create a link in an email which appears to the victim to belong to the spoofed organization. Phishers easily accomplish this by employing misspelled URLs or, alternatively, subdomains. An additional method is to use anchor text that seems valid when in reality the link leads straight to the phisher’s site. A more traditional method of cheating is the use of links that include the character ‘@’, which was formerly used to include a username or even a password in the address (Berners-Lee, Tim. IETF Network Working Group).

For instance, such a link could easily mislead a casual surfer into supposing that it would open a page of the Yahoo website, which is actually ‘www.yahoo.com’, while in reality it directs the browser to the page ‘members.mail.net’, which can open even if the username is not provided.

Filter evasion

Even though the filtering techniques devised to block phishing have now improved, spammers send more messages without any extra cost being levied on them, as the major cost of email is borne by the recipient rather than the sender. So even if some fraction of their messages is blocked, they compensate by sending that many more messages. Spammers can also evade filtering by using various techniques to defeat spam detection approaches, such as keeping a massive set of email templates that is constantly refreshed, using misspellings and confusing words, or creating unique copies of the message in each campaign.

Phone Phishing

This is a very simple method of phishing, because it does not require a website and can be carried out entirely over the phone, and it is very difficult to trace the source of the attack. This method is generally used before hacking, to establish the groundwork of the attack by acquiring the required information over the phone. The hacker usually presents himself as the company’s support staff or an administrator.

It is therefore essential to think before answering, since the answers can reveal more than is required. The attack could also take the form of a simple message from a bank instructing the recipient to dial a phone number to clarify certain problems with their bank account (Gonsalves, Antone, ‘Phishers Snare Victims With VoIP’), and subsequently asking them to enter their account number followed by the PIN code, thereby achieving the desired result. The calls may even be answered by fake persons claiming to be staff of a reputed company (‘Identity thieves take advantage of VoIP’, Silicon.com).

How phishing works and how we can prevent/protect ourselves from it

Several stratagems can be employed to combat phishing attempts by criminals. The best way is to train and educate people to identify and deal with such attempts when they notice them, which can be done through awareness programs run by websites and agencies on the internet (Ponnurangam Kumaraguru, 2006). Web users and internet surfers should also take the initiative themselves by consciously modifying their regular browsing practices. When contacted about the need to verify an account, or for any other purpose, it is wise to first confirm the legitimacy and source of the company from which the email has originated.

In all cases, the use of hyperlinks in such messages must be avoided, and the regular practice of typing the genuine website address of the company into the address bar of the browser must be adopted (Hex View, Anti-Phishing Tips You Should Not Follow).

Web users and regular web surfers must be alert at all times to any difference in the emails they receive from companies, as almost all company emails to their customers contain some piece of information that is seldom readily available to phishers. For example, PayPal always addresses its customers by their usernames in the emails it sends them. So if a customer gets an email with a generic salutation such as “Dear PayPal customer”, the recipient must instantly realize that it is a phishing attempt (Protect Yourself from Fraudulent Emails, PayPal).

Internet browsers and surfers must be regularly alerted and warned about deceptive websites by technical internet companies. The use of spam filters can additionally reduce the number of phishing emails that reach the inboxes of potential victims. Upon recognizing a phishing attempt, users should report the incident to volunteer and/or industry groups (Schneier, Bruce 2006. PhishTank. Schneier on Security).

The damages of phishing are plenty and can result not only in the loss of access to personal email but also in monetary loss. The ease with which information such as credit card numbers or security PINs can be extracted from individuals via the internet or email makes phishing a rather simple way to make big money, and cyber theft a rather easy crime to commit. It has been estimated that phishing caused losses to approximately 1.2 million computer users in the United States of America alone between May 2004 and 2005, amounting to nearly $929 million, and that 1 in every 20 users has claimed to have been misled by phishing (The Phishing Guide: Understanding and Preventing Phishing Attacks – TechnicalInfo.net).

Conclusion

In the past few years, there has been a considerable emergence of technology to prevent spam and phishing attempts by these spammers. A considerable number of mailboxes are nowadays well protected from spam messages, forcing spammers to use alternative, frantic measures to keep prospering in the emerging world of email. New technology focuses more on identifying and validating email senders, making it exceedingly complicated for spammers to conceal themselves, and they now face a continuous risk of reprisal.

Since the process is getting more and more difficult, very many have given up these notorious activities as the profit margins are on a decline owing to the growing awareness among the users regarding such occurrences. However, one must at all times be at guard and remain alert to any abnormal phishing activities which can take place with anyone anytime anywhere.

References

Aaron Emigh, Radix Partners Anti-Phishing Technology, Report in conjunction with the United States Secret Service San Francisco Electronic Crimes Task Force, 2004.

Berners-Lee, Tim 2006 ‘IETF Network Working Group’ Email Address Harvesting: How Spammers Reap What You Know, FTC Consumer Alert.

Gonsalves, Antone 2006 ‘Phishers Snare Victims With VoIP’.

Hex View, 2006 ‘Anti-Phishing Tips You Should Not Follow’.

‘Identity thieves take advantage of VoIP’, Silicon.com.

Krebs, Brian Flaws 2004 ‘Financial Sites Aid Scammers’.

Matthew Prince, Project Honeypot, The Third Spam Conference, MIT Jan 2005.

Michael Pastore, Phishing is Up and It Has Consumers Down, Inside ID, 2004.

Miller, Rich, 2007 ‘Phishing Attacks Continue to Grow in Sophistication’.

Mutton, Paul, 2006 ‘Fraud Watch International’.

Ollmann, G. 2006 ‘The Phishing Guide: Understanding and Preventing Phishing Attacks’.

Tan, Koon. Phishing and Spamming via IM (SPIM).

Ponnurangam, K. 2006 ‘Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System’.

‘Protect Yourself from Fraudulent Emails’, PayPal 2006.

Schneier, Bruce 2006, ‘PhishTank – Schneier on Security’.

‘The Phishing Guide: Understanding and Preventing Phishing Attacks’, TechnicalInfo.net.

Information Security. Social Engineering – Phishing

Introduction

Social engineering refers to the collection of techniques that are used to influence people towards performing certain actions or divulging other people’s confidential information. Phishing is defined as the attempt to fraudulently and criminally obtain private information such as passwords, credit card details, and usernames, with the offender presenting himself in electronic communication as a trustworthy entity. Common targets include PayPal, eBay, and online banks. Usually, it is carried out through instant messaging, email, and even phone contact, Ollmann, G. (2006).

Examples of phishing techniques

These include website forgery, link manipulation, filter evasion, and phone phishing, Ponnurangam, K. (2006).

Website forgery

In some of these scams, a website’s address bar is altered using JavaScript commands. This can be done either by opening a new address bar showing the legitimate URL after closing the original one, or by placing a picture of a legitimate URL over the address bar. Cross-site scripting is also applied by the attacker within a trusted website’s own scripts. The website’s link is usually crafted so that the user is directed to sign in at their service’s own web page or at their bank, where the security certificate and web address appear correct. PayPal was a victim of this in the year 2006. Phishers have now begun to make use of Flash-based websites that hide text within a multimedia object but still appear to be the real website, Ponnurangam, K. (2006).

Manipulation of links

This kind of deception mostly makes an email link, as well as the spoofed website it leads to, appear to belong to the spoofed organization. The common tricks used here are subdomains or misspelled URLs. Phishers can also make the anchor text of a link appear valid when in fact it leads to the phisher’s site. The use of a link containing the ‘@’ symbol is one of the old methods of phishing, where victims are deceived into opening sites that seem familiar because the link starts with a well-known name, such as http://www.google.com@members.com. The page that opens is on the members.com website, with www.google.com being used as the user name.

Despite the username being supplied, the website opens normally. Although such URLs are disabled in Internet Explorer, Opera and Mozilla instead show a warning message with the option to continue or cancel the operation.

Filter evasion

In this approach, phishers use images in place of text in order to avoid the anti-phishing filters that commonly detect text applied in phishing.
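The following checker is an added example, not code from any of these essays or their sources. It applies, to the HTML body of an e-mail, the link-manipulation checks described in the two “Manipulation of links” sections above (the ‘@’ userinfo trick, a trusted name used as a subdomain of another site, and one- or two-character misspellings of a trusted domain), the anchor-text-versus-real-target comparison, the generic “Dear PayPal customer” salutation noted earlier, and the image-only body described in this section. The trusted-domain list, the indicator names, and the three sample messages (with hosts such as members.example.net and paypa1.com) are constructed for the illustration.

```python
"""Phishing indicator checker (added example; all names and samples are constructed)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allow-list; a real deployment would carry the organisation's own brands.
TRUSTED_DOMAINS = {"paypal.com", "ebay.com", "yahoo.com", "google.com"}
GENERIC_GREETING = re.compile(
    r"\bdear\s+(?:valued\s+)?(?:\w+\s+)?(?:customer|user|member|client)\b", re.I)
ADDRESS_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collects (anchor text, href) pairs, image sources and the visible text."""

    def __init__(self):
        super().__init__()
        self.links, self.images, self.texts = [], [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href, self._anchor = attrs.get("href", ""), []
        elif tag == "img":
            self.images.append(attrs.get("src", ""))

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._anchor).strip(), self._href))
            self._href = None

    def handle_data(self, data):
        self.texts.append(data)
        if self._href is not None:
            self._anchor.append(data)


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); enough for the brands in the allow-list."""
    return ".".join(host.lower().split(".")[-2:])


def analyse_url(url):
    """Return (code, detail) indicators for a single link target."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    dom = registrable_domain(host)
    # The browser treats everything before '@' as a username, not as the site.
    if parts.username is not None:
        findings.append(("userinfo-trick", f"'{parts.username}' is userinfo; real host is {host}"))
    for trusted in TRUSTED_DOMAINS:
        if dom == trusted:
            continue
        if f".{trusted}." in f".{host}.":  # brand appears only as a subdomain label
            findings.append(("subdomain-trick", f"{trusted} is only a subdomain of {dom}"))
        elif 0 < edit_distance(dom, trusted) <= 2:
            findings.append(("lookalike-domain", f"{dom} resembles {trusted}"))
    return findings


def analyse_email(html):
    """Run every check over one HTML message body; returns a list of (code, detail)."""
    parser = _LinkCollector()
    parser.feed(html)
    text = " ".join(t.strip() for t in parser.texts if t.strip())
    findings = []
    greeting = GENERIC_GREETING.search(text)
    if greeting:
        findings.append(("generic-greeting", greeting.group(0)))
    if parser.images and len(text) < 40:  # filter evasion: the message is a picture
        findings.append(("image-only-body", f"{len(text)} visible chars, {len(parser.images)} image(s)"))
    for anchor, href in parser.links:
        findings.extend(analyse_url(href))
        if ADDRESS_LIKE.fullmatch(anchor):  # anchor text that itself looks like an address
            shown = urlsplit(anchor if "://" in anchor else "http://" + anchor).hostname or ""
            real = urlsplit(href).hostname or ""
            if registrable_domain(shown) != registrable_domain(real):
                findings.append(("anchor-mismatch", f"text shows {shown}, link goes to {real}"))
    return findings


def indicator_codes(html):
    """Just the distinct indicator names, sorted, for quick comparison."""
    return sorted({code for code, _ in analyse_email(html)})


# Constructed sample messages; every host below is made up for the example.
LEGIT_SAMPLE = """<html><body><p>Dear Alice,</p>
<p>Your statement is ready at <a href="https://www.paypal.com/statements">www.paypal.com</a>.</p>
</body></html>"""
PHISH_SAMPLE = """<html><body><p>Dear PayPal customer,</p>
<p>We detected a problem. Please open <a href="http://www.paypal.com@members.example.net/login">www.paypal.com</a>
or <a href="http://paypa1.com/verify">our secure site</a>, then
<a href="http://www.paypal.com.secure-update.example/">update now</a>.</p></body></html>"""
IMAGE_SAMPLE = '<html><body><a href="http://paypa1.com/x"><img src="http://paypa1.com/notice.png"></a></body></html>'

if __name__ == "__main__":
    for name, body in [("legit", LEGIT_SAMPLE), ("phish", PHISH_SAMPLE), ("image", IMAGE_SAMPLE)]:
        print(name, indicator_codes(body))
```

The userinfo check relies on the standard URL parser rather than on string searching for ‘@’, so it reports what a browser would actually connect to. The other checks are heuristics: a two-label registrable domain and a small edit distance are enough for the brands in the constructed list but would need a public-suffix list and a tuned threshold in production.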

Phone phishing

Also called vishing (voice phishing). In this kind of fraud, messages purporting to come from a trustworthy organization such as a bank direct users to call a certain phone number to resolve a problem with their account. When the number, which the phisher has obtained through a Voice over IP provider, is dialed, users are directed to enter their PIN and account number. Vishing may also use fake caller-ID data to give the call the appearance of coming from a trustworthy organization, Ponnurangam, K. (2006).

Financial losses and denial of access to email and bank accounts are some of the damages caused by phishing fraud. There are both technical and social measures that can be taken to avoid phishing. Technical responses include software that helps users identify legitimate sites, augmented password logins, monitoring of websites, eliminating phishing mail, and legal responses. Socially, people should be trained to recognize and deal with phishing attempts, Stuart, S. (2007).

Conclusion

United States businesses alone could be losing up to US$2 billion every year as citizens become victims of phishing. The advice from banks and other organizations that customers take serious precautions is not to be ignored. Information security processes of ongoing training, protection, assessment, monitoring and detection, response and repair, as well as review of documented incidents, should be enhanced. People can avoid being conned through phishing by modifying or changing their browsing habits. This could be as simple a step as verifying the information they have been asked to provide directly with the company.

Reference

Ollmann, G (2006). The Phishing Guide: Understanding and Preventing Phishing Attacks. Technical Info.

Ponnurangam, K., Yong, W., Rhee, A. A., Lorrie, C., Jason, H. and Elizabeth N. (2006.). Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System. Technical Report CMU-CyLab-06-017, CyLab, Carnegie Mellon University.

Stuart, S., Rachna, D., Andy, O. and Ian, F. (2007). The Emperor’s New Security Indicators: An evaluation of website authentication and the effect of role playing on usability studies. IEEE Symposium on Security and Privacy.

Social Engineering Techniques and Security Countermeasures

Introduction

In modern times, one of the most common ways of compromising the security of an organization’s or individual’s information is through social engineering. The successful application of its techniques has enabled attackers and hackers to access sensitive and crucial information from computer and network systems.

Social engineering is a method of accessing data, systems, or buildings by making the best use of human psychology instead of using complicated methods of hacking or breaking in. The attackers manipulate individuals into providing or revealing the information they need to gain access to secured systems. In most cases, the victims never realize that they have been tricked or manipulated, or that their systems have been hacked (Hadnagy, 2010).

The common reasons for social engineering are getting access to information or network systems without authorization, committing fraud, theft of identity, industrial espionage, and disruption of a network or system.

Attackers use different methods in social engineering. One is the exploitation of familiarity: the attackers gain the trust of the individuals they want to exploit by familiarizing themselves with them. An attacker may impersonate someone in authority and request sensitive information through emails and phone calls. Pretending to be someone well known to other employees, the attacker may send emails directly to the employees’ email accounts with the intention of obtaining sensitive information. An attacker may also retrieve important organizational documents from the organization’s dumpster. An attacker may create pop-ups, hijack an individual’s web search, and redirect the search to their own page (Williams and Sawyer, 2012). The hacker may also send an online form to targets claiming that there is a sweepstakes competition and requesting the individual’s details. Once this information is obtained, they use it for their intended purpose. Another, more complicated method used by attackers is reverse social engineering: the hacker impersonates someone in authority, and the employees find themselves asking him questions. This last method needs adequate planning, research and execution to be successful (Tolman, 2008).

The attackers use tactics that convince their targets to trust them and eventually provide crucial and private information. The attackers also ensure that they never ask for too much information from one individual but ask for little information from several people.

Impact of social engineering and prevention

Social engineering in most cases has a negative impact on an organization, especially with regard to information security. It may lead to the hacking of employees’ email accounts and the retrieval of vital information that the attacker can use to gain access to the organization’s financial information. Gaining access to such information may result in loss of revenue, reduced productivity and loss of reputation for the organization.

Fighting or preventing social engineering should be an organization’s priority. One strategy is deploying strict security rules at all levels and securing the organization’s network. Even employees with high positions and authority in an organization should have access to as few sensitive accounts as possible; only those who must access the accounts and specific resources of importance should hold them. These powerful accounts need regular audits and strong authentication. It is also important to regularly audit both successful and unsuccessful attempts to access company information (Mann, 2012).
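One way to act on the audit recommendation above, as an added example that is not code from the essay or from Mann (2012): read an access log of successful and unsuccessful attempts and report two things worth a reviewer’s attention, accounts that succeeded right after a run of failures (credentials obtained or guessed after earlier refusals) and privileged resources reached from a source the organization has not seen before. The log format, the account and resource names, the addresses and the threshold of three failures are all constructed for the illustration.

```python
"""Access-audit check (added example; log format, names and addresses are constructed)."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"resource=(?P<resource>\S+) result=(?P<result>SUCCESS|FAILURE)$")

# Constructed sample log, already in chronological order; the last line is noise.
SAMPLE_LOG = """\
2024-03-04T08:01:12Z user=alice src=10.1.4.22 resource=finance-share result=SUCCESS
2024-03-04T08:03:40Z user=bob src=203.0.113.9 resource=finance-share result=FAILURE
2024-03-04T08:03:52Z user=bob src=203.0.113.9 resource=finance-share result=FAILURE
2024-03-04T08:04:05Z user=bob src=203.0.113.9 resource=finance-share result=FAILURE
2024-03-04T08:04:30Z user=bob src=203.0.113.9 resource=finance-share result=SUCCESS
2024-03-04T08:10:02Z user=carol src=10.1.4.23 resource=wiki result=FAILURE
2024-03-04T08:10:15Z user=carol src=10.1.4.23 resource=wiki result=SUCCESS
this line is not an access record and is skipped
"""


def parse_line(line):
    """Turn one log line into a dict, or None if it is not an access record."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(lines, privileged_resources, known_sources, fail_threshold=3):
    """Walk the log once and collect the findings described above.

    Returns a dict with:
      failure_counts                 - total failed attempts per account
      failed_then_succeeded          - (user, src, failures): a success that followed
                                       at least fail_threshold consecutive failures
      privileged_from_unknown_source - (user, src, resource): a success on a
                                       privileged resource from an unlisted source
    """
    findings = {"failure_counts": {}, "failed_then_succeeded": [],
                "privileged_from_unknown_source": []}
    streak = defaultdict(int)  # consecutive failures per (user, src)
    for event in filter(None, map(parse_line, lines)):
        key = (event["user"], event["src"])
        if event["result"] == "FAILURE":
            streak[key] += 1
            findings["failure_counts"][event["user"]] = (
                findings["failure_counts"].get(event["user"], 0) + 1)
            continue
        # A success resets the streak; a long streak before it is the interesting case.
        if streak[key] >= fail_threshold:
            findings["failed_then_succeeded"].append((event["user"], event["src"], streak[key]))
        streak[key] = 0
        if event["resource"] in privileged_resources and event["src"] not in known_sources:
            findings["privileged_from_unknown_source"].append(
                (event["user"], event["src"], event["resource"]))
    return findings


if __name__ == "__main__":
    report = audit(SAMPLE_LOG.splitlines(), {"finance-share"}, {"10.1.4.22", "10.1.4.23"})
    for name, value in report.items():
        print(f"{name}: {value}")
```

The two lists are deliberately separate: a run of failures followed by success is worth a look on any account, while the unknown-source check applies only to the privileged resources the text says should be held by as few people as possible. Both keys in the sample report point at the same event, which is the pattern an auditor would want to see first.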

An organization should also have systems in place for detecting and investigating potential attacks. It should also deploy virtual teams able to counter attacks by identifying the targeted areas and the compromised resources. Such a team would also counter any attack in progress without interfering with company operations, and establish ways of preventing similar attacks in future. The company should determine whether its policies and technology have loopholes that make it vulnerable to such attacks, and make it a priority to change or minimize the use of such processes or technologies.

Putting in place courteous policies that ensure secure behavior among employees and the organization’s partners, without anyone feeling offended, would be of great help. Access to information or locations considered sensitive should require approval from the responsible authorities. Awareness programs are critical, especially concerning policies, processes, and technology. The guidance established should be realistic, durable, memorable, proven to be effective, consistent and concise (Mann, 2012).

Social engineering can also occur through the opening of malicious files. The organization should therefore train its employees on handling untrustworthy emails sent to their email addresses, so that the organization is not too vulnerable to such attacks.

It is very important for an organization to ensure the security of its information. To do this, the organization needs to train its employees in security awareness and use creative ways to ensure they understand the threats social engineering poses to the organization. Employees should also be educated on the skills and methods attackers use, on the roles they have to play in protecting the organization, and on how to avoid becoming victims of the attacks. The available information on how to uphold security ought to be regularly updated and refreshed; the meaning and importance of the message need continuous reinforcement so that people do not lose sight of it (Mann, 2012).

There should be emphasis on the enforcement of good behaviors where necessary. Attackers in most cases take advantage of the positive social norms and qualities that people possess in carrying out their attacks. Behaviors such as asking individuals to clarify their reasons for wanting to access specific locations or information need to be encouraged. At times, organizations or individuals need to stress that saying “no” to some requests is neither an offense nor a way of denying anyone a right; this restricts access to the specific locations and information. Policies that ensure users practice safe behaviors in realistic ways also need enforcement when the need arises. Users should be aware that such measures help protect them and the organization from the consequences of social engineering attacks.

References

Hadnagy, Christopher. (2010). Social Engineering: The Art of Human Hacking. New York: John Wiley & Sons

Mann, Ian. (2012). Hacking the Human: Social Engineering Techniques and Security Countermeasures. Aldershot: Gower Publishing

Tolman, William H. (2008). Social Engineering. South Carolina: BiblioBazaar

Williams, Brian & Sawyer, Stacey. (2012). Using Information Technology 10e Complete edition, 10th edition. McGraw-Hill Higher Education. Kindle Edition.

Social Engineering Attack and Response Methods

In the era of rapid data digitalization, cybersecurity has become an extremely important matter for enterprises’ data storage, privacy, and confidentiality. In order to feel more protected, companies invest heavily in cyber engineering and IT data protection. However, for the investment to be efficient, it is mandatory to anticipate every kind of information leak, along with an appropriate attack response rate. Considering these peculiarities, one might conclude that the most crucial factors in modern cybersecurity are individual awareness and the development of a proper neural cybersecurity network.

To illustrate the necessity of these attributes, an example of a social engineering attack, along with the process of responding to the issue, will be presented. Several years ago, a medium-sized enterprise was exposed to a cyber-attack aimed at stealing all the crucial data about access to the company’s bank accounts. Since the overall financial situation within the enterprise did not allow the management to develop an extensive cybersecurity department, by the time they discovered the intrusion, the attackers had already managed to access the confidential information.

The company’s CEO filed a lawsuit for cybercrime, and the first step assigned by the law enforcement agencies was the immediate initiation of an internal investigation. The detectives interviewed each of the employees in order to rule out information leaks inside the company. Although no employee was found guilty of a crime, the thorough investigation showed that one of the financial department workers had shared some confidential information during a private social media conversation with an acquaintance. Before filing a criminal charge, the detectives found that nobody in the company was responsible for the cybersecurity education of the employees. At present, the attackers have not been found, and the charges against the employee have been put on hold.

The example above demonstrates the primary importance of educating individuals on basic cyber protection patterns. Researchers claim that currently the vast majority of people believe cybersecurity to be the IT department’s exclusive responsibility, feeling no need to be educated on how to manage confidential data (Ghafir et al.). That is, people do not understand how sharing sensitive information on the Web might affect their employers and safety in general. For this reason, it is of crucial importance to develop a full-scale agenda of HR management education on basic labor rights, obligations, and cyber protection.

The issue described in the example touches on another problem relevant to modern enterprises: the lack of finance allocated to cybersecurity and to the IT department in general. However, with today’s rapidly advancing technology, funding a cyber safety department will not necessarily raise the level of the company’s protection. The only way to ensure such security, the author argues, is the implementation of a recurrent neural network, which enables the cyber protection mechanism to store the patterns of past attack attempts in order to anticipate and deal with future threats (Berman, 2019). Following this advice, although costly for the company’s overall budget, significantly decreases the risk of social engineering attacks by limiting the possibilities for information leaks and studying the patterns of cyber-attacks. Hence, the underestimation of cyber-attacks is a major mistake by enterprise management, as it leads to irrevocable damage.

Works Cited

Berman, Daniel S., et al. “A Survey of Deep Learning Methods for Cyber Security.” Information, vol. 10, no. 4, 2019, p. 122.

Ghafir, Ibrahim, et al. “Social Engineering Attack Strategies and Defence Approaches.” 2016 IEEE 4th International Conference on Future Internet of Things and Cloud (FiCloud), IEEE, 2016.

Malware and Social Engineering Attacks

Social Engineering Attacks

Social engineering attacks date back to the advent of the Internet, and before that, criminals used the telephone to masquerade as trusted agents in order to obtain information. The term “phishing” dates back to the mid-1990s, when it described the theft of Internet Service Provider (ISP) account credentials (Koyun and Al Janabi 7533). Since then, it has grown to cover a myriad of attacks that target sensitive data. As the world increasingly adopts technology and the online platforms the Internet provides, individuals are becoming more vulnerable to such attacks. Black hats, that is, attackers, take advantage of three primary factors: users’ unawareness of the threat, their unawareness of policy, and the technical sophistication of the attacks.

Today, the Internet is regarded as the most extensive medium for information exchange and communication. Information is distributed over several online channels, such as e-mail and social networking sites, to the extent that these channels have become part of both business and personal communication. Organizations expect their staff to be flexible and mobile about where they work, which has reduced face-to-face communication; as a result, an increasing amount of data is made accessible to employees through online channels. Moreover, as organizations increasingly rely on third-party service providers, file sharing and communication have shifted towards decentralized data access and cloud services (Koyun and Al Janabi 7533). Recently, weaknesses in these online data-sharing and communication channels have been used to steal sensitive data through techniques such as phishing, spear-phishing, baiting, and ransomware delivered by those means, among others. Such weaknesses can be fixed, and the security of these conduits reinforced.

In the future, the same tricks will be used with new technology, leading to more targeted and sophisticated attacks. Moreover, against manipulation by social engineers, the efficacy of such security-enhancing techniques is reduced. Social engineering attacks are considered among the most effective forms of hacking because humans are the weakest link in the system, and for this reason they are regarded as the most significant threat in virtual communities.

Aspects of Social Engineering Attacks

Social engineering attacks are multidimensional: they comprise social, physical, and technical aspects, which are employed at various stages of the actual breach. Such attacks often make use of malicious code or malware (worms, viruses, or bots).

Physical Approaches

In physical approaches, black hats carry out some kind of physical activity to collect data about a future victim. The data can range from personally identifiable information to credentials for a computer system. A commonly used technique is dumpster diving, in which the attacker searches through an organization’s trash for memos, print-outs, and other discarded documents containing sensitive information about employees or systems.

Social Approaches

Social approaches are regarded as the most essential aspect of social engineering attacks. Attackers often rely on socio-psychological methods, such as Cialdini’s principles of persuasion, to manipulate their victims (Koyun and Al Janabi 7534). One example is the use of purported authority. Baiting and spear-phishing attacks, on the other hand, require the attacker to establish a relationship with the future victim. They include reverse social engineering, in which the attacker builds trust with the victim in three steps: sabotage (creating a problem), advertising (presenting themselves as the one who can solve it), and assisting (fixing the problem while extracting the information they want).

Technical Approaches

Such attacks are usually performed over the Internet. Attackers use search engines to collect personal information about future victims from different Web sources. One commonly used tool is Maltego.

Cyber Attack Channels

The various cyber-attack channels include:

  • E-mail is the most popular channel for phishing and reverse social engineering attacks.
  • Instant messaging (IM) is also gaining popularity for phishing and reverse social engineering attacks.
  • Telephones and voice over IP (VoIP) are commonly used by social engineers to collect sensitive information from their victims.
  • Social media enable attackers to create fake identities, making it easy to identify targets and obtain sensitive data from them.
  • Cloud services (shared drives and collaboration platforms) are used to gain situational awareness of a collaboration scenario.
  • Websites are used for watering-hole attacks and, in conjunction with e-mails, for phishing attacks.

Prevention Techniques

The frequency and cost of cybersecurity breaches continue to rise, making it challenging to defend against today’s attacks. To provide security, system components require sufficient security measures to warrant reasonable protection.

Human-Based Mitigation

Human-based mitigation relies on human judgment to detect and prevent social engineering. It comprises two main approaches: policy and auditing, and education, training, and awareness. In the policy approach, rules for determining whether a situation is legitimate or an attack are implemented; auditing complements the policy-based method by evaluating the degree of exposure or awareness to malware and social engineering breaches. Education, training, and awareness (ETA) is an essential human-based mitigation strategy (Zulkurnain et al. 193), because most people who have fallen victim to breaches did so through a lack of knowledge about them and by ignoring passive warnings given by security devices. Educating employees is critical to ensure that the policies, standards, and procedures that have been created are effectively deployed (Zulkurnain et al. 193). Personnel need to be guided on how to recognize attacks and how to handle them when encountered.

However, human-based intervention has several issues. Although it is the most essential and popular measure for detecting and preventing malware and social engineering attacks, it has its disadvantages. First, human judgment remains subjective even after training, so attackers can still use emotional and psychological manipulation to obtain sensitive information. Second, security management standards only assess whether specific information security processes are present within an organization; they do not specify the content of such procedures in any detail. Third, new employees are the most common targets of attack, since they usually have neither completed security training nor developed loyalty toward the company. The only way to mitigate this is to restrict their access to organizational assets, which in turn limits how efficiently they can perform their duties.

Technology-Based Mitigation

Technology-based mitigation covers protecting the organization’s network and its physical environment. On the network, the primary function of a firewall is access control: by permitting only the inbound and outbound communication that is explicitly allowed in the organization’s firewall policy and denying everything else, it reduces the available attack vectors, and it is often regarded as the first line of defense (Zulkurnain et al. 194). The second element is defending the computing environment through operating system patching and hardening, antivirus updating, e-mail attachment filtering, log monitoring, and routine vulnerability scans. The physical environment, in turn, can be secured with sensors, biometrics, and social honeypots.
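The e-mail attachment filtering named above, together with sender-header sanity checks for the e-mail channel listed earlier, is shown below in an added example that is not part of the original essay or of the cited papers. It assumes a hypothetical protected domain, example-corp.com, and runs over constructed sample messages rather than captured mail. It flags look-alike sender domains, display names that carry a different address, Reply-To mismatches, executable and double-extension attachments, and macro-enabled Office files, and returns a block, quarantine, or allow verdict for each message.

```python
"""Added example (not from the cited papers): gateway-style checks for the
e-mail channel, covering sender-header sanity and attachment filtering, run
over constructed sample messages for the hypothetical domain example-corp.com."""
from __future__ import annotations

import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Executable or script payloads: block at the gateway.
BLOCKED_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs", "vbe",
    "wsf", "hta", "lnk", "iso", "img", "ps1", "msi", "jar",
}
# Macro-enabled Office formats: hold for review rather than deliver.
MACRO_EXTENSIONS = {"docm", "xlsm", "pptm", "dotm", "xltm"}

def normalize_domain(domain: str) -> str:
    """Collapse homoglyph tricks so examp1e-corp.com compares equal to example-corp.com."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(fake, real)
    return re.sub(r"[-_.]", "", d)

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def check_headers(msg: EmailMessage, org_domain: str) -> tuple[list[str], list[str]]:
    """Return (block_reasons, hold_reasons) derived from the From and Reply-To headers."""
    block, hold = [], []
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)
    # Display name carries an address whose domain differs from the real sender.
    if "@" in display and domain_of(parseaddr(display)[1]) != from_domain:
        hold.append(f"display name {display!r} does not match sender {addr}")
    # Legitimate subdomains of the organisation are left alone.
    if from_domain and from_domain != org_domain and not from_domain.endswith("." + org_domain):
        if normalize_domain(from_domain) == normalize_domain(org_domain):
            block.append(f"look-alike sender domain {from_domain}")
        elif org_domain in from_domain:
            block.append(f"sender domain {from_domain} embeds {org_domain}")
    reply_domain = domain_of(parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_domain and reply_domain != from_domain:
        hold.append(f"Reply-To domain {reply_domain} differs from sender domain {from_domain}")
    return block, hold

def check_attachments(msg: EmailMessage) -> tuple[list[str], list[str]]:
    """Return (block_reasons, hold_reasons) for attachment file names."""
    block, hold = [], []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        pieces = name.split(".")
        ext = pieces[-1] if len(pieces) > 1 else ""
        if ext in BLOCKED_EXTENSIONS:
            # invoice.pdf.exe: a double extension hiding an executable.
            prefix = "double-extension " if len(pieces) > 2 else ""
            block.append(f"{prefix}executable attachment {name}")
        elif ext in MACRO_EXTENSIONS:
            hold.append(f"macro-enabled attachment {name}")
    return block, hold

def analyze_message(raw: bytes, org_domain: str) -> dict:
    """Parse one raw message and return a verdict with its reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hb, hh = check_headers(msg, org_domain)
    ab, ah = check_attachments(msg)
    block, hold = hb + ab, hh + ah
    verdict = "block" if block else "quarantine" if hold else "allow"
    return {"verdict": verdict, "reasons": block + hold}

def make_sample(sender: str, reply_to: str | None = None, attachment: str | None = None) -> bytes:
    """Build a constructed sample message (not captured traffic)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "finance@example-corp.com"
    msg["Subject"] = "Urgent: wire transfer approval"
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content("Please process the attached invoice today.")
    if attachment:
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_bytes()

ORG_DOMAIN = "example-corp.com"  # hypothetical protected organisation
SAMPLES = {
    "lookalike": make_sample("IT Helpdesk <helpdesk@examp1e-corp.com>"),
    "embedded": make_sample("HR Team <hr@example-corp.com.notice-center.net>"),
    "spoofed_name": make_sample('"ceo@example-corp.com" <ceo.office@webmail-example.net>'),
    "reply_to": make_sample("Alice <alice@example-corp.com>", reply_to="alice.pay@webmail-example.net"),
    "double_ext": make_sample("Vendor <billing@vendor.example>", attachment="invoice.pdf.exe"),
    "macro": make_sample("Vendor <billing@vendor.example>", attachment="statement.xlsm"),
    "clean": make_sample("Alice <alice@mail.example-corp.com>", attachment="statement.pdf"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, analyze_message(raw, ORG_DOMAIN))
```

Running the block prints one verdict per sample. A production gateway would add SPF, DKIM and DMARC results and content inspection on top of this; the point here is that the header and attachment rules are cheap and deterministic, and they cover the e-mail tricks described in the channel list without relying on the recipient’s judgment.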

Technology-based mitigation also has its disadvantages. Using technology adds cost and increases the complexity of the organization’s overall system, and purchasing and maintaining it requires substantial monetary investment. Furthermore, the added complexity enlarges the attack surface of the technological infrastructure, since the new components may themselves contain software flaws. Finally, technology is ever-changing, so an organization’s infrastructure may become obsolete as time progresses.

Human and Technology-Based Combined Mitigation

Independently, each method has its own disadvantages; to overcome them, firms should use both mechanisms together. Technology-based mechanisms complement subjective human judgment to ensure better protection, although this combination implies increased cost.

Works Cited

  1. Koyun, Arif and Ehssan Al Janabi. “Social Engineering Attacks.” Journal of Multidisciplinary Engineering Science and Technology, vol. 4, no. 6, 2017, pp. 7533-7538.
  2. Zulkurnain, Ahmad, et al. “Social Engineering Attack Mitigation.” International Journal of Mathematics and Computational Science, vol. 1, no. 4, 2015, pp. 188-198.

Social Engineering Techniques for Bill’s Meat Packing Plant

Social engineering techniques are the various methods hackers use to gain access to people’s personal information. In most situations, such techniques are considered unethical because they allow social engineers to deceive computer users and take advantage of their trust, low awareness, and lack of suspicion. To collect information from the identified organization, it is essential to focus on its weaknesses: its health violations, its enormous staff turnover, and the extended area the company occupies. Thus, the following methods can be used: bribery, impersonation, and conformity.

To begin with, it is necessary to explore how bribery could be effective against the selected company. As Basta et al. (2014) note, with this technique “the hacker pits an employee’s greed against his or her loyalty to the organization” (p. 22). Bribery is more likely to work when a worker is dissatisfied with the firm, and since the identified organization has massive turnover, employee satisfaction is probably low. Conformity can be effective for the same reason: the hacker can “use this sense of conformity to convince victims that they have a lot in common and that they share the same values” (Basta et al., 2014, p. 22). Consequently, since few employees seem loyal, they may share protected information with the attacker.

Impersonation can also be rather effective for gaining access to private information. For instance, since the company has health violations, a hacker could pose as a health inspector and request access to relevant records; once that access is granted, the hacker can use the organization’s computers to reach the protected information they need. Moreover, because the company has many employees who change often and occupies a large area, it is unlikely that all workers know each other, so it should be easy for the hacker to pose as an expert or an IT professional and get into the firm.

Reference

Basta, A., Basta, N., & Brown, W. (2014). Computer security and penetration testing (2nd ed.). Cengage Learning.