Remote Work and Infiltration of Cybercriminals Into Business Defences By Nicholas Ibenu

Social engineering is the use of deception or psychological manipulation to make people perform actions or divulge confidential, personal information that may then be used for fraudulent purposes.

This article aims to create basic awareness by outlining different social engineering methods and giving the reader a basis for protecting themselves against social engineering attacks amid the rise of remote work. As cybercrime continues to rise, innovation in IT security technology is also increasing, driving ease of use and effectiveness while representing great value; true to the nature of technology, these attributes will continue to improve with time. As cyber security professionals find ways to protect against old techniques, cybercriminals are working just as hard to create solutions that enhance their operations in order to infiltrate business defences.

Cyberattacks, perhaps more so than any other type of crime, follow trends, and one of the most prevalent trends in cybercrime right now is social engineering and psychological attacks, also referred to as human or emotional hacking. According to Steve Morgan, Editor-in-Chief of Cybercrime Magazine, writing in November 2020, “cybercrime is expected to cost the world $10.5 trillion annually by 2025!”

Social engineering attacks are psychological rather than technological in nature. Instead of relying on sophisticated hacking techniques or in-depth knowledge of computers, they trick people into giving away information through psychological and deceptive means, and the rise of remote working due to the COVID-19 pandemic has created the easiest access point for cybercriminals to carry out their attacks smoothly.

According to the 2021 Cyber security breach report, 80% of successful attacks were due to human rather than technological failings, and social engineering was the approach that made these attacks succeed.

So what makes social engineering such an effective attack method, and why is it so much easier to target people and compromise a system or a company than to spend a long time attacking technology with no results?

Information: Security awareness is a core part of any cyber security programme for all kinds of organisations; however, according to the 2021 cyber security breach report, information security awareness alone is not enough to mitigate human risk. So what is the main flaw in human awareness? Hackers use two different approaches to conduct social engineering attacks: intimidation and enticement.

Intimidation: This technique depends on threatening the user with an action against one of his important assets, such as his email or social media account, or on convincing him that his computer activity is being monitored and that the captured logs will be sent to his contacts. It is much more successful when accompanied by apparent evidence. For example, the scammer tries to convince the user that his email account will be blocked because its storage allowance has been used up. The email account is a very important asset, used to follow up on the user's activities on the internet and to log in to his social media or bank accounts, so losing it would certainly affect him, and this is what the hacker focuses on.

Enticement: This technique depends on promising the victim a big fortune, or a large amount of money, and convincing the victim with a story about corruption or money laundering. The technique is quite old and was initially used to extract money from victims, but it has since been developed for phishing or system compromise by attaching a malicious file to the email as supposed proof of the story. Another variant is an email appearing to come from an official entity, such as a post office or the IRS, or any entity that lends some trust to the message, convincing the victim to click on a link to learn about a package that was shipped to him or her, or to view an IRS report with a tax return.
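As an added illustration (not part of the original article), the following Python heuristic flags the intimidation and enticement cues described above in incoming messages, so a defender can see how the two approaches differ in wording. The regex patterns and the sample messages are constructed assumptions for this example, not data from the article.

```python
import re
from dataclasses import dataclass

# Cue patterns for the two approaches described above. These regexes and the
# sample messages below are constructed for illustration only; a production
# mail filter would combine many more signals (sender reputation, links, etc.).
INTIMIDATION_CUES = {
    "account_threat": r"\b(account|mailbox)\b.*\b(blocked|suspended|deactivated|closed)\b",
    "storage_pretext": r"\b(storage|quota)\b.*\b(full|exceeded|limit)\b",
    "surveillance_claim": r"\b(monitored|recorded|logs?)\b.*\b(contacts|sent to)\b",
    "deadline": r"\bwithin\s+\d+\s+(hours?|days?)\b|\bimmediately\b",
}
ENTICEMENT_CUES = {
    "fortune": r"\b(million|fortune|inheritance|lottery)\b",
    "official_entity": r"\b(irs|post office|customs|tax (refund|return))\b",
    "package_or_refund": r"\b(package|parcel|shipment|refund)\b.*\b(click|track|claim)\b",
    "proof_attachment": r"\b(attached|attachment)\b.*\b(proof|document|evidence)\b",
}


@dataclass
class Verdict:
    label: str   # "intimidation", "enticement", "mixed" or "none"
    cues: list   # names of the cue patterns that matched


def classify(message: str) -> Verdict:
    """Label a message by the social-engineering approach its wording suggests."""
    text = " ".join(message.lower().split())  # normalise case and line breaks
    intim = [n for n, p in INTIMIDATION_CUES.items() if re.search(p, text)]
    entice = [n for n, p in ENTICEMENT_CUES.items() if re.search(p, text)]
    if not intim and not entice:
        return Verdict("none", [])
    if len(intim) > len(entice):
        return Verdict("intimidation", intim)
    if len(entice) > len(intim):
        return Verdict("enticement", entice)
    return Verdict("mixed", intim + entice)


# Constructed sample messages mirroring the article's two examples plus a benign one.
SAMPLES = {
    "storage_threat": "Your mailbox storage quota has been exceeded. Your account will be "
                      "blocked within 24 hours unless you verify your password.",
    "parcel_lure": "A parcel addressed to you is held at the post office. Click the link "
                   "to track it and claim your inheritance of two million dollars.",
    "benign": "Hi team, attached is the agenda for Thursday's meeting. See you there.",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        v = classify(msg)
        print(f"{name:15} -> {v.label:13} {v.cues}")
```

Such a scorer is best used to route suspicious messages to a reporting workflow and to feed the awareness KPIs discussed later, not as a stand-alone blocker.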

Solution: From the use cases I showed above, humans are still the weakest link in the security chain, and conducting awareness sessions, although mandatory in most companies, is not enough, as many employees deal with email and messages without giving them proper attention because work pressure often distracts them. It is important to evaluate awareness effectiveness using questionnaires and to report the results to management so that they give the subject due attention; also, if possible, run a social engineering campaign against employees after the annual awareness campaign.

Device protection should include remote management features that eliminate the need for user input or behavioural changes. Real-time antivirus, browser and application protections, and the host of defences standard in most high-quality solutions are essential. Password management applications should work seamlessly across mobile device platforms, and the enterprise should sponsor software purchases and training for all employees. Operating system software and other frequently targeted third-party applications, such as Adobe and Java, should be updated and patched automatically.

Increasingly, collaborative threat intelligence resources are coming to bear for actionable, real-time, preemptive defences.

Algorithms will grow in effectiveness and application as they adjust and evolve to predict and defend against future threats. Organisations should also adopt KPIs to measure the effectiveness of, and attendance at, awareness training. In addition to device protection, each individual device should have a VPN (Virtual Private Network) for automatic encryption of internet traffic. A good VPN will protect the user’s identity, location, browsing, shopping, banking and all information transacted online, including over public WiFi networks.

Any business, whether a commercial enterprise or a non-profit, understands that building a secure organisation is important to long-term success. When a business implements and maintains a strong security posture, it can take advantage of numerous benefits. An organisation that can demonstrate an infrastructure protected by robust security mechanisms can potentially see a reduction in the insurance premiums it pays. Treasury departments should also engage staff with these social engineering techniques in a way that is relevant to their daily activities and personal lives, which will dramatically increase awareness and compliance at the workplace.

Additionally, this approach to cyber security strategy positions the enterprise for optimal benefit from the forthcoming acceleration of disruptive innovation in the IT security industry.

Nicholas Ibenu, a member, an Assistant Professor of Computer Science at Escae-Benin University of Science and Technology, writes from Lagos

Punch
