Few things have advanced faster than the digital world, which is increasingly replacing the human mind and hand with that of the machine.
However, the artificial mind still cannot be regarded as completely independent, so it is impossible to envisage a situation totally free of human error. Social engineering is the very common practice of exploiting human weakness and ignorance to initiate and/or execute a cyberattack.
Let’s start with the facts.
Eighty-two percent of cyberattacks listed in the 2022 Verizon Data Breach Investigations Report were perpetrated, at least in part, by exploiting human ignorance and weakness: i.e. through a form of social engineering.
Let’s look at the most commonly used forms of social engineering, and the best practices to adopt to limit their effect within a company.
The term “social engineering”, when used in the context of cybersecurity, is defined as: “the use of deception to manipulate individuals into disclosing confidential or personal information that can be used for fraudulent purposes.”
The types of attack covered by this definition include mass spam sent to email addresses in the form of phishing attempts.
So, consumers may click on a link to a malicious website or open an infected attachment, and if they divulge their personal information, this can then be exploited for criminal purposes.
“It could be someone pretending to be a brand, a company or a person you would implicitly trust […].
The intentions are often to install a malicious program, through the provision of passwords or confidential information (for example, social security number, bank details, etc.).”
Roger Grimes, data-driven defense evangelist
But why is it described as social?
That’s easy to answer: the cyber criminal uses psychological manipulation and particular methods of persuasion to encourage the user to carry out certain actions or to disclose confidential personal information.
Many attempts at social engineering make use of email, but that is not the only method. Attacks can also come via text messages, websites, social media, phone calls or even in person.
As Manos Gavriil, content manager of the cybersecurity training platform Hack The Box, points out, social engineering is regarded as the number one threat in this field. This is not only because it exploits individual human error and is therefore very difficult to stop, but also because, despite its simple form and ease of use, it can cause devastating harm to those who suffer an attack.
Let’s look more closely at the common methods used to carry out social engineering attacks
⁃ Pretexting: by means of a false identity or scenario, the target is persuaded he needs to share sensitive data or take compromising action. This is the most common method of social engineering.
⁃ Priming: the primer makes a false promise in order to deceive the victim, steal sensitive information, or infect the organization with malware.
⁃ Phishing: the attacker sends bulk emails without a specific target in mind, in the hope that at least one of the malicious links or attachments will be clicked on by the victim, giving access to sensitive information. The hope is that the user will be panicked or irritated by the number of notifications he receives, and for one of these reasons, he will carry out the intended action.
⁃ Spear phishing: the attacker masquerades as a known or trusted source, and sends a targeted email to a specific victim, usually with specially personalized content. The attacker can source useful data from LinkedIn, Facebook and other platforms, to make his message appear more authentic.
⁃ Whale phishing: this type of phishing is aimed at a high-value target, such as a senior executive or financial officer. Whaling involves some highly sophisticated techniques. The attacker will first collect information about the target and organization, in order to present a credible pretext for his message. The purpose is always the same: to obtain sensitive information or to enable a financial transfer.
⁃ Vishing or smishing: this is a phishing attempt made via a phone call or text message.
⁃ Business email compromise (BEC): the cybercriminal compromises a business email account and impersonates the owner, in order to trick someone in the company circle into sending money or sensitive data to the attacker’s account.
⁃ Pharming: malicious code is inserted into a computer or server to redirect or trick the user into visiting a bogus website.
⁃ Tailgating or piggybacking: a method used by attackers to gain access to a building or protected area. The tailgater waits for an authorized user to open and pass through a secure entry point and then slips in behind him.
⁃ Dumpster diving: this is also an attack on a physical location. The criminal sifts through an organization’s rubbish to find information he can use to launch an attack.
Cybercriminals often pretend to belong to a trusted organization, such as the target’s energy provider, bank or IT department. They present scenarios that are extremely credible not only in context but also in form, using the logos of institutions, and creating email addresses that mimic official ones.
They only have one purpose: to gain your trust and persuade you to share sensitive information.
The message often comes with an implied threat. The attacker tries to lure the victim by warning him that if he does not perform a certain action as soon as possible there will be certain negative consequences, such as the permanent blocking of his account, a fine, or a visit by the police.
Social engineering attacks have made use of the current crisis: people become more vulnerable to exploitation by malicious opportunists when budgets are tight.
The attackers play on people’s fears about their personal finances, with text messages offering discounts on energy bills or tax rebates, and an increasing number of online banking scams.
10 best practices for identifying and preventing social engineering attacks
Our aim as a company is to spread awareness, so we’d like to offer some basic tips on how to foil attempts at social engineering in an organization:
1 • Provide security training.
This is perhaps the most important way to prevent harm from social engineering.
The training should be carried out at regular intervals and should inform users about how to identify social engineering.
2 • Submit employees to regular tests to see how they respond to threats.
Basic tests can be carried out prior to security training to determine the number of users who fall victim to simulated attacks. On the other hand, post-training tests will indicate the success of the training program. Clearly, to give an accurate assessment of user awareness, employees should never be given advance notice of any such simulations.
3 • Promote a culture of pervasive awareness.
If you create the right culture, you end up with a human firewall that protects your organization from attacks. Properly executed training and testing can help create a culture of healthy skepticism, with everyone aware of how to recognize a social engineering attack.
4 • Make it easy to report attempts and breaches.
The systems should allow staff to report potential phishing emails and other scams quickly and easily, either to the help desk, the IT department, or security. Would you like an example? A phishing alarm button could be incorporated into the company’s email program.
5 • The importance of multi-factor authentication (MFA).
Requiring the use of multiple ID credentials is one way to prevent initial attacks from escalating. MFA may involve the user in receiving a text message on his phone, entering a code in an authentication app, or verifying his identity in some other way.
6 • The importance of User and Entity Behavior Analysis (UEBA) for authentication.
In addition to MFA, you need to use additional authentication technology that will recognize any anomalies in locations, access times, etc. Then if a new device is used to access a certain account, this will trigger an alert and a requirement for additional verification.
7 • Keep administrative and privileged accounts firmly under control.
Once an attacker has gained access to a network, his next step is often to look for an administrative or privileged account that he can compromise. It is therefore very important that such accounts are only permitted when necessary, and that they are closely monitored to avoid abuse.
8 • Use secure email gateways.
Even though they are not yet perfect, secure email gateways reduce the number of phishing attempts and malicious attachments that reach users.
9 • Ensure you always update your antimalware, patches and software.
Keeping up-to-date with the latest versions and patches both reduces the number of social engineering attempts that reach users, and limits the damage that occurs when they fall for a hoax or click on a link by mistake.
10 • If you don’t want to invest in and implement all these strategies, go offline.
The only way to ensure total freedom from cyber attacks is to delete all users from the web, stop using email, and never communicate with the outside world.
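The anomaly checks described in item 6 (new device, new location, unusual access time triggering additional verification) and the stricter handling of privileged accounts in item 7, as an added example that is not part of the original article. The login events, the user names and the 07:00-19:59 working-hours baseline are constructed assumptions; a real UEBA product would learn its baseline from far more signals.

```python
from collections import defaultdict
from datetime import datetime

# Constructed login events (not real data): (user, device id, country, timestamp, privileged)
LOGINS = [
    ("alice", "laptop-01", "IT", "2024-03-04T09:12:00", False),
    ("alice", "laptop-01", "IT", "2024-03-05T08:55:00", False),
    ("alice", "laptop-01", "IT", "2024-03-06T09:03:00", False),
    ("alice", "phone-77", "IT", "2024-03-07T10:20:00", False),   # new device
    ("alice", "laptop-01", "BR", "2024-03-08T03:41:00", False),  # new country, off-hours
    ("admin", "jump-01", "IT", "2024-03-04T11:00:00", True),
    ("admin", "jump-01", "IT", "2024-03-09T02:15:00", True),     # privileged account, off-hours
]

WORK_HOURS = range(7, 20)  # assumed baseline: 07:00-19:59 local time


def analyse(logins):
    """Rule-based UEBA: build a per-user baseline of verified devices and countries,
    then flag later logins that deviate from it. Returns (user, ts, action, reasons)."""
    devices, countries = defaultdict(set), defaultdict(set)
    findings = []
    for user, device, country, ts, privileged in logins:
        hour = datetime.fromisoformat(ts).hour
        reasons = []
        # Only compare against a baseline once one exists for this user
        if devices[user] and device not in devices[user]:
            reasons.append("new device")
        if countries[user] and country not in countries[user]:
            reasons.append("new country")
        if hour not in WORK_HOURS:
            reasons.append("off-hours")
        if privileged and reasons:
            action = "block and alert"          # item 7: privileged accounts get no second chance
        elif reasons:
            action = "step-up verification"     # item 6: require additional verification
        else:
            action = "allow"
        findings.append((user, ts, action, reasons))
        # Learn only from logins that raised no anomaly, so unverified events do not poison the baseline
        if action == "allow":
            devices[user].add(device)
            countries[user].add(country)
    return findings


if __name__ == "__main__":
    for user, ts, action, reasons in analyse(LOGINS):
        print(f"{ts} {user:6} {action:20} {', '.join(reasons)}")
```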
Cybercrime in the industrial world: what are the challenges?
The number of cyber attacks on the industrial world has clearly grown beyond all recognition, and we are convinced that product safety cannot be guaranteed in the future if suitable protection is not put in place.
To protect complex industrial systems, the above precautions are not sufficient. A more advanced approach and highly specialized support are needed to ensure that systems and components meet the necessary standards of security.
Defensive strategies need to start with a careful analysis of the threat, and should involve the following:
- Employment of qualified personnel
- Attention to internal errors and oversights
- Adoption of security technologies
- Specificity of customers’ contractual requirements
- Implementation of compliance standards, specifically IEC 62443