Even though it has been making recent headlines, social engineering is not a new phenomenon. In short, social engineering is manipulation that derives a desired action from its target—an action that the target may not want to take.
Spies have used social engineering for centuries. For example, a spy may observe a target’s movements and behavioral patterns every Saturday morning. In doing so he might notice that the target goes to a particular coffee shop every Saturday at 10 AM, reads the Wall Street Journal and strolls through the adjacent farmer’s market. The spy could then strategically place himself at the coffee shop and strike up a seemingly innocent conversation with the target about the nearby farmer’s market or an article in the newspaper. Once a bond is formed between the spy and the target, the spy can easily manipulate the target into divulging confidential or personal information, such as where the target works or whether the target is married, without raising any flags. That is social engineering.

Now enter cyberspace, a domain flooded with readily available personal information. Cyber criminals will try to manipulate their targets into clicking malicious links, which would give the cyber criminal unfettered access to the target’s system or network. These cyber criminals use social networks to target their attacks. Have a Facebook account? Chances are you do. Even if you have selected the highest privacy settings Facebook offers, your account is likely still linked to your real name, picture, and possibly your general geographic location. What about LinkedIn? A simple search of your name and general location, paired with the information gleaned from Facebook, gives cyber criminals everything they need.
Knowing a target’s employer is a jackpot for the social engineer, which makes LinkedIn especially dangerous. Would you open an e-mail sent from an address similar to your company’s? What if the e-mail was addressed to you and cc’d to your boss? Would you open it, and then click the link? Chances are very high that you would. Cyber criminals frequently use these targeted phishing attacks (spear-phishing), which the prevalence of social networks has made easier. Without these social networks, cyber criminals would have a much harder time discovering their target’s employer or position in the company.
Moe: Hello, Moe’s Tavern. Moe speaking.
Bart: Is Seymour there? Last name Butz?
The evolution of hacking began with social engineering. Before computers were available to the masses, hacking into phone systems, known as phone phreaking, was popular. At the same time, prank phone calls were used to manipulate the person on the other end of the line into taking an action; Bart Simpson, for instance, manipulated Moe into making a fool of himself in front of his patrons. A few years later computers were readily available, and extremely easy for malicious hackers to infiltrate. The front doors to computers and networks were left wide open, making social engineering unnecessary for cyber criminals because they no longer had to pay attention to the human element to gain access. Computers were eventually armed with firewalls and better protections, which brought client-side attacks back and ushered in the new era of social engineering.
There are more technical social engineering attacks now than before—which is both good and bad news. It means that the firewalls in place to protect our networks are strong, but it also means that the network is only as strong as its weakest link. In an organization of 50,000 people, it only takes one person to click on a bad link. The malicious hackers could then install a backdoor on that person’s computer, bypassing the organization’s border protection. Game over. A theme that you’ll hear over and over again is that security is usually not a technology problem; rather, it is a human problem. Social engineering will never be eliminated, so it is crucial that people within your organization are trained to notice when an e-mail looks phishy (pun intended).
What can you do to protect yourself from these social engineering attacks? Be aware of:
- The e-mail address. If an e-mail seems suspicious, the first thing to check is the sender’s address. A social engineering e-mail will likely come from a fake account. For instance, if the e-mail claims to come from Facebook, it should come from Facebook.com, not Fakebookmail.com or Facebook.access/logins.com.
- E-mails asking for your credentials. If an e-mail appears to come from your bank, for instance, don’t click the link in it. Instead, open your web browser and type the bank’s web address manually, so you can’t be duped into following a potentially malicious link.
- Attachments from people you don’t know. Never open an attachment from an unknown sender.
- Spelling errors or other small oddities. Addresses used in social engineering attacks often contain spelling errors or unusual characters because the messages are sent from an automated system. There are always small tells in these sorts of e-mails.
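As an added example (not from the original article), the script below applies the sender-address check from the first bullet to a few constructed From: headers, including the look-alike domains named there; the brand allow-list, the edit-distance threshold and the sample headers are assumptions made for illustration.

```python
import re

# Assumed allow-list: the domain a brand's legitimate mail is expected to come from.
BRAND_DOMAINS = {"facebook": "facebook.com"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike spellings such as 'fakebook'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Lower-cased domain of the address in a From: header; '' if there is no '@'."""
    m = re.search(r"<([^>]*)>", from_header)          # prefer the angle-bracketed address
    addr = m.group(1) if m else from_header.strip()
    _, at, domain = addr.rpartition("@")
    return domain.lower() if at else ""

def looks_like_brand(label: str, brand: str, max_dist: int = 2) -> bool:
    """True if some window of the domain label is within max_dist edits of the brand."""
    n = len(brand)
    return any(levenshtein(label[i:i + n], brand) <= max_dist
               for i in range(max(1, len(label) - n + 1)))

def assess_sender(from_header: str, brand: str) -> list[str]:
    """Red flags for a message presenting itself as mail from `brand` (empty = none)."""
    flags, domain, legit = [], sender_domain(from_header), BRAND_DOMAINS[brand]
    if not re.fullmatch(r"[a-z0-9.-]+", domain):      # e.g. a '/' inside the domain part
        return [f"malformed sender domain: {domain!r}"]
    if domain == legit or domain.endswith("." + legit):
        return flags                                   # the expected domain or a subdomain
    flags.append(f"sender domain {domain} is not {legit}")
    labels = domain.split(".")
    registrable = labels[-2] if len(labels) > 1 else labels[0]  # assumes a one-label TLD
    if looks_like_brand(registrable, brand):
        flags.append("look-alike brand spelling in sender domain")
    return flags

if __name__ == "__main__":
    # Constructed sample From: headers, including the look-alikes named in the article.
    for hdr in ['"Facebook" <security@facebook.com>',
                '"Facebook" <security@Fakebookmail.com>',
                '"Facebook" <security@Facebook.access/logins.com>']:
        print(hdr, "->", assess_sender(hdr, "facebook") or ["no sender-domain flags"])
```

The registrable-domain step is a simplification; a production filter would consult the public suffix list and also verify SPF/DKIM results rather than the header alone.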
Social engineers and cyber criminals are constantly refining their techniques, so we need to pay attention and keep our skills sharp.