In this blog series we will look at the different concepts, techniques, and countermeasures in social engineering. This blog covers the concepts. Techniques and countermeasures will be covered in the subsequent blogs in this series.
What is Social Engineering?
Social engineering is the art of convincing people to reveal confidential information that can then be used to perform some malicious action. You could have state-of-the-art security in place, but there is still one danger: social engineering. It targets the weakness of people rather than the weakness of systems. Most often, people are not aware of the security lapse on their part and reveal sensitive information unknowingly.
Pre-attack information gathering
Prior to performing a social engineering attack, an attacker gathers information about the target organisation in various ways:
- The official website of the target organisation, where employee names and email addresses are shared.
- Blogs, forums, etc., where employees share personal and organisational information.
After this, the attacker executes the social engineering attack using various approaches, such as:
Impersonation
An impersonator is someone who imitates or copies the behaviour or actions of another. In the field of security this can be a criminal act such as identity theft. This is usually where the attacker tries to assume the identity of another person in order to commit fraud, such as accessing confidential information, or to gain access to resources which he does not own.
Tailgating
Tailgating is a physical security breach in which an unauthorised person follows an authorised individual into secured premises.
Piggybacking
Piggybacking is similar to tailgating. The difference is that in piggybacking the person who has opened the door with their credentials knows that others are following them in through the secure door, whereas in tailgating others follow through the door without the knowledge of the person who opened it.
Reverse social engineering
This is an unusual form of social engineering. In most social engineering attacks, the attacker goes to the victim to obtain information. In reverse social engineering, however, the victim unwittingly goes to the attacker. Reverse social engineering is performed through the following steps:
- The attacker first damages the target's resource.
- Next, he advertises himself as a person with the authority and skill to solve the problem.
- In this step, he gains the trust of the target and obtains access to sensitive information.
The attacker develops his social engineering skills to the extent that the victim might not even notice the fraud.
Common targets of Social Engineering
Front office or help desk: The attacker uses his skills to try to extract information from the front desk personnel. They will often reveal (sensitive) information if they feel they are doing so to help a customer.
Technical support executive: The social engineer can contact tech support pretending to be from senior management, a customer or a vendor in order to acquire sensitive information.
System administrator: The attacker may obtain information about the operating system and the network infrastructure from the systems administrator.
Employees and clients: Social engineers also like to approach employees or clients while pretending to be a tech support executive.
Generally, the impact of social engineering is underestimated and not considered that big a threat. But the impact depends entirely on how the attacker executes the attack. Examples of the damage it can cause are:
- Economic loss
- Damage to reputation
- Loss of privacy
- Temporary or permanent closure
Why organisations are vulnerable to social engineering attacks
There are different reasons why organisations are vulnerable to this type of attack.
Insufficient security training
Security awareness starts with training. Thus, the minimum responsibility of any organisation is to provide its employees with adequate security training so that they are aware of these kinds of attacks.
Unregulated access to data
Giving everyone access to sensitive data is a major threat to any organisation. Therefore, access should be regulated based on the role and responsibilities of each person.
Lack of security policies or controls
Certain security measures, such as regular password changes, information sharing policies and controls on access privileges, need to be implemented.
Different phases of a social engineering attack
1. Research: First, the attacker tries to gather as much information as possible about the targeted organisation. He can gather this information from the company website, forums and the other sources mentioned earlier.
2. Selecting a target: Next, the attacker looks for a weak point and selects an employee, who may be frustrated, from whom to get confidential information about the organisation. Identifying a frustrated employee can be based on the information gathered in the first step.
3. Developing trust: Once the attacker has identified his target, he tries to develop a level of trust with the victim.
4. Exploiting the trust: The last step is exploiting that trust to get sensitive information from the victim.
Social engineering is a relatively easy and cheap attack to perform, and there is no method that guarantees full protection against it. That is why it is so important for any organisation to have basic security training, awareness and security policies in place so that it can mitigate these attacks.