Cyber Basics: Combating Social Engineering

Manipulating people into handing over information or taking a harmful action is a simple tactic that remains one of the biggest cyber threats to individuals and organizations. Con artists have used it for as long as there have been con artists; the ubiquity of computers and networks has simply given this age-old swindle a digital form, known as social engineering.

Social engineering, in its simplest form, is the use of deception to trick people into revealing confidential information or performing an action, such as opening an attachment or resetting a password, that helps the attacker. Social engineers exploit trust, habit and a lack of awareness rather than software flaws, and when the con is done well the victims never realize that their own actions caused the harm.

No one is immune to social engineering. Even CIA Director John Brennan has fallen victim: in late 2015 a teenager got into Brennan’s personal AOL account after posing as a Verizon technician and using a fabricated employee code to persuade a customer-service representative to hand over the account details needed to reset the password.

Once attackers obtain personal data, the damage they can do is severe. In the infamous 2014 Sony Pictures hack, the attackers reportedly harvested employee credentials with spoofed Apple ID verification e-mails, used LinkedIn profiles to identify which employees to target, and then used the stolen (and reused) passwords to get onto Sony’s network. The breach ultimately cost Sony an estimated $35 million.

How hackers gain access

Numerous avenues exist for social engineering attacks. The table below shows some of the most common social engineering techniques in use today, along with preventative measures you can use to guard against each.

[Table image not captured: common social-engineering techniques and preventative measures]

Staying safe

Despite hackers’ resourcefulness and frequent success with social engineering, there is much that individuals and organizations can do to reduce their exposure.

  1. First, combat social engineering attacks with awareness. People are less likely to become victims if they are informed and alert. Employees are prime targets, so training them in security awareness is a company’s first line of defense. That means teaching them not to open unexpected attachments or follow links from untrusted sources, to guard confidential information closely, and to verify any unusual request for credentials, payments or account details through a channel they already trust, such as a phone number they look up themselves rather than one supplied in the message.
  2. Next, limit employee access to data. Even when an attack succeeds, the damage can be contained if information is compartmentalized, i.e. if each employee is granted access ONLY to the systems and data needed for his or her specific duties (the principle of least privilege). For example, an employee in accounting has little need for access to the design team’s file shares. Doing this ensures that one compromised account or workstation does not hand the attacker the entire network.
  3. Finally, run current security software and keep it, along with operating systems and applications, patched and up to date. Much of the most infamous malware is installed willingly (albeit unknowingly) by the user: a malicious file arrives as an e-mail attachment disguised as a document, often a PDF or invoice that appears to come from a reputable source, and the user installs it simply by opening it. Up-to-date security software can recognize an attachment that tries to drop or run an executable, or that is an executable masquerading as a document, and stop the scenario before it unfolds; patching closes the document-reader and browser flaws that the remaining attachments rely on.

Overall, defending against highly skilled and specialized hackers can seem daunting. But the primary target of social engineering is people, not computers, and people can be prepared. Knowing the common tactics and applying the basic controls above takes away most of the leverage that even the most technically savvy attacker gets from social engineering.