IT Security 101: Social Engineering
Introduction
Simply put, social engineering is the use of deception to achieve a goal. It is a staple of television and movies, and occurs regularly in everyday life. The ease with which it is accomplished reinforces the common assumption in cybersecurity that humans are the weakest link in any security program.
In this installment of ITSEC101, I will provide an overview of social engineering tactics, techniques and procedures as they relate to cybersecurity, and common defenses against them.
Social Engineering Explained
In cybersecurity, this describes the deceptive methods used by malicious actors to gain access to physical locations, devices and systems, or to obtain sensitive information.
The threat vector for this is human psychology. Malicious actors take advantage of predictable human behaviors and reactions in order to lower their defenses.
Here are the common ways that human psychology is exploited:
Trust - People are generally trusting by nature. Malicious actors may pose as known, trusted individuals or organizations.
Social Proof / FOMO - People tend to follow trends. Malicious actors may suggest that what they are offering is cool, new and hip, or that others have already responded, etc.
Authority / Compliance - People tend not to question authority. Malicious actors may pose as authority figures, or authoritative organizations.
Fear / Urgency - People tend to be overly reactive and panic when faced with urgent situations. Malicious actors may suggest that something needs to be done quickly or there may be consequences.
Greed / Desire - People have needs and wants, and tend to look for good deals. Malicious actors may pretend to offer free services, special rewards, etc.
Goodwill / Empathy - People tend to be generous and helpful. Malicious actors may pretend to need assistance.
Curiosity - People tend to be curious. Malicious actors may make enticing hints or suggestions.
Overconfidence - People tend to think that bad things can’t happen to them, or that they are too smart to fall for tricks. Malicious actors craft their methods to take advantage of this.
These methods are often combined. For example, a malicious actor may pose as the CEO (trust, authority) with an urgent request (urgency) for an employee to purchase gift cards (goodwill) using a company credit card.
I’ll now present some common ways in which a malicious actor might engage with a target to take advantage of the above.
Attack Methods
The following list contains common methods used to trick a target into granting system access, downloading malicious software, giving up sensitive information, or facilitating financial transactions.
Email (phishing) - Malicious actors leverage email messages to initiate communication, or distribute malicious attachments and links.
SMS (smishing) - Malicious actors leverage SMS text messages to initiate communication, or distribute malicious attachments and links.
Targeted (spearing / whaling) - Malicious actors use the other techniques listed here, but focus them on a specific group of users (whaling) or high-profile targets (spearing).
Website Redirection (pharming) - Malicious actors may append specially formatted strings to the end of legitimate website URLs so that the link redirects targets to malicious sites.
Fake Social Media / Customer Support (angler) - Malicious actors will pose as other people and organizations to trick targets into interacting with them and performing unsafe actions, using legitimate services such as social media, or legitimate-seeming services such as customer support numbers and chat sessions.
Business Email Compromise (BEC) - Malicious actors will take control of an email account and pose as the user to send malicious emails to contacts and known associates.
Face to Face - Malicious actors will disguise themselves in official uniforms (or, when posing as law enforcement, in plain clothes) and interact with people in person to gain access to sensitive locations, information or assets.
Voice (vishing) - Malicious actors will interact through phone calls and voice messages to gain trust, obtain sensitive information, or convince a target to perform an unsafe action.
Deep Fakes - Malicious actors, with the aid of emerging technologies such as AI, will craft convincing replicas of real people to deceive targets.
Website / Login Page Cloning - Malicious actors will construct replicas of real websites to trick targets into providing sensitive information.
Supply Chain - Malicious actors will take advantage of third-party trust and pose as legitimate vendors and service providers, or compromise generally trusted systems and software, to reach their target.
Defenses
Trust no one and nothing. Question everyone and everything.
Conduct user awareness training with emphasis on identifying social engineering in its various forms, and reporting suspicious activity. Foster a healthy environment that encourages reporting suspicious activity without fear of judgement or reprisal.
Develop policies and procedures for all request types, such as financial requests, password reset requests, etc., and train users thoroughly.
Conduct regular phishing tests using multiple techniques and templates. Track user response and conduct targeted follow-up training if necessary for repeat offenders.
Conduct penetration tests that include multiple methods of social engineering and focus on different aspects of security, such as email use and physical access.
Enforce strict policies and procedures for the selection of third parties. Include risk assessments to verify that the third party has a quality security program in place. Keep a well-maintained inventory of third parties, and develop a response plan in the event of a third-party compromise.
Implement multi-factor authentication to reduce the risk if credentials are disclosed.
Implement physical security controls such as key fobs and name badges, and enforce policy and procedure for validating identification.
Implement advanced technical controls to identify and block potentially malicious emails and websites.
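As an added example (not part of the original article), the following Python script applies the kind of technical email check this last item calls for, run over a few constructed sample messages. It looks for the indicators described earlier in the article: a typosquatted sender domain or one that embeds a trusted name (login-page cloning, BEC impostors), a display name that borrows a trusted organization's name, fear/urgency wording, visible link text whose domain differs from the real href, and a legitimate URL carrying a query value that redirects to an outside host (the redirection method above). TRUSTED_DOMAINS, the urgency phrase list, the sample messages and the two-indicator threshold are all constructed assumptions for this illustration; a real mail gateway would combine checks like these with sender authentication results and domain reputation data.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs

# Constructed for this example: the organization's own domain plus a trusted vendor.
TRUSTED_DOMAINS = {"example.com", "vendor-example.net"}

# Phrases that carry the fear / urgency lure (constructed list; tune per environment).
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours",
                 "account will be suspended", "act now")


@dataclass(frozen=True)
class Finding:
    indicator: str   # short machine-friendly label
    detail: str      # what was seen, for the analyst


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a trusted domain one or two edits away is a typosquat candidate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Domain of the address in 'Display Name <user@domain>' or of a bare address."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header
    return addr.strip().rsplit("@", 1)[-1].lower()


def display_name(from_header: str) -> str:
    return from_header.split("<")[0].strip().strip('"')


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_lookalike(domain: str) -> bool:
    """Untrusted domain that is a near-miss of a trusted one, or embeds a trusted name."""
    if not domain or domain in TRUSTED_DOMAINS:
        return False
    return any(levenshtein(domain, t) <= 2 or t in domain for t in TRUSTED_DOMAINS)


def scan_message(from_header: str, subject: str, body: str,
                 links: list[tuple[str, str]]) -> list[Finding]:
    """Return every indicator found. `links` pairs each link's visible text with its href."""
    findings: list[Finding] = []
    domain = sender_domain(from_header)

    # Lookalike / typosquatted sender domain (cloned-site and BEC impostor lures).
    if is_lookalike(domain):
        findings.append(Finding("lookalike_sender", domain))

    # Display name borrows a trusted brand while the address does not belong to it.
    brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}
    shown = display_name(from_header).lower()
    if domain not in TRUSTED_DOMAINS and any(b in shown for b in brands):
        findings.append(Finding("display_name_impersonation", shown))

    # Fear / urgency wording in subject or body.
    text = f"{subject} {body}".lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        findings.append(Finding("urgency_language", ", ".join(hits)))

    for shown_text, href in links:
        href_host = host_of(href)
        # Visible URL names one site while the link goes to another (cloned page lure).
        if "://" in shown_text and host_of(shown_text) != href_host:
            findings.append(Finding("link_text_mismatch", f"{host_of(shown_text)} -> {href_host}"))
        if is_lookalike(href_host):
            findings.append(Finding("lookalike_link", href_host))
        # A legitimate host whose query string carries a URL pointing to an outside host.
        for values in parse_qs(urlparse(href).query).values():
            for v in values:
                if v.lower().startswith(("http://", "https://")) and host_of(v) not in TRUSTED_DOMAINS:
                    findings.append(Finding("external_redirect", f"{href_host} -> {host_of(v)}"))
    return findings


def verdict(findings: list[Finding]) -> str:
    """Two or more independent indicators is a strong signal; a single one deserves a look."""
    return "suspicious" if len(findings) >= 2 else ("review" if findings else "clean")


# Constructed sample messages: (From header, subject, body, [(visible text, href), ...]).
SAMPLES = {
    "phish": ('"Example IT Support" <helpdesk@examp1e.com>',
              "URGENT: your password expires within 24 hours",
              "Sign in immediately using the link below to keep access.",
              [("https://example.com/login", "https://examp1e.com/login")]),
    "redirect": ('"Example Payroll" <noreply@example.com>',
                 "Your payslip is ready",
                 "Please review your updated payslip in the portal.",
                 [("https://example.com/portal",
                   "https://example.com/r?next=https://payroll-example.test/")]),
    "benign": ('"Jane Doe" <jane@example.com>', "Lunch Thursday?",
               "Anyone up for tacos?", []),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        found = scan_message(*msg)
        print(f"{name}: {verdict(found)}")
        for f in found:
            print(f"  {f.indicator}: {f.detail}")
```

Each indicator on its own is weak (a real vendor may use a new domain, and urgent wording is common in legitimate mail), which is why the verdict counts independent indicators rather than reacting to any single one; the "redirect" sample shows a message from the trusted domain that still merits review because its link hands the reader to an outside host.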
Conclusion
The Human Factor, as it is often called, is commonly accepted as the weakest link in security. A defender should strive to understand all of the ways in which users are exploited so that they can apply the proper controls to make users more resilient, and protect the environment when that resiliency is overwhelmed. User awareness training and testing are generally considered the best way to arm users against social engineering. For further reading see my article on gamification in cybersecurity awareness training, or the following resources:
Cybersecurity – the Human Factor
Daily Cuppa
Today’s cup of tea is Tulsi Masala Chai provided by Organic India.
Enormous flavor packed into a single cup, with invigorating spices and a comforting aroma.