If you are reading this article, you likely have some level of curiosity or concern for the answer to that question. Unfortunately, the short answer is “probably.” The sad fact is that almost all Cybersecurity concerns within an organization stem from some variation of a Social Engineering attack. There are plenty of articles out there with eye-popping statistics, but it is estimated that 98% of Cyber events originate from Social Engineering. So, try not to feel bad if you think you’ve been a victim. And if you haven’t been a victim, you’d be in a very small percentage of the corporate world. Let’s talk a little bit about what the term means, as it’s thrown around quite a bit as a buzz word in the industry.
What is Social Engineering? It’s any means of manipulation of a person that results in divulgence of information or getting them to perform an action. It can be an incredibly broad topic and not often understood. The most utilized form and the easiest per victim for cyber criminals to utilize is “Phishing”. As talked about in previous articles, phishing can come from email or web links that trick victims into clicking on something that seems legitimate. Social Engineering can, and typically does, run deeper than that in which a bad actor connects with victims over phone, chat, or even face to face. We can look to the movies for some entertaining examples, which often follow real life scenarios.
One of the best representations of social engineering to come out of Hollywood is the movie “Sneakers” starring Robert Redford. If you haven’t seen the movie, you should, but I won’t spoil it for you here (even if it is from 1992; you’ve had plenty of time). Essentially, it’s a story of a team of security experts that test other companies’ security capabilities. They get blackmailed by the government into stealing a code cracking box. Their methods are a combination of hacking and social engineering, which today resemble the makeup of a “red team”. One of the great scenes of the film involves discreetly recording an employee of the building they are trying to access. They enroll a female companion to lure the male victim into saying a series of otherwise random words which, when edited together, unlocks the building’s physical security voice activation system. This is better known as the “passport” scene.
There are many other examples out there with a quick google search, but the point is that you often don’t know you’re a victim until it’s too late. The conversation you have with someone can seem innocent, or completely topical, but you have no idea of the intent of the other person. This is exactly what the cybercriminal is counting on. They want to lull you into a sense of security, and it may take them time to do so, but they are using the information you divulge against you for their gain.
So, what can we do about it? Are we to no longer have conversations with people we don’t know closely? Well, no… we can’t all become hermits and cutoff interaction with other people. What we can do is stay vigilant and think about the life cycle of how social engineering works. The life cycle consists of 4 layers: Investigation, Hook, Play and Exit.
Investigation is the actor identifying their victims, deciding upon their methods, and gathering background information. Then comes the Hook, where they engage the target, spin a story, and try to take control of the interaction. This is followed by the Play, often taking the most amount of time and energy. The Play is where they are siphoning information, expanding their posture in the environment, and executing the attack. Finally comes the Exit, or closing the loop, removing all traces of access and bringing the masquerade to a natural end.
We don’t want to leave you without some sense of hope in the process. There are ways you can protect yourself and your company from these types of act methods. The first thing is to keep a level head. When you come across an email that makes you feel alarmed, or you come across an offer on a website that looks attractive, take a few moments to analyze the situation. Look at the source address of the email, does it look suspicious? Don’t open it. If there’s an offer that seems too good to be true, it probably is. Do a quick Google search on the subject of the offer, there will likely be articles out there as to its authenticity. Protect your user credentials with multifactor, and lastly keep your systems updated, especially your antivirus and antimalware.
It is important to understand and recognize the different types of social engineering attacks and their effects on individuals and organizations. A corporate environment should have a documented policy on privacy and protections pertaining to social engineering events. These guidelines protect both the employee and the employer and need to be revisited to keep up with the ever-changing landscape of cybersecurity.
コメント