Social Engineering is the term given to art or technique to manipulate people to perform action willingly which will benefit the person who performs such manipulation. It may be divulging sensitive information, obtaining any kind of financial benefit.
[pullquote]Social Engineering is not bad term as deemed by many people. It has served for good and bad purposes. One example may be the use of undercover agents to bring down whole organized crime. Here, undercover agent gains the trust of criminal then start to collect evidence against them to build case which can be later used to incarcerate them.[/pullquote]
It is a well-known fact that, although the organization has airtight security controls, it can still be penetration by compromising its’ employees. This article will primarily focus on human factors that are susceptible to social engineering attacks.
Why is Social Engineering so Effective
The social engineering is a dangerous arsenal in the hands of criminals because there is no control either hardware or software to prevent these kinds of attacks. We human beings are unique creatures with lot emotions like fear, greed, lust, anger, jealousy, kindness, empathy and a lot of time we make a decision based on these emotions when quick judgment is required. This is the reason why social engineering is so effective, by heightening any of those emotions mention above, any perpetrator can elicit the desired response from the target.
Medium of Social Engineering
The main purpose of social engineering is to trick any person to do certain activities. The most successful methods of social engineering are:
- Phishing Attack: Here attackers will create a fake site almost similar to genuine sites and will trick a user to put their credentials on that site. Please feel free to watch my Phishing Attack video tutorial given below to learn comprehensive processes where attackers clone bank sites to harvest unsuspecting users ‘ internet banking credentials. These video tutorials will also demonstrate various ways to protect yourself against such attacks.
- Embedding Backdoor: This is a widely used method where an attacker will insert the malicious code in the legitimate apps and trick users to download them on the mobile.
- Vishing: Meaning Phishing using wire communication. Attackers will pretend they are from legitimate companies and ask for the user’s sensitive information.
These are only a few ways, but there are so many techniques available, and as a passage with time, these techniques are being more deadlier and effective.
Methods of Human-Based Social Engineering
Following are some of the social engineering techniques that are being applied by the attacker and also legitimate companies, sale person and anybody who want to have something from you. Therefore, understanding them is crucial.
1. Elicitation:
Elicitation is a method in which a person will disclose all the confidential information willing fully. There is one story where one German General during world war II, used to take them for a long walk and chat with them along the way. He was so friendly, by the time they return from the walk, the prisoner would have given all the information.
2. Priming:
We, humans, make a split-second decision as if we were operating on an automatic pilot because all the impulse decision is guided by our preconceived notions and ideas. Have you wonder, how many times time your judgment based on the appearance of people was wrong.
3. Pretext:
As a pretext, the social engineer creates a scenario in such a way the victim will have no way out but select the alternative given by the perpetrator.
4. Persuasion
In his book, Robert Cialdini, Influence: The psychology of persuasion has resulted in six leaders influence individuals to get what they want. They are:• Give favor to obtain favor in reciprocity.
• Commitment–Backing down implies tarnishing your self-image once you have engaged orally or in writing.
• Social evidence–we’re doing stuff other individuals see doing.
• Authority–People are obedient to figures of authority.
• Liking–That’s why most individuals are doing their wife’s stuff than their mother’s.
• Shortness–The more scarce things are, the more you want them.
5. Pre-loading:
You really want to go to the newly advertised barbeque store, but your wife wants to go to another restaurant. Now you’re beginning to speak about the last barbecue at home, how delicious it was, the sizzling sound and the aroma. Then, you pretend to go back to the newspaper, after turning a few pages, you look amazed and say to your wife, “Honey, you can imagine the city has a fresh barbecue store and it’s inexpensive. You want to go?”. I bet you the response will be in your favor definitely unless she is vegetarian.
In Preloading, the social engineer overloads the victim with the data so that the person acts according to the social engineer’s desires.
6. Manipulation:
Of course, this is the sinister method that can be used by the attacker. Usually, it is performed through the following ways: • Increasing suggestibility: by providing subtle clues to make your target accept your guidance.
Environmental control: primarily related to the control of the data received by the goal.
Creating Doubt: affect the system of objective beliefs in order to decrease its capacity to make reasonable choices.
Sense of powerlessness: targeting him / her to lose trust and manipulating him / her according to the will of the attacker.
Manipulating feelings: targeting something by evoking emotional reactions such as doubt, guilt, rage, humiliation.
Intimidating: Targeting by fear of physical pain or other unpleasant circumstances.
Vulnerable Targets
1. Receptionists and Customer Help Desk Staff: These are the most susceptible goals to obtain confidential business data.
2. Technical Support Executives: The attacker impersonating as client, seller, etc. 3 can trick them into obtaining sensitive data. System Administrators: The system administrator is liable for keeping the organization’s system and may understand delicate data such as credentials for administrators.
4. Vendors: They may be aimed for information gathering.
5. Attacker users and clients may pose as someone from the organisation to deceive clients for data.
[stextbox id=’alert’]ARE YOU PLANNING TO TAKE ANY PROFESSIONAL CERTIFICATION EXAM LIKE CISA, CISSP OR OTHERS, SOONER OR LATER. TO HELP YOU IN THIS JOURNEY, WE HAVE JUST A MOBILE APP FOR YOU, WITH TON OF FEATURES AND “ABSOLUTELY FREE”.ALSO, CHECKOUT OUR YOUTUBE VIDEO PRESENTATION FOR THIS APP WHICH ALSO INCLUDES GREAT TIPS ON PASSING THESE EXAMS. [/stextbox]
Mitigation:
1. Awareness:
This is most essential as employees need to be conscious of various assaults on social engineering in order to recognize and protect them from these assaults. They should be correctly notified of the latest news of assaults on social engineering.
2. Classification:
The Organization must classify its data, a critical database. On that grounds, the employee should be allocated a suitable clearance level.
3. Physical Security:
The organization should invest in various safety measures such as guards, biometric equipment, fencing, etc.
4. Security Policies
Organizations should create and implement security policies with zero tolerance for non-compliance. Staff should be made aware of different penalties and liability that they need to endure if they don’t fully comply with those security policies.
5. Updating Software
Many organizations, like Windows XP, use outdated software and systems. They have already recognized vulnerabilities and exploits are easily accessible. Therefore, distinct security hole updates must be patched on organizational systems.
6. Doing Audit
Organization, by means of the simulation of the same assaults as a malicious social engineer, can employ qualified specialists to conduct social engineering audits to check the individual’s, policies, and physical perimeter.
It is enough to say that we can not be the victims of a social engineering attack, but we can protect ourselves if we become conscious of the assaults.
If you want to learn more about social engineering, best way to read different psychology books. Following are really interesting and educational book that is worth your time.
[the_ad id=”524″]
Thank you for reading. Thank you for reading. SHARE, SUBSCRIBE, please LIKE…