When the average person pictures a hacker, he or she pictures someone glued to a keyboard, breaking into a system with some highly technical exploit, or writing a piece of malware fine-tuned to steal data or wreak havoc. Those things do, of course, happen. But a big share of successful intrusions depends on a practice that is decidedly low-tech and very old. The term for it in the tech world is "social engineering."
Social engineering is misdirection: the attacker preys on people's ignorance, absent-mindedness, personal vulnerabilities, or lack of understanding of how a given system works, and either takes what he wants or persuades the victim to hand it over.
It sounds like the sort of thing you would never fall for. But we see it every day. Many of the easiest and most commonly exploited entry points into networks rely on new takes on the classic social engineering scam. Now let’s explore the basics of social engineering for security experts and what they can do to stop such attacks.
Phishing: Social Engineering 101
An end user is sitting at work and receives an email from an old acquaintance. There's a link in the email inviting the recipient to click through and see some pictures from the acquaintance's latest family vacation. It seems strange; the two haven't talked in years. But the recipient figures that maybe the acquaintance simply added him or her to a mass mailing list, and scrolling through the pictures would be a decent distraction in the fifteen minutes before the next meeting. The recipient clicks the link. A moment later the malware behind that link is running on the workstation, and the attacker has a foothold inside the business network.
This sort of scenario happens frequently, and the social engineering element is what makes phishing schemes like this so dangerous—and so effective. Hackers know that people respond naturally to cues of familiarity in emails. Whether it’s allegedly coming from a friend (with an already compromised email address), from a person in a position of authority (say, from a big Internet service provider or bank), or from a person offering a too-good-to-be-true deal, like mysteriously found money, these sorts of scams induce people to click through. And victims only need to click once in order to make for a big enterprise-wide problem.
And the new era of big data is making this type of social engineering even more sophisticated.
Big Data and Big Scams
Personal data are stolen in data breaches for all sorts of different reasons. When it comes to financial data, the reasons behind stealing them are fairly obvious. But all those other data pulled off of compromised systems can actually provide hackers with social engineering tools. From a security perspective, this makes the spate of data thefts over the past few years even more disconcerting.
For instance, if data are stolen from a big-name retailer, hackers can then use that information in order to tailor their social engineering scams to seem more authentic. If a person is involved with a loyalty program through a retailer, for instance, a hacker with compromised user data can easily craft an email purporting to offer extra loyalty benefits if the person clicks through. Compromised personal data add a layer of authenticity, making it even harder to separate out phishing emails from real ones.
What Can Be Done
So what can security experts do to harden their organizations against such attacks? Several kinds of defenses are evolving to manage the threat.
End-user training is beginning to play an important role in staving off social engineering attacks. Simulated phishing campaigns, which send harmless look-alike phishing emails to staff at irregular intervals and track who clicks, are coming into use to keep workers on their toes and to measure whether the training is working.
Threat intelligence about campaigns currently active in an organization's sector can put the enterprise on alert and allow it to brief staff on the specific lures and sender impersonations to expect.
And advanced security solutions can also be implemented in order to better protect against and fight malware, even if it is successfully delivered through a social engineering attack.
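To make the kind of cues a phishing lure relies on concrete, here is an added example (not code from the original post) of the sort of indicator checks a mail gateway or a phishing-simulation tool can apply to an incoming message: a display name that borrows a trusted brand while the sending domain is not the brand's, anchor text that shows one URL while the href points at another, look-alike domains that contain a brand name, and links to bare IP addresses. The sample messages, the `TRUSTED_BRANDS` table and the `acme` / `acme-loyalty-bonus.net` names are all constructed for the example.

```python
"""Minimal phishing-indicator checks over an RFC 5322 message (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands this (hypothetical) organisation treats as trusted, mapped to the
# registered domain that legitimately sends mail for them.  Assumption for the
# example; a real deployment would load this from configuration.
TRUSTED_BRANDS = {"acme": "acme.com", "bigbank": "bigbank.com"}

# Constructed sample: a loyalty-programme lure of the kind described above.
SAMPLE_PHISH = """From: "Acme Rewards" <rewards@acme-loyalty-bonus.net>
To: user@example.com
Subject: Extra loyalty points waiting for you
Content-Type: text/html

<p>Hi, click <a href="http://acme-loyalty-bonus.net/login">https://rewards.acme.com/login</a> to claim.</p>
"""

# Constructed sample: a legitimate message from the brand's own domain.
SAMPLE_LEGIT = """From: "Acme Rewards" <rewards@acme.com>
To: user@example.com
Subject: Your monthly statement
Content-Type: text/html

<p>View your points at <a href="https://rewards.acme.com/account">https://rewards.acme.com/account</a>.</p>
"""


class _LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host):
    """Naive eTLD+1: the last two labels.  Fine for .com/.net; a real tool
    would consult the Public Suffix List so that example.co.uk works too."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url):
    """Hostname of a URL, tolerating a missing scheme (e.g. 'www.acme.com/x')."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def brand_in(text):
    """First trusted brand name mentioned in text (crude substring match), or None."""
    text = text.lower()
    for brand in TRUSTED_BRANDS:
        if brand in text:
            return brand
    return None


def phishing_indicators(raw):
    """Return a list of indicator strings for one raw message; empty means nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    indicators = []
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(addr.split("@")[-1]) if "@" in addr else ""

    # 1. Display name borrows a trusted brand, but the sending domain is not the brand's.
    brand = brand_in(display_name)
    if brand and sender_domain != TRUSTED_BRANDS[brand]:
        indicators.append(f"display name impersonates {brand}: sender domain is {sender_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    collector = _LinkCollector()
    collector.feed(html)
    for text, href in collector.links:
        href_host = host_of(href)
        # 2. Anchor text looks like a URL but the href goes somewhere else.
        if re.match(r"^(https?://|www\.)", text.lower()):
            if registered_domain(host_of(text)) != registered_domain(href_host):
                indicators.append(f"link text {text} hides {href_host}")
        # 3. Link host name-drops a brand on a domain the brand does not own.
        brand = brand_in(href_host)
        if brand and registered_domain(href_host) != TRUSTED_BRANDS[brand]:
            indicators.append(f"lookalike domain for {brand}: {href_host}")
        # 4. Bare IP literal as host: legitimate brands almost never link this way.
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", href_host):
            indicators.append(f"link to bare IP address {href_host}")
    return indicators


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(sample) or "no indicators")
```

Run against the two constructed samples, the lure trips three of the four checks and the legitimate message trips none. Note what these checks do not cover: the vacation-photos scenario at the top of this post comes from a genuinely compromised acquaintance's account, so the sender domain is real and only the link is suspect. That gap is exactly why the page pairs header and link checks with user training and endpoint protection rather than relying on any one of them.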
How have you seen enterprises fight social engineering and phishing scams?