Social Engineering Attacks

The human element is often the weakest link in the security chain.

Data breaches, viruses, and other malware commonly make security headlines.  An entire industry of network and computer security has evolved to mitigate these threats.  However, most organizations overlook the weakest component of the security system – the human element.  Criminals, and others with malicious intent, are exploiting this weakness via social engineering.

What is Social Engineering? 

There are quite a few definitions of social engineering, but it is simply a term to describe the process of convincing someone to perform a specific action.  As defined by Wikipedia, “Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information.  While it is similar to a confidence trick or simple fraud, it is typically trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victims.”

Past, Present, and Future of Social Engineering

Although social engineering is a relatively new name, it is not a new concept.  Throughout history, deception has been used to manipulate human behavior.  In today’s environment, the risk from social engineering is significant.  There are several reasons why social engineering is so popular and will continue to grow.  The primary reason is a significant reliance on distributed computer systems to conduct commerce.  Because of the pervasive use of online systems, the payout from a social engineering attack is extremely lucrative.  As such, there is an ever-increasing risk of financial loss due to fraudulent transactions.  In addition, other financial impacts include expenditures to recover from data breaches, and decreased sales from negative publicity or lost competitive advantages.

Motivations Of Social Engineering Attacks

The motivation for conducting a social engineering attack is generally classified into one of three categories.  These categories and corresponding examples are detailed below.  

  • Financial Gain:  Obtaining online banking credentials, conducting wire transfers, etc.
  • Obtain Information:  Learning trade secrets, obtaining intellectual property, etc.
  • Revenge:  Conducting activities to embarrass a particular country, company or person.

What Is The Cost Of A Social Engineering Attack?

Overall, it is difficult to state the actual cost of a social engineering attack.  The cost includes direct financial losses due to fraudulent transactions; decreases in sales due to lost competitive advantages; and direct expenditures to recover from data breaches or to eradicate malicious software.

Attack Methods Used In Social Engineering

Social engineering attacks can take many forms.   However, there are three basic modes of social engineering attacks.   Depending on the motivations of the attacker, a social engineering attack may include one or more of the following methods:

In Person:  This attack method includes activities conducted with one or more of the perpetrators physically involved in the attack, such as attempting to gain physical access to computer rooms or other non-public facilities. 

Telephonic: This attack method includes activities conducted over the phone, commonly referred to as pretext calling.   

Electronic: Social engineering attacks via electronic methods are most common.  This attack method includes activities primarily conducted via email, which is referred to as a phishing attack.  Other electronic methods exist but are not as common.  Electronic methods of social engineering attacks are popular for the following reasons:
  • Electronic methods easily cast a wide net.  As such, a simple attack can be used to target thousands of users with little additional effort.  
  • Electronic methods provide low risk of being arrested and convicted.  Without the need to be physically present, the attacker is more difficult to apprehend, as they could be located anywhere in the world. 
  • Electronic methods require minimal interpersonal skills by the attacker.   The other two social engineering methods require more interpersonal skills, as there is direct interaction with the target, either on the phone or in person.  Unless the attacker is skilled in these areas, it is much easier for the target to get suspicious. 

Malicious Software     

Although many people are unaware of it, social engineering is commonly used to propagate malicious software, such as ransomware.  A significant portion of malicious software needs user interaction to be installed or activated.  Social engineering is a common method to get the user to perform such an action.  For example, a phishing email may include an attachment that contains ransomware.  An attacker may trick an employee into opening the malicious attachment by masquerading it as an invoice or other relevant document.

The Human Element Of Security

Although there are technical controls that can be implemented to mitigate or compensate for some social engineering tactics, the human element of security is often considered the weakest component in the security system.  It is often easier to use social engineering tactics to bypass a control rather than trying to hack or penetrate the control directly.  For example, it is easier to ask someone for his or her username and password to a web-based application than it is to obtain the password file and try to crack or decipher a user’s password.

Why is it so easy to get people to perform certain actions, such as giving up their passwords? Human nature.  The innate behavioral traits within most people allow them to be manipulated.  The partial list below outlines some of these traits. 

  • Most people want to be helpful.  When someone asks for help, most people have a subconscious desire to comply with the request. 
  • Most people are trusting.  When someone asks for something, the first reaction is to believe the request is true.
  • Most people like to say yes.  When someone asks for something, most people would rather fulfill the request than say no.
  • Most people avoid conflict.  When requested, most people would rather supply the request than deal with the conflict involved if they decline.

Because of these traits, a social engineer may use many tactics to elicit the desired response from the target.  Although an organization may have strong passwords, firewalls, and other security measures, all of these controls may be circumvented by an employee’s lack of security awareness.  As stated before, the human element is the weakest component in the security system.

Matter Of Time

If a company has not been the target of a social engineering attack, it is just a matter of time.  The severity and sophistication of the attack will depend on the ultimate value to the attacker.  However, no company or employee is immune.  The tactics may change, such as the content of the message or request, but all companies and employees are susceptible.  During social engineering testing, it has been documented that all types of personnel, from hourly workers to high-paid executives, can and will fall victim.  Through basic social engineering testing, over thirty-three percent of targets tested will comply with the requests presented during the testing. [8]

The Good News

The same techniques used by attackers can be used to test and train employees about social engineering.  As stated earlier, electronic means such as phishing are a primary method of attack.  The same reasons phishing works for the attacker make it good for auditors and security professionals.  The beneficial attributes of electronic testing methods, such as phishing, include:

  • Easy.  With the right tools, this does not take a lot of skill.  This allows an audit or security firm to add social engineering to their scope of control testing.
  • Traceable.  Much like online advertising, phishing provides very good traceability as the target’s actions are clearly documented.
  • Cost effective.  Social engineering tools do not cost much to use.

Defending Against Social Engineering

Testing and training are key controls for minimizing the impact from a social engineering attack.  However, such testing and training should be part of a layered approach to security.  As stated earlier, employees are susceptible to tricks and manipulation, but an organization’s other controls can lessen the impact of the human element.  As such, the traditional concept of layered security still applies.

  • Up-to-date Software.  By maintaining current and secure software, an organization can limit the potential impact of a vulnerability exploited by malicious software that a user may be conned into installing.
  • Minimize User Rights.  End-users should have the minimal amount of access needed to perform their duties.  In the event that a user’s system or access credentials were compromised, the impact would be lessened.  In particular, administrative access to systems should be extremely limited.
  • Strong Authentication.  Use strong authentication whenever possible.   It is much harder to get access to a system with true two-factor authentication, such as tokens or one-time passwords.
  • Training.  End users should be trained on security awareness.  This training should include social engineering tactics.  
  • Testing.  Without social engineering testing, the effectiveness of the training is not known.  Companies will test firewalls, and other technology, but often skip social engineering.

Training, Testing, and Remediation

The last two factors of a layered defense, training and testing, are critical when it comes to minimizing the impact from social engineering.  As stated earlier, only twenty-six percent of companies perform any type of social engineering prevention training, and of those, training is often limited to reading policy on the subject. [9]  Furthermore, training should include real-world examples of social engineering.  Testing is critical and can be used to reinforce and tailor training initiatives.

There are some key items to remember when presenting findings from social engineering testing.  As it relates to social engineering test results, the following points should be considered when addressing end users.
  • Present Findings Delicately.  Findings should be presented carefully, with a focus on training and to demonstrate that this can happen.  
  • People Can Be Resentful.   Employees may be embarrassed that they fell victim.  In addition, the employee may get resentful thinking that the company has set them up for failure by “tricking” them. 
  • Clarify Understanding of the Attack.  For example, if a technology administrator’s email is spoofed as part of a phishing attack, the recipients need to understand that the email was not actually sent from that person.  
  • Follow-up Testing and Training.  As stated earlier, approximately thirty-three percent of recipients will fall victim to basic social engineering testing.  With ongoing training and testing, the failure rate is reduced to around five percent. [8]  There are three primary reasons for the continued failure and the need for ongoing training and testing.  These reasons are described below.
      • Vigilance.  Due to everyday demands, people may let their guard down.
      • Turnover.  In a given year, most businesses will have new employees.  Depending on their background, these employees may have received very little security awareness training.
      • Forgetfulness.  Over time, people can simply forget.

Summary

Social engineering is the act of manipulating people into performing a certain action.  From a security perspective, the risk from social engineering is significant since the human element of security is the most difficult to manage.  Through social engineering tactics, an organization’s controls are often circumvented rather than directly attacked.  Although a layered defense involving technical controls can minimize the success of some attacks, social engineering awareness training and testing are primary prevention measures.