Social engineering is the art of manipulating computer system users into disclosing sensitive information that can then be used to gain unauthorized access to a computer system. The term also covers exploiting human traits such as helpfulness, greed and curiosity in order to get into restricted buildings or to persuade users to install backdoors.
Social engineering is a non-technical intrusion that relies heavily on human interaction and frequently involves tricking people into breaking normal security procedures; it uses social skills and human interaction to collect information about organizations or their computer systems.
How does social engineering work?
- Gather information: In this first step the attacker learns as much as possible about the intended victim. The information is collected from company websites and other publications, and sometimes by talking directly to users of the target system.
- Plan the attack: The attacker works out how the attack will be carried out.
- Acquire tools: The attacker assembles the tools that will be used when the attack is launched.
- Attack: The attacker exploits the weaknesses of the target system.
- Use acquired knowledge: Information gathered from social media and similar sources, such as pet names, dates connected to the company's founders, etc., is used in attacks such as password guessing.
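The last step above is why a password policy should reject passwords built from facts that are already public. The following check is an added example, not code from the original page; the organisation and every value in PUBLIC_FACTS are constructed for the demonstration. It undoes common letter-for-digit substitutions before comparing, so "B1scu1t" is caught as well as "Biscuit".

```python
"""Context-aware password check (added example, not from the original page).

Rejects passwords that contain terms an attacker could harvest from public
sources (company name, founder, founding year, a pet name posted on social
media), after undoing common letter/digit substitutions. The organisation and
all facts in PUBLIC_FACTS are constructed for this demonstration.
"""
import re

# Constructed sample of facts an attacker could collect from public sources.
PUBLIC_FACTS = {
    "company": "Acme Widgets",
    "founder": "Jane Doe",
    "founded": "1987",
    "pet": "Biscuit",          # as posted on the founder's social media
}

# Undo the substitutions people use to "disguise" a dictionary word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def context_terms(facts: dict, min_len: int = 4) -> set:
    """Split each public fact into tokens and keep those long enough to matter."""
    terms = set()
    for value in facts.values():
        for token in re.split(r"[^A-Za-z0-9]+", value):
            if len(token) >= min_len:
                terms.add(token.lower())
    return terms


def check_password(password: str, facts: dict = PUBLIC_FACTS, min_len: int = 12) -> list:
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")

    # Compare against both the raw lowercase password and its de-leeted form.
    views = {password.lower(), password.lower().translate(LEET)}
    for term in sorted(context_terms(facts)):
        if any(term in v for v in views):
            problems.append(f"contains publicly known term '{term}'")

    # Any four-digit year is a cheap guess (birthdays, anniversaries, founding dates).
    for year in sorted(set(re.findall(r"(?:19|20)\d\d", password))):
        if year not in facts.values():   # a year already reported as a known term is not repeated
            problems.append(f"contains a year ({year}), a common guess from birthdays and anniversaries")
    return problems


if __name__ == "__main__":
    for pw in ("Biscuit1987!", "B1scu1t!!!!!!", "Summer2024!!", "correct horse battery staple"):
        print(f"{pw!r} -> {check_password(pw) or 'OK'}")
```

In practice the PUBLIC_FACTS dictionary would be fed from the organisation's own inventory of what it publishes (website, press releases, social media), and the check would sit next to a breached-password lookup rather than replace it.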
Social engineering techniques:
The most common forms of attack, or strategies, that social engineers use include the following:
Phishing is the most common kind of social engineering attack. It relies on fake emails and the fake websites they link to. Phishing occurs when a malicious party sends a fraudulent email disguised as a legitimate one. The email is designed to trick the recipient into sharing personal data such as credit card numbers, passwords or social security numbers. It may also try to get the victim to click a link or download an attachment. Phishing has been around for a long time, but attacks have become increasingly numerous and sophisticated.
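The tell-tale signs in the paragraph above (a sender that only resembles a trusted domain, a reply address pointing elsewhere, a link whose visible text differs from its real target, and pressure language) can be checked mechanically before a message reaches a user. The triage function below is an added example, not code from the original page; the trusted domain and both sample messages are constructed for the demonstration.

```python
"""Phishing e-mail triage heuristics (added example, not from the original page).

Scans a raw RFC 822 message for look-alike sender domains, a Reply-To that
differs from the From domain, link text that does not match the link target,
and urgency wording. TRUSTED_DOMAINS and both sample messages are constructed.
"""
import email
import email.utils
import re
from email import policy
from typing import Optional
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplebank.com"}          # constructed "known good" sender domain
URGENCY = ("urgent", "immediately", "suspended", "verify your account", "within 24 hours")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str, trusted: set = TRUSTED_DOMAINS) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if trusted or unrelated."""
    if domain in trusted:
        return None
    for t in trusted:
        label = t.split(".")[0]                 # "examplebank" inside "examplebank.com-login.net"
        if edit_distance(domain, t) <= 2 or label in domain:
            return t
    return None


def _domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def _host(url_or_text: str) -> str:
    s = url_or_text.strip()
    if not re.match(r"^[a-z]+://", s, re.I):
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def triage(raw: str, trusted: set = TRUSTED_DOMAINS) -> dict:
    """Return the list of findings and a verdict ('ok' or 'suspicious') for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    _, from_addr = email.utils.parseaddr(msg.get("From", ""))
    from_dom = _domain_of(from_addr)
    imitated = lookalike(from_dom, trusted)
    if imitated:
        findings.append(f"sender domain {from_dom} resembles trusted {imitated}")

    _, reply_addr = email.utils.parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To domain {_domain_of(reply_addr)} differs from From domain {from_dom}")

    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""

    # Compare what the user sees in each link with where it really goes.
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        target = _host(href)
        shown = _host(text) if re.search(r"[\w-]+\.[a-z]{2,}", text, re.I) else ""
        if shown and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")
        imitated = lookalike(target, trusted)
        if imitated:
            findings.append(f"link target {target} resembles trusted {imitated}")

    haystack = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY if w in haystack]
    if len(hits) >= 2:
        findings.append("pressure language: " + ", ".join(hits))

    return {"findings": findings, "verdict": "suspicious" if len(findings) >= 2 else "ok"}


# Constructed sample messages: one phishing attempt, one legitimate notice.
PHISH = """\
From: Example Bank Security <alerts@examp1ebank.com>
Reply-To: support@mail-recovery.net
To: user@company.test
Subject: Urgent: your account will be suspended
Content-Type: text/html

<html><body><p>Your account has been suspended. Verify your account immediately
at <a href="http://examplebank.com-login.net/verify">https://examplebank.com/verify</a>.</p>
</body></html>
"""

LEGIT = """\
From: Example Bank <statements@examplebank.com>
To: user@company.test
Subject: Your monthly statement is ready
Content-Type: text/plain

Your statement for last month is available in online banking.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, triage(raw))
```

Heuristics like these produce false positives (a marketing platform legitimately sets a different Reply-To, for instance), so the output belongs in a mail gateway's scoring or a help-desk triage queue rather than in an automatic block.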
Pretexting occurs when one party lies to another in order to gain access to privileged information. The impostor creates a scenario that leads the victim to disclose confidential information. While phishing emails exploit fear and urgency, pretexting attacks rely on building a false sense of trust with the victim. For example, an attacker may claim to need personal information in order to confirm the identity of the victim.
Baiting involves an attacker who lures victims with the promise of an item or a reward. It is similar to phishing. For example, baiters may offer users free music downloads in exchange for submitting their personal information to a certain site.
Tailgating, often called "piggybacking", involves someone who lacks proper authentication following an employee into a restricted area. The attacker simply slips in behind workers who have legitimate access to the area.
Scareware is malicious software that warns the victim of a (non-existent) infection in order to pressure them into buying and downloading fake antivirus software. The fake security program keeps generating infection alerts and demands payment to remove them.
Shoulder surfing is an attack in which the attacker uses observation techniques to obtain information, for instance by looking over someone's shoulder while they enter sensitive, identifying data. It can be done at close range or from a distance using binoculars or other vision-enhancing devices.
Large corporations often discard items such as company phone books, program manuals, policy manuals, calendars of meetings, events and holidays, printouts of confidential data or login names and passwords, source code printouts, disks and tapes, company letterhead and memo forms, and outdated equipment into company dumpsters without much care. An intruder can use these items to obtain a great deal of information about the organization and its network structure. Searching through a company's trash for information that could be used against it is known as dumpster diving.
How to prevent social engineering attacks?
Security professionals are expected to take steps to prevent social engineering. Social engineering attacks cannot be avoided entirely, but their impact can be minimized. Some best practices against social engineering are:
- Run a cyber security education campaign.
- Require proper identification from everyone who comes on site to carry out a service.
- Set a policy that passwords are never disclosed over the phone or through other devices.
- Mandate password security standards.
- Build a security detection system.
- Limit access to information to those who need it.
- Implement caller ID technology and other supporting controls for the help desk.
- Make sure that users are aware of phishing emails; Cyber Streetwise (https://www.cyberstreetwise.com/common-scams) and Staying Safe Online (https://www.cyberstreetwise.com/common-scams) offer good advice.
- If your company is a member of CiSP, you may obtain guidance from other CiSP participants on improving user awareness. For more information on CiSP membership see: https://www.cert.gov.uk/cisp/
- Consider holding awareness sessions for staff, possibly during training or induction periods, including a demonstrative penetration test that shows how an (anonymised) member of the company was successfully targeted by a social engineering attack.
- Encourage users to question unusual requests or messages and to verify them by calling the originator on a previously verified number. Make users aware of their online footprint and warn them about how much information they expose on social media.
- Consider how much information the company makes public and how it could be used in a social engineering attack. Implement policies that minimize the risk of a successful phishing attack (e.g. never send confidential information outside your organization's network) and reassure users that they will not be disciplined for following the rules.
- Encourage users to talk to their colleagues and the IT help desk about suspicious emails or other social engineering events.
- As an organization, make sure you warn others about possible social engineering attempts through CiSP: you may not be the first to be targeted by an attack, but you may be the first to detect it.
- Assume that it is highly likely you will be compromised at some point, and make sure you have the ability to respond to and recover from incidents. In general, if your company adheres to the "10 Steps to Cyber Security" and the "20 Critical Controls for Cyber Defence", you will be well placed to prevent, respond to and recover from cyber incidents, including social engineering.
To be effective, policies, procedures and practices must be communicated to employees, taught and reinforced. Employees should be trained to recognize an attack, limit its impact and put obstacles in the attacker's way. Everyone, from top to bottom, must understand this and behave accordingly.
The best defence is therefore to educate users about the tactics social engineers employ and to raise awareness of how both people and computer systems can be manipulated into extending a false degree of trust. This should be backed by a security culture that encourages reporting, enforces information security policies and supports users. However, an attacker with sufficient skill, resources and, ultimately, luck will still be able to obtain the information they are after. This is why organizations and individuals must also prepare to respond to a successful attack and to recover from it.