Test your staff’s security awareness and day-to-day compliance with policies & procedures
Real-world attack simulations against your first line of defence.
What is Social Engineering
Over 30% of all hacks resulting in data breaches in the last year involved some form of social engineering attack, such as phishing or telephone pretexting. Why? Because it works. In cyber security terms, social engineering is an attack methodology that deceives people into giving an attacker sensitive information or unauthorised access. Think of it as hacking a human: social engineering is the art of exploiting human nature to gain access.
This can be done in a wide variety of ways, but essentially all social engineering attacks rely on tricking an end user into revealing their system authentication credentials to an attacker, or on gaining physical access to restricted areas or IT hosting facilities so the attacker can compromise the targeted system directly. It can be as simple as a fraudulent phone call claiming to come from the IT department or a bogus email requesting a password reset, or as involved as setting up a “phishing” site or visiting your premises pretending to be from a service company. Whatever form it takes, it is a highly effective attack methodology, and consequently its use is increasing dramatically in today’s threat landscape.
How does Social Engineering work
A social engineering attack relies on the manipulation of human behavior.
A person’s personality, good nature, beliefs, education, professional status or sense of social etiquette can often be exploited with ease, and they can be tricked into doing something that serves a hacker’s interests. This is how easily social engineering works, and why it is so dangerous. By and large, all social engineering attacks attempt to exploit one (or more) of the following four common human traits:
- Helpfulness: Our innate willingness to want to help others.
- Obedience: Our inclination to comply with the law, a direct request or an order from someone in a perceived position of authority.
- Fear: An unpleasant emotion caused by the idea that something or someone can harm us.
- Greed: A selfish desire for personal gain.
Social engineering requires nothing more than a basic understanding of simple behavioral psychology principles and some good acting skills.
Typical Social Engineering attacks
Successful social engineering attacks are delivered in contexts designed to exploit these human weaknesses. Typical social engineering attacks for instance include scenarios such as:
- Pretexting: Masquerading as someone else
- Baiting: Enticing the victim with promises of something of value
- Blackmailing: Threatening to reveal something that the target wishes to be kept secret
- Offering Quid Pro Quo: Promising something to the victim in exchange for the victim’s help
Social engineers use their knowledge of how people think in a variety of ways.
By targeting the human element, they increase their probability of a successful attack by bypassing defenses designed to protect against “conventional” hacking.
Why conduct Social Engineering Testing
Social engineering is a reliable and proven technique for bypassing technical security controls and obtaining unauthorised access to systems and information. System end users are the weakest link – this is a fact. And yet, most companies focus solely on testing the effectiveness of the security hardware and software controls they have implemented to reduce the risk of unauthorised access. A hacker will follow the path of least resistance to gain unauthorised access. Why bother hacking a firewall when they can pick up a telephone and trick an end user into revealing their logon credentials?
Conducting social engineering testing benchmarks the security awareness level of your end users and identifies weaknesses in operational and business processes that could be exploited for access. When considering the effectiveness of the controls you have put in place to prevent unauthorised access, you must think holistically. Good social engineering testing will spotlight vulnerabilities you have overlooked and give you invaluable insight into the actual level of security your information security risk management programme provides. The question is: why haven’t you undertaken social engineering testing?
Why engage Risk Crew
Risk Crew has been designing and successfully implementing simulated social engineering attacks against companies in virtually every business sector for well over 15 years. Social engineering is not a science – it’s an art. Risk Crew is staffed with social engineering artists. Each project is customised in terms of the time scale and objectives of the testing and our consultants follow a stringent methodology for all engagements, ensuring all objectives are met within the agreed time and budget.
Frequently Asked Questions about Social Engineering
Yes. In general, any attack that relies on the participation of a system end user involves some social engineering aspect. Injecting malicious code that would allow unauthorised access, for instance, is usually done through “phishing”.
Phishing is a broad term for any cyber-attack that attempts to obtain sensitive information such as logon credentials, passwords or credit or debit cardholder details by masquerading as a trustworthy entity in an electronic communication.
Spear phishing is a term for phishing attacks that target specific individuals or businesses to obtain sensitive information (such as logon credentials, passwords or credit or debit cardholder details). Unlike generic phishing, spear-phishing attacks are highly customised to their targets to increase the likelihood of success.
Whaling is a term for spear-phishing attacks that specifically target senior and high-ranking business executives to obtain sensitive information or to induce fraudulent financial transactions.
SMShing (also written “smishing”) is a term for a phishing attack conducted via SMS. Like phishing, it seeks to obtain sensitive information. The attack typically takes the form of a text message to a mobile telephone containing a link to a malicious software download or to a page that harvests credentials.
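The common thread in the phishing variants defined above is that the sender masquerades as a trustworthy entity. The script below is an added example, written for this page rather than taken from Risk Crew or any product, showing three of the most common ways a From: header is made to look trustworthy and how a simple triage check can flag each one: a display name that drops a trusted brand or address in front of an unrelated mailbox, a lookalike domain built from confusable characters (“rn” for “m”, a Cyrillic “а” for a Latin “a”), and a trusted domain used as a subdomain of an attacker-controlled host. The trusted domain, the confusables table and the sample headers are all constructed assumptions; real internationalised domains arrive punycode-encoded and are assumed here to have been decoded already.

```python
"""Flag sender-masquerading tricks in e-mail From: headers.

Added illustration for the phishing definitions above; not Risk Crew code.
TRUSTED_DOMAINS, CONFUSABLES and SAMPLE_HEADERS are constructed assumptions.
"""
import unicodedata
from email.utils import parseaddr

# Assumption: the (hypothetical) organisation's own mail domain.
TRUSTED_DOMAINS = {"example.com"}

# Character sequences an attacker substitutes to build a lookalike domain.
CONFUSABLES = {
    "rn": "m", "vv": "w",                           # ASCII pairs that read as one letter
    "0": "o", "1": "l", "3": "e",                   # digit-for-letter swaps
    "\u0430": "a", "\u0435": "e", "\u043e": "o",    # Cyrillic а е о
    "\u0440": "p", "\u0441": "c",                   # Cyrillic р с
}

# Constructed sample headers; only the first is genuinely from the trusted domain.
SAMPLE_HEADERS = [
    '"Payroll" <payroll@example.com>',
    '"Example IT Helpdesk" <helpdesk@exarnple.com>',            # rn -> m
    '"IT Helpdesk (it@example.com)" <it.helpdesk@gmail.com>',   # brand in display name
    '"Example Support" <support@ex\u0430mple.com>',             # Cyrillic а
    '"Account Security" <security@example.com.login-verify.net>',
    '"Jane Doe" <jane@partner-firm.org>',
]


def normalise_domain(domain: str) -> str:
    """Fold accents and known confusables so lookalikes compare equal."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    for lookalike, real in CONFUSABLES.items():
        folded = folded.replace(lookalike, real)
    return folded


def registered_domain(domain: str) -> str:
    """Crude registrable part (last two labels); a public-suffix list would be better."""
    return ".".join(domain.split(".")[-2:])


def classify_sender(from_header: str) -> dict:
    """Return a verdict ('trusted', 'suspicious' or 'external') plus findings."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    reg = registered_domain(domain)
    findings = []
    if reg in TRUSTED_DOMAINS:
        return {"address": addr, "verdict": "trusted", "findings": findings}
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # 1. Display-name impersonation: the brand (or a trusted address) appears
        #    in the free-text name while the actual mailbox lives elsewhere.
        if brand in name.lower():
            findings.append(f"display name '{name}' references {trusted} but mail comes from {domain}")
        # 2. Subdomain trick: trusted.domain.<attacker-host>.
        if domain.startswith(trusted + "."):
            findings.append(f"{trusted} used as a subdomain of {reg}")
        # 3. Confusable lookalike: identical once normalised, different as typed.
        if reg != trusted and normalise_domain(reg) == normalise_domain(trusted):
            findings.append(f"{reg} is a lookalike of {trusted}")
    verdict = "suspicious" if findings else "external"
    return {"address": addr, "verdict": verdict, "findings": findings}


def review_mailbox(headers) -> list:
    """Classify every From: header in a batch."""
    return [classify_sender(h) for h in headers]


if __name__ == "__main__":
    for result in review_mailbox(SAMPLE_HEADERS):
        print(f"{result['verdict']:<10} {result['address']}")
        for finding in result["findings"]:
            print(f"           - {finding}")
```

Two of the six constructed headers would pass a naive "does it say Example?" glance; the checks separate the genuine mailbox from the four impersonations and leave the unrelated partner address as merely external, which is the distinction an awareness-training exercise asks users to make by hand. The registered-domain helper deliberately ignores multi-label public suffixes such as co.uk; in production, use a public-suffix list.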
The best defence against social engineering attacks is to educate your end users. Users must be made aware of the threat and the methodology. Social engineering attacks are designed to exploit weaknesses in the way users think. All social engineering attacks boil down to getting someone to do, or allow, something that they should not. Users must be educated to question requests from unknown sources. The top 3 best practices to include in your user awareness training are to:
- Verify that the person is who they claim to be
- Verify that the person is a current employee or has a need-to-know relationship with the company
- Verify that the person is authorised to make the request.