What is Social Engineering?
The hacking of humans, using knowledge of human behavior to elicit a defined response.
Manipulation of a user into revealing confidential information that are detrimental to that user or the security of our systems.
Why Social Engineering?
Approximately 98% of cyber attacks rely on social engineering.
Social Engineering is a component of the attack in nearly 1 of 3 successful data breaches, and it’s rising.
Social engineering attempts spiked more than 500% from the first to second quarter of 2018.
Common Attack Methods:
A person who works for or with an organization but has ulterior motives.
Might be one of the most dangerous threats to organizational security
An employee who steals information is an insider threat.
Data loss protection system can be used to help identify insider threats.
Pretexting is a form of social engineering where attackers focus on creating a good pretext, or a fabricated scenario, that they use to try and steal their victim’s personal information.
Common as a fraudulent phone calls to unaware targets, such as (reception desks).
Might as well be used to setup other attacks, such as facility entry/break in or phishing.
Can be avoided by providing employees awareness or education programs and establishing policies to handle suspicious pretexters.
If not discarded in a proper way, sensitive information may be discovered by attackers in dumpsters or trash bins.
Printed emails, reports, credit cards receipts…etc.
Network/application diagrams, device inventory with IP addresses.
Can be avoided by using shredders for paper disposals and establishing proper disposal policies.
Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity
The email might ask you to update account information.
The hyperlinks provided are unfamiliar.
Common baits: “Sweet deals”, “free stuff” ,”Limited time offers”.
Can be prevented by using multi-factor authentication, and enforcing user training.
Common as an attacker leaves a USB thumb drive or a CD within the organization’s premises with a key word such as Confidential/Secret.
Humans are curious by nature.
Probably has a malware in it named (secret stuff), uneducated employees would open it without caution, thus affecting a workstation inside the local net, or the whole network.
If succeeded might be fatal to a network.
Enforce strong disposal policies.
Limit facility ingress/egress points.
Implement proper technology to screen emails and websites for attacks.
User training and education plays a major role in preventing most social engineering attacks
Wikipedia : https://en.wikipedia.org/wiki/Social_engineering_(security)
Purple sec: https://purplesec.us/resources/cyber-security-statistics
Pratum’s slide share: https://www.slideshare.net/IntegritySRC/what-is-social-engineering-an-illustrated-presentation-70347323