Organizations battle daily with social engineering-based cyberattacks and unfortunately often find themselves on the losing side. What can be done? To determine this, we need to step back from our technological tools and start with the psychological basis of why social engineering works and why it is a tactic of choice for cyber attackers. Armed with that knowledge, organizations can begin to mount a more effective defense.
When people think of social engineering they tend to think of phishing, which is a huge problem. According to the 2015 Verizon Data Breach Incident Report (DBIR), 23 percent of phishing recipients open messages, and 11 percent click on attachments. The 2013 DBIR reported 95 percent of incidents attributed to state-sponsored actors used phishing, and more than two-thirds of cyber-espionage incidents involved phishing.
A cybercrime campaign of only 10 emails yields a greater than 90 percent chance that at least one person will click on a malware link. Fifty percent of users open emails and click within the first hour of receiving them.
Going Beyond Phishing
But the social engineering problem goes well beyond phishing.
It is no wonder hackers use social engineering techniques; they work. Hackers are in business and are looking for a return on investment. Whether it is stolen identities, bank account numbers, intellectual property or just notoriety, they are looking for a return for their time.
Think of it this way: If you had a choice to spend hundreds of hours scanning networks, identifying operating systems and applications in use, determining vulnerabilities, and crafting malware, or making one phone call pretending to be from the help desk and talking a user out of his/her password, which would you do? Social engineering provides a greater return on investment.
Social engineering is not an invention of the information or even the industrial age; it has been around throughout history (look at the original Trojan horse). There is a psychological basis for why social engineering works. All of the following human traits can be turned against a target to achieve the attacker's goal:
- Sense of urgency
- Desire to be helpful
There are many tools available to cybercriminals to conduct social engineering and gain valuable information from individuals, including Google and other search engines, dumpster dives, simple phone calls to just ask, burner phones (prepaid cell phones replaced frequently to avoid leaving a trail), caller ID spoofing, doppelganger domains, fake public Wi-Fi access points, and, yes, phishing email.
Fighting Back Against Social Engineering
So how do you block this path of least resistance: prevent attacks, detect attacks sooner and lessen their impact? First, it is critical to know what information hackers are looking for in social engineering attacks and how to protect it. Having some technical security controls in place is critical as well. And, finally, awareness training, which turns your people into detectors of social engineering attempts, will go a long way in addressing the weakest link in these sorts of attacks: humans.
Douglas Rausch is President of Aurora Cybersecurity Consultants, and an assistant professor of cybersecurity at Bellevue University, Bellevue, NE. His expertise centers on providing risk management, cybersecurity, governance and awareness training expertise to organizations worldwide. He brings 25 years of experience as a cyber operations officer in the US Air Force, leading risk management activities, assessing cybersecurity, and recommending cybersecurity policy and technologies for Department of Defense and Air Force terrestrial and space systems. He was recently appointed to the National Initiative for Cybersecurity Education (NICE), Training and Certification Sub-Working group.
Rausch will present a webinar, Social Engineering: Placing Obstacles on the Path of Least Resistance, on Tuesday, 23 February, at 11AM Central Standard Time.
Douglas Rausch, CISSP
Aurora CyberSecurity Consultants, Inc.
[ISACA Now Blog]