The weakest link in every security posture is always the human element, which is a problem because the core asset of every business is its people. It is that human factor that makes social engineering such a significant, difficult to manage problem.
The term “social engineering” incorporates any and all human-intelligent interactions that are designed to elicit an involuntary or unconscious response that serves the social engineer’s need. In many cases, this means that social engineering is conducted to elicit sensitive/private information or induce end users or enterprises to adopt a certain set of behaviors.
Typically, social engineering is a precursor to, or simultaneous to, technology-based attacks. The overall attack, therefore, has a technical and a social component, allowing attackers to fine-tune their methods and reactions to end-user or corporate behavior. The more background research and intelligence the social engineer possesses, the more difficult it will be to recognize the social engineering attempt.
Social engineering is especially dangerous for employees who may have special access to valuable assets that other employees may not, such as the ability to wire funds. A good example of this occurred last year when Ubiquiti Networks Inc., a US-based manufacturer of high-performance networking technology for service providers and enterprises, was taken for US $39 million. An employee of a Ubiquiti subsidiary was the victim of a CEO scam, which hijacks or impersonates the email of a senior executive within an organization. In this case the victim, who had authority to initiate wire transfers, transferred large amounts of money from company accounts to the criminal’s accounts.
Adversaries are cognizant of the basic human tendency to trust people on face value, and accordingly, they abuse that trust to perform social engineering attacks. Unfortunately, the best way to combat these conditions is to change behavior. Specifically, it is best to change behavior in a way that makes people less trusting and more skeptical. Changing behavior is already difficult and especially more so when the change requires a person to acquire a bleaker outlook on the world around them. For these reasons, organizations need to recognize that results may require investments of time and resources to drive a long term change.
Increasing Vigilance, Awareness
It takes considerable training and awareness for organizations to develop the skills and collective mindfulness required to consistently fend off social engineering attacks. Though commonly seen as synonyms, it is important to note that training and awareness are distinct topics.
Training seeks to educate individuals about what they should or should not do. Through training, personnel become more educated about the ways they may unwittingly become victimized, so they can become more vigilant. For example, a good training program would teach attendees about why they should be suspicious of a phone call asking for information, and it would provide them with techniques to politely ascertain the validity of the request.
Awareness seeks to galvanize the group to address security problems together. Through awareness, members of a team become more cognizant of what each member is doing. For example, an effective awareness program leads members to raise a red flag if they see a delivery person walking through the office area unescorted. Seemingly innocuous circumstances (such as package deliveries) are the arenas in which social engineers operate most effectively.
Editor’s note: ISACA Now is running a series of blogs on the 10 threats covered in ISACA’s Cybersecurity Nexus (CSX)Threats & Controls tool. To learn more about the controls for cybercrime, as well as recent examples and references, typical patterns of cybercrime and more, visit the tool here. Ted Harrington drives thought leadership initiatives for Independent Security Evaluators, and is a sought-after speaker, presenting at high-profile conferences in a range of industries, including media and entertainment, hospitality, finance and others.
Ted Harrington, Executive Partner, Independent Security Evaluators
[ISACA Now Blog]