Social engineering and how it affects the IT industry
Introduction
Internet fraud, or cyber crime, is on the rise. In the past few years the main medium of fraud was thought to be the internet alone, where criminals used sophisticated software to perpetrate attacks and gain unauthorized access to personal or company data. The same fear is still at large, but lately a lot of concern has shifted to social engineering. Social engineering can be perpetrated by the use of technology or by non-technological means. Either way, social engineering is a crime of major concern to all stakeholders, whether in the IT industry or not.
This paper focuses on social engineering and social engineers. The introductory part of the paper seeks to bring the reader to an understanding of what the term social engineering means. The reader is provided with detailed information that helps in realizing the gravity of the crime. The second part focuses on the ways in which the crime can be perpetrated by criminals. Lastly, the paper focuses on the effects of the crime on the IT industry. The discussion is based on the direct and indirect effects on the IT industry.
Social engineering
With the proliferation of technology and the expanding use of the internet in carrying out tasks in many organizations, internet fraud has topped the list of criminal activities that can be perpetrated using ICT resources. The internet is not the only source of fraud in the ICT field: stand-alone systems experience the same problems. The IT industry has been greatly affected by frauds that occur, or are perpetrated, as a result of human factors or technical problems. The notable kind of crime that affects the ICT industry is social engineering.
Social engineering is a non-technical kind of intrusion. It relies mostly on human interaction. In order to perpetrate the act, one has to trick an unsuspecting person into breaking normal security procedures. Social engineering is run by social engineers who carry out what can be referred to as a con game. Anyone using social engineering to perpetrate a crime must first gain the confidence of an authorized user or owner of the system. Once confidence has been gained, the user is enticed into revealing information about the security procedures or access methods of a computer system. People's weakness, carelessness and trust are the elements most exploited by social engineers. There are many forms through which social engineering can be perpetrated. As mentioned earlier, the key is to gain an individual's trust and confidence. This can be done by several means identified by the perpetrator that seem harmless to the target user.
Virus writers use social engineering tactics to convince people to run a piece of malware or open documents that contain malware. People are also convinced to reveal their sensitive information through a process referred to as phishing. Other methods include scareware, which is used to scare people into running applications that are useless and dangerous in nature.
Social engineers also rely on people's inability to adhere to the policies and rules that guide the use of ICT resources and services. Failure by system users to adhere to the culture of an organization that relies heavily on information technology is a recipe for social engineering exploitation. If a user or an owner of information is not aware of the value of the information at his or her disposal, the chances of safeguarding it securely are limited. Social engineers therefore exploit this vulnerability to their advantage.
Social engineering is becoming one of the most used means of perpetrating crimes in the IT industry. The effects caused by the act have influenced the industry in many ways. It is important to note that social engineering will not only affect the ICT field but will also largely influence other sectors of the global economy.
In order to understand social engineering better, the techniques and terms used are discussed below. A very important point to note is that social engineering techniques rely mainly on the cognitive biases of an individual. Cognitive biases refer to specific patterns in human decision making. Attack techniques therefore largely exploit these human cognitive biases. Some of the techniques include:
Pretexting
In this technique, invented scenarios are used to engage a targeted victim so that he or she divulges information or performs actions that divulge or weaken the security of systems. In order for this technique to be effective, a lot of research needs to be done about what the victim knows. These tricks can be used by experienced social engineers to trick businesses into exposing their customer or client information, among many other types of data. Pretexting can be used to impersonate almost anyone in an organization, provided the perpetrator has information about the target victim's particulars. One can impersonate police officers, co-workers, bank officials or even clergy.
Diversion theft
This is a type of social engineering which can only be exercised by professional thieves. This form of social engineering aims at convincing the victim that the intended destination of information is wrong and that a new destination provided by the attacker is the right one. In this case data and information end up being sent to the wrong destination.
Phishing
Phishing involves fraudulently obtaining private information. Most phishing attacks are perpetrated by email. An email that appears to come from a legitimate source is sent to an unsuspecting victim. Such emails normally contain links to fraudulent web pages that can cause loss of information on the victim's side or even cause serious harm to the computer systems used by the victim.
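The two signs described above (a sender that looks legitimate and a link that leads somewhere else) can be checked mechanically. The following Python is an added example, not part of the original paper; the message and every domain in it are constructed placeholders, and the "registrable domain" helper is a deliberate approximation (it takes the last two labels only).

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not from the paper); all domains are placeholders.
SAMPLE_EMAIL = """From: "Example Bank Support" <support@examplebank.com>
Subject: Urgent: verify your account
Content-Type: text/html

<p>Please <a href="http://examplebank.com.login-verify.example/acct">
login at https://www.examplebank.com</a> within 24 hours.</p>
"""

class _Links(HTMLParser):
    """Collect [href, visible text] for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href", ""), ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self._open = False

def registered_domain(host):
    """Crude approximation of the registrable domain: the last two labels."""
    return ".".join(host.lower().split(".")[-2:])

def suspicious_links(raw_email):
    """Flag links whose visible text names a different site than the href,
    and hosts that merely embed the sender's domain (bank.com.evil.example)."""
    msg = message_from_string(raw_email)
    sender_host = parseaddr(msg.get("From", ""))[1].split("@")[-1].lower()
    parser = _Links()
    parser.feed(msg.get_payload())
    findings = []
    for href, text in parser.links:
        href_host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"https?://([^/\s]+)", text)   # URL the reader sees
        if shown and registered_domain(shown.group(1)) != registered_domain(href_host):
            findings.append(("text_href_mismatch", href))
        if sender_host and sender_host in href_host and registered_domain(href_host) != registered_domain(sender_host):
            findings.append(("sender_domain_embedded", href))
    return findings
```

Each finding names the check that fired and the offending href, which is the information a mail gateway or awareness tool would surface to the recipient.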
IVR or Phone Phishing
Interactive voice response (IVR) is used to recreate a legitimate-sounding copy of a voice the victim recognizes, for example that of a bank official. In such cases a victim may reveal information such as credit card numbers or passwords. A well-designed con will create an IVR system that rejects the information provided several times. This prompts the user to enter many passwords, in the process exposing the passwords used in other sectors or in other systems.
Baiting
Curiosity is the element exploited in this method. Baiting is similar to a Trojan horse: it uses physical media and depends on the victim's curiosity or greed. Baiting involves the use of physical media as well as software. A link can be provided on a web page indicating something enticing. A victim will be tempted to click on the link and in the process expose the system to serious attacks.
Quid pro quo
The term quid pro quo means something for something. This can be implemented randomly by an attacker without a chosen target in mind. An attacker might pose as a support officer in an organization and call random numbers with the intention of conning whoever answers. This can be done until it hits on one unsuspecting victim. It relies mostly on exploiting human weakness for personal gain.
Effects of social engineering on the IT industry
Social engineering has been recognized as the most common way of perpetrating crimes in the IT industry. As the criminals who use this methodology become more and more advanced, the IT industry and its stakeholders are changing the way they operate. Change is necessary if social engineering is to be combated.
The operational procedures of any organization that relies on IT resources for its operations have changed significantly in the past due to the threat of social engineering. Some changes are introduced by the stakeholders while others occur naturally. Action is met by reaction: once bitten by a social engineering attack, an organization will automatically change its methods of operation in order to prevent such a problem from recurring.
The following section discusses the manner in which operations in organizations have been forced to change due to the effects of social engineering. The faith that users had in IT systems is diminishing, and to restore that faith and confidence the stakeholders in the IT field have been forced to implement measures that counteract the vice.
Information categorization
The IT industry has been forced to implement measures for the categorization of information and data. Stakeholders have been forced to identify sensitive information in any set-up. The same information is identified for the purposes of protection. In order to categorize information, an organization needs to develop procedures that can be used in the process. Such procedures need to be developed by experts in the field of data management and information and knowledge management. IT personnel spend a great deal of time determining which data to consider private and hence in need of extra protection.
Data categorization has therefore led many organizations to invest in personnel who are able to do the task. Policies have been developed to ensure that data protection measures are in line with the expectations of the stakeholders.
Employee training
Research has been conducted in this area in order to understand the factors contributing to such vices. The results of such research have been relayed to the stakeholders in the IT industry so that they can pass the information on to their clients and system users. As a result, employees have been trained to verify identity before divulging sensitive information to anybody. Employees and all relevant bodies have also been made aware of which information is sensitive and very valuable. Companies, especially banks, regularly advise their employees against revealing credit card numbers by any means. This makes employees understand the value and sensitivity of the matter, and they are therefore kept in a state of constant awareness of the possibility of a social engineering attack targeted at them.
Complex and fool-proof system development
In a bid to solve the problem of social engineering, the IT industry has been rife with innovation and creativity. Systems that are fool-proof and complex in nature have been developed. Such systems include voice recognition software and biometric scanners, among others. Though these have been developed, the problems of social engineering are still prevalent in the industry. Social engineering is therefore still a thriving vice in the industry despite such measures.
Loss of business potential/loss of data and information
The vice has affected the industry a great deal. Many organizations have lost growing business potential due to the loss of information and data pertaining mainly to their competitive edge. The financial losses encountered have not been small. The negative effect introduced by the crime has therefore put the industry on a road of distrust, where people consider IT resources and technology at large a recipe for criminal activity. Data lost to social engineering has therefore compromised the integrity and availability of data. In some cases lawsuits have been brought against companies because of such problems.
Conclusion
Social engineering is still a big problem in the ICT industry. As much as methods have been developed to combat the crime, the perpetrators will always find new means of perpetrating their criminal activities. The difficulty in implementation arises from the fact that personal weaknesses and feelings are exploited in the attack. It is recommended that more research be done in the field to understand the ways in which users can identify such attacks.