Social Engineering Concepts and Examples with Prevention Methods
Social engineering is one of the most critical aspects of cybersecurity, since many attacks arise from it rather than from traditional technical hacking. It is easier to manipulate people directly than to crack systems, which makes social engineering the most widely used attack method, with an ever-changing landscape of countermeasures. This paper discusses two examples of social engineering, compares them with the views on social engineering attacks held by two of the authors cited in the references, and examines the methods that could have prevented the attacks.
Examples and context of social engineering
The first example of a security breach caused by social engineering is the theft of customer information by masquerading as customer service: the attacker calls the customer and asks for confidential details about his mobile banking. The attacker then uses the acquired information to call the financial provider and claim to have lost the mobile banking service and SIM card; when asked the same verification questions that were put to the original customer, the attacker answers them, gets the line replaced, and withdraws the customer's money. Social engineering plays a huge role in gaining access to the customer's information, since trust is built between the customer and the intruder, which makes the customer more willing to give out information. The customer feels obliged to answer because the caller seems to be the genuine, authorized person to give information to, and because the customer sees no way the caller could do him any harm. This form of phishing is called pretexting, since personal information is stolen under the false pretext of one person phoning another to fetch their private information and then using it to steal from them.
The second example of an attack is an employee taking work material home that contains confidential information about the company and its people. A case example is the army administration attack, in which army officers' records, dates of birth and other data were stolen from employees' computers at home. Social engineering happened here because the employee carelessly took vital information home. He assumes that since his home is secure, nobody would think of eavesdropping on his personal computer or workstation there. Because of this trust in his premises, he leaves everything unattended and unsecured, which gives someone with malicious intent the opportunity to retrieve the information and data from his laptop.
Social engineering tactics work because people will trust anybody who builds trust and credibility. A call to the phone company, or to a person, requesting the customer's details such as security questions and date of birth, while giving a very plausible explanation for the request, makes the customer trust the caller more. Coupled with the customer's belief that his account is being given more security, this prompts him to willingly give information to the party who will use it to commit the social engineering attack. The attacker then simply uses the information obtained to call the genuine company posing as the customer and, if asked to verify some details, does so, having already obtained them from the unsuspecting customer.
Prevention of Social Engineering Attacks
To prevent the first security breach, the company could have taught its customers which numbers are authorized and in what context they might receive a phone call from the parent company. Educating customers makes them less trusting of any source that calls them in the course of their dealings and thus less ignorant of these tactics. Customers should have been told that under no circumstances will the company ask them for their sensitive information, so they should not expect any request for information from the company beyond the specified categories.
Conception of social engineering
Mitnick views social engineering as being prompted by the urge to learn something new and the push to have it easy in life. He believes that social engineering can be used for the positive gain of society, and thus not all social engineering attacks are meant to do evil, such as stealing data and identities from people. This curiosity can lead to someone obtaining confidential data from the laptop of an employee who takes work home, committing this social engineering in the name of merely looking through it. In the pretexting example, the caller may simply have been testing whether the client would give out vital information, and because of the client's naivety got everything he asked for. The attacker learns an organization's culture, such as introducing oneself with the company name, and uses it to lure his targets. Mitnick calls this tailgating, and it could have been used in the first attack.
A social engineering attack can be born out of the mere act of following the wrong rules. People tend to follow the rule they know rather than the best one, which affects their judgement and leads to social engineering attacks, as in the case of taking sensitive data home.
Importance of social engineering in cyber security
Social engineering has led to improved countermeasures in cyber security. Users are given priority in training on avoiding social engineering, such as the security policy and to whom and how they may give out information that is private to the organization they work for. This understanding of the social sphere has led to fewer successful cyber-attacks on people. An attacker will pretend to already have the sensitive information and coax his subject into giving the correct information by mentioning wrong information first, because if the attacker asked for the sensitive information directly, the person would not give it.
It has also sealed many loopholes in system vulnerabilities with regard to clients. Many systems are designed with numerous features that protect the customer and the company from social engineering, such as CAPTCHA images on the website to verify the person requesting information, and eliminating interfaces where customer information is disseminated through a phone call or email.
An appropriate audit policy should also be adopted, which will lead to fewer social engineering attacks, together with a management policy defining where and by whom information can be accessed, whether it may be taken home, and from where it may be accessed, for example through a centrally monitored server room.
Conclusion
It can be concluded that social engineering is a very important aspect of cyber security, and understanding it enables protection against attacks that exploit human vulnerabilities. Raising awareness among people and applying common sense prove to be very effective in preventing social engineering. This backs up the ongoing prevention effort from technological designs and thus makes our systems more secure against cyber attacks.
References
Anderson, R. (2001). Security engineering: A guide to building dependable distributed systems. New York: Wiley.
Hadnagy, C. (2011). Social engineering: The art of human hacking. Indianapolis: Wiley Publishing Inc.
Mitnick, K. D., & Simon, W. L. (2011). Ghost in the wires: My adventures as the world's most wanted hacker. New York: Little, Brown and Company.
Mitnick, K. D., & Simon, W. L. (2002). The art of deception: Controlling the human element of security. Indianapolis: Wiley Publishing Inc.