Social Engineering Attacks
Social engineering attacks date back to the advent of the Internet, and before that, criminals were using the telephone to masquerade as trusted agents to obtain information. The phrase “phishing” roots back to the mid-1990s, when it was utilized to describe the procurement of Internet Service Provider (ISP) account information (Koyun and Al Janabi 7533). Nevertheless, it has evolved to include a myriad of cyber breaches that target sensitive data. With the world increasingly adopting technology and the online platforms brought by the Internet, individuals are becoming more vulnerable to search attacks. There are three primary factors that black hats, that is, attackers, have taken advantage of, and they include the unawareness of threat and policy and their technical sophistication.
In the world today, the Internet is regarded as the most extensive information exchange and communication medium. Often, information is distributed over several online communication channels, such as e-mail and social networking sites, to the extent that it has become part of both our business and personal communication. Organizations expect their staff to be flexible and mobile regarding their workspace, and this has led to a decrease in face-to-face communication. This suggests that an increasing amount of data is made accessible to employees via online channels. Moreover, compounded by the fact that organizations are increasingly embracing third-party service providers, file sharing and communication have shifted towards decentralized data access and cloud services (Koyun and Al Janabi 7533). Recently, security vulnerabilities in online data-sharing channels and communication have been used to steal sensitive data using techniques, such as phishing, spear-phishing, baiting, and ransomware, among others. Susceptibilities can be resolved, and the security of such conduits reinforced.
In the future, the same tricks will be used but with new technology, therefore, leading to more targeted and sophisticated attacks. Nevertheless, when it comes to manipulations by social engineers, the efficacy of such security-enhancing techniques is lessened. Social engineering attacks are considered the most superior forms of hacking, as humans are the weakest link in the system, and for this reason, it is regarded as the most significant threat in virtual communities.
Aspects of Social Engineering Attacks
Social engineering attacks are multidimensional, thus they comprise social, physical, and technical aspects, which are employed in various stages of the actual breach. Such attacks often use malicious codes or malware (worms, viruses, or bots).
Physical Approaches
In physical approaches, black hats execute some type of physical activity to collect data concerning a future victim. The data can range from personally identifiable information to credentials for a computer system. A technique that is commonly used is dumpster diving, in which the attacker searches through an organization’s trash to locate sensitive data regarding employees, memos, print-outs, and other physical pieces of sensitive information.
Social Approaches
Social approaches are regarded as the most essential aspect of social engineering attacks. Often, attackers depend on socio-psychological methods, such as Cialdini’s principles of persuasion, to engineer their victims (Koyun and Al Janabi 7534). An example of such a way is the use of “purported” authority. On the other hand, baiting and spear-phishing attacks require the establishment of a relationship between attackers and their future victims. They encapsulate reverse social engineering where the attacker attempts to build trust with the victim. It entails sabotage, advertising, and assisting.
Technical Approaches
Such attacks are usually performed over the Internet. Attackers employ search engines to collect personal information regarding future victims from different Web sources. One commonly used tool is the Maltego.
Cyber Attack Channels
The various forms of cyber-attack channels include:
- Email is the most popular channel for reverse engineering and phishing attacks
- IM is also gaining popularity for phishing and reverse-engineering attacks
- Telephones and voice-over IP are commonly used by social engineers to collect sensitive information from their victims.
- Social media enable attackers to create fake identities, hence, making it easy to identify and obtain sensitive data.
- Cloud services are employed in gaining situational awareness of a collaboration scenario.
- Websites tend to be used for waterholing attacks, and can also be used in conjunction with emails to conduct phishing attacks.
Prevention Techniques
The frequency and cost of cybersecurity breaches continue to rise, hence, making it challenging to defend against today’s breaches. To provide security, system components require sufficient security measures to warranty reasonable protection.
Human-Based Mitigation
It is more aligned towards utilizing human judgment in detecting and preventing social engineering. It comprises two main approaches; policy and auditing, and the educational, transfer, and awareness. In policy and auditing, rules about determining whether a situation is legitimate or an attack are implemented. On the other hand, auditing compliments the policy-based method as it aims to evaluate the degree of exposure or awareness to malware and social engineering breaches. In addition, education, training, and awareness (ETA) is an essential human-based mitigation strategy (Zulkurnain et al. 193). This is because most people have fallen victim to the breaches due to the absence of knowledge regarding breaches and ignorance towards passive warnings given by security devices. The education of employees is critical to ensure that policies, standards, and procedures that have been created are effectively deployed (Zulkurnain et al. 193). Personnel needs to be guided on how they can recognize attacks and how to handle them when encountered.
However, there are several issues with human-based intervention. Although it is the most essential and popular measure of detecting and preventing malware and social engineering attacks, it holds its disadvantages. Human judgment is often subjective even with instilled knowledge, therefore, attackers can still use emotional and psychological manipulation to access sensitive information. Second, security management standards only assess whether specific information security processes are present within an organization. Nonetheless, they do not expand on the content of such procedures in any sort of detail. Third, new employees are the most common targets of attack. Usually, they have neither completed the security training nor gained loyalty toward the company. The only way this can be mitigated is by restricting their access to organizational assets, however, this would limit them from efficiently performing their duties.
Technology-Based Mitigation
It constitutes protecting the organization’s network and the physical environment. About an organization’s network, the primary function of a firewall is access control. By restricting inbound and outbound communication that is explicitly defined in an organization’s firewall policies, the various attack vectors are reduced. It is often regarded as the first line of defense (Zulkurnain et al. 194). The second is defending the computing environment, which is achieved by operating system patching and hardening, antivirus updating, email attachment filtering, monitoring logs, and conducting routine vulnerability scans. On the other hand, the physical environment can be secured by using sensors, biometrics, and social honey pots.
Technology-based mitigation also has its disadvantages. The issue of added cost and increasing complexity in the overall system of an organization comes with the use of technology. Purchasing and maintaining technology requires substantial monetary investment. Furthermore, the added complexity heightens the potential for an attack on technological infrastructure as it might have software flaws. Finally, technology is ever-changing; therefore, an organization’s infrastructure might become obsolete as time progresses.
Human and Technology-Based Combined Mitigation
Independently, each method has its associated disadvantages, therefore, to overcome this effect, firms should embrace the use of both mechanisms. The technology-based mechanisms are used to complement subjective human judgment to ensure better protection. However, this merger implies an increased cost.
Works Cited
- Koyun, Arif and Ehssan Al Janabi. “Social Engineering Attacks.” Journal of Multidisciplinary Engineering Science and Technology, vol. 4, no. 6, 2017, pp. 7533-7538.
- Zulkurnain, Ahmad, et al. “Social Engineering Attack Mitigation.” International Journal of Mathematics and Computational Science, vol. 1, no. 4, 2015, pp. 188-198.