Blog

Social Engineering: Low Tech, High Threat

Social media often is a fun diversion and has long served as an outlet for people to share information about themselves. When it comes to security, there are some real dangers with our relaxed posture on social media that we really should be paying attention to. What we and our employees do and share in these arenas can certainly affect the security of our personal and work lives. Organizations need to further orient themselves to the problems of social engineering threats and protect against attacks that can come from this continuously present information channel. They also need to educate employees about the dangers of social engineering emanating from oversharing of information on personal social channels.

Chances are you are keen to the basic sort of social engineering attack. Consider social media as a subset target of social engineering attacks where things like phishing, smishing, and unexpected phone calls are all part of the spectrum of threats. Last year, a data breach at the Ritz in London that evolved into vishing (voice phishing) attacks on high net-worth hotel guests demonstrated how conniving cybercriminals have become in this social engineering scam. Some of these attacks can get very sophisticated and convincing, but it always comes back to manipulation of the human mind. Information is one of the core prized assets of any organization (the same could be said about an individual). Therefore, the goal of these social attacks is to create mental lapses that cause security mistakes and disclose sensitive information by gaining trust and then using that trust to launch another attack. Social engineering attacks alone are not very damaging on their own, but they are always combined with another form of subterfuge to do the dirty work.

Fun and Games Until Somebody Loses

Think about this scenario: it may seem like a fun game to share your birthday or submit answers to a quiz you see in your social media channel, but that is exactly the kind of innocence that social attacks prey upon. Answers collected from a scam like this could open the door to an impersonator on a phone call, password recovery, or give a hacker a leg up on things to use to crack secure passwords. Data is everything.

Social engineering attacks are a component of practically every modern cyberattack today. Most recently, Samsung, Microsoft, Nvidia, The Ritz, and Morgan Stanley joined a long list of major profile companies that have been breached by means of social engineering. Billions have been lost through countless combinations of:

· Credential stealing

· Purchasing and exchanging cookies and credentials in public forums

· Targeting privileged employees including support, executive, and technical staff

· Privilege escalation

· Phishing in emails, links, and pages

· Impersonation

· Fake messages and pop-ups

Social as a Gateway

Social engineering attacks are constructed on facets of human behavior and response. The most successful attacks count on near scientific understanding of what happens when fear is used as a tool, or a false urgency is introduced – these are moments where rash decisions are made. We are all human and we are all therefore, targets.The organization must decide what protections it can leverage to detect and minimize harm to sensitive data.

The most recent social engineering tactics have moved beyond conventional tactics. To look at one example, in the recent Lapsus$ incidents the breach was extremely non-technical – in some cases insiders were contacted and convinced to simply turn over privileged credentials for small sums of money. Whether it was just for kicks, financial exchange, or some false sense of anti-corporate justice, the undermining of protections and privilege is more than what many companies can handle. While this group appears to be facing a dismantling at the moment, a bigger issue is whether the success of these campaigns will inspire other groups to continue using similar tactics.

The Prevention Key is Multi-Layered

If preventing social engineering attacks sounds dire, especially knowing the human element will always be the most fallible component and that most attacks are commonly spearheaded with social, that position is difficult to deny. These threats however are only part of the cybersecurity and information security spectrum and by combining technical controls and monitoring with continuous security awareness, these threats can be effectively mitigated. By building a multi-layer protection system around sensitive information and privileged accounts, the most common attacks can be prevented. Employee training is critical, and it should not occur just once a year. It should be a continuous program of not only security education, but also ethical phishing tests to understand the soft spots in your organization.

In addition to a solid base of updated security practices, organizations are looking to address potential oversights. For example, in Zero Trust, details matter, and you trust no one. You validate everything and everyone, everywhere. Encrypt everything, everywhere. That is one strong approach. You can further use security software and appliances that have anti-phishing, sandbox, and additional prevention capabilities. Many organizations have started to pay attention to data access design in everything from SharePoint to messaging systems. This can help prevent information leakage.

Alert, Alert, Protect

The specter of social engineering threats is extensive and difficult to protect against. Attackers can come from anywhere, in combinations of traditional mail, email, links, phone calls, SMS messages, social media pages, and more. This is one of the reasons why the benefits of a comprehensive security strategy are so critical. With robust monitoring and alerting in place, anomalous behavior, privilege escalation, unknown sources, and sign-in discrepancies are the sort of triggers that can alert the organization and stop a chain of events that often begins with simple social engineering. The practice of comprehensive security also ensures that an organization can efficiently (and safely) return to normal in the event of a major security incident.

This article was originally published in Forbes, please follow me on LinkedIn.