Social engineering has become an integral part of cyber fraud. We are talking about a special method of manipulation that helps to force a person to give the necessary data to the attackers. How? By exploiting human weaknesses – that is, the victim’s emotions and natural behavior. Social engineering is the art of manipulating users of a computer system to reveal sensitive information that can be used to gain unauthorized access to a computer system. The term can also include actions such as using human kindness, greed and curiosity to gain access to restricted buildings or tricking users into installing backdoor software. Today there are many methods of using social engineering. The basis is the manipulation of human fears, interest or trust. You can become a victim of social engineering both during personal communication and over the phone or through digital gadgets. Criminals can “disguise” themselves as institutions that a person trusts.
For example, pretending to be representatives of a mobile operator or bank employees, they can send e-mails with an attachment or a link that requires a person to enter their personal data. Victims can also additionally call and ask to open this application or go to the link. Such “live” communication is believed to add a lot of believability to the situation and usually leads people to open attachments. Knowing the tricks hackers use to trick users into divulging vital login information is fundamental to protecting computer systems.
Information Gathering: This is the first step in which a person learns as much as possible about the intended victim. Information is collected from company websites, other publications, and sometimes through conversations with users of the target system.
Attack Plan: Attackers describe how he/she is going to carry out the attack
Acquisition tools: These are computer programs that an attacker will use in an attack.
Attack: Exploit the weaknesses of the target system.
Use the knowledge gained. Information collected during social engineering tactics, such as pet names, birth dates of organization founders, etc., is used in attacks such as password guessing.
Social engineering methods can take many forms.
Below is a list of common techniques:
Familiarity exploit: Users are less suspicious of people they know. An attacker can become familiar with the target system’s users before a social engineering attack. An attacker can interact with users while eating, when users are smoking, he can join, at social events, etc. This makes the attacker familiar to users. Suppose a user works in a building that requires an access code or card to gain access; an attacker can track users when they go to such places. Users like to keep the door open for an intruder to come in because they are familiar with it. The attacker may also ask for answers to questions such as where you met your wife, the name of your high school math teacher, etc. Users are more likely to reveal answers because they trust a familiar face.
Frightening Circumstances: People tend to avoid people who scare others. Using this technique, an attacker can pretend to be having a heated argument over the phone or with an accomplice in the scheme. An attacker can then ask users for information that will be used to compromise users’ systems. Users are more likely to give correct answers to avoid a confrontation with an attacker. This trick can also be used to avoid being checked at a checkpoint.
Phishing: This technique uses trickery and deception to obtain personal information from users. A social engineer might try to impersonate a real website, such as Yahoo, and then ask an unsuspecting user to confirm an account name and password. This technique can also be used to obtain credit card information or any other valuable personal data.
Stalking: This technique involves following users behind as they enter restricted areas. Out of human courtesy, the user will most likely let the social engineer into the restricted area.
Human Curiosity Exploitation: Using this technique, a social engineer can deliberately drop a virus-infected flash drive in a location where users can easily pick it up. The user will most likely connect the flash drive to the computer. The flash drive may automatically launch the virus, or the user may try to open a file with a name like Employees Revaluation Report 2013.docx, which may actually be an infected file.
Human Greed Exploitation: Using this technique, a social engineer can lure a user with promises of earning a lot of money online by filling out a form and verifying their details with credit card details, etc.
A security threat is defined as a risk that has the potential to cause harm to computer systems and an organization. The reason could be physical, such as someone stealing a computer that contains important data. The cause can also be non-physical, such as a virus attack. In this tutorial series, we’ll define a threat as a potential attack by a hacker that could allow him to gain unauthorized access to a computer system.
A physical threat is the potential cause of an incident that could result in the loss or physical damage of computer systems.
In the list below, physical threats are classified into three (3) main categories;
Internal: Threats include fire, unstable power supply, moisture in the premises where the equipment is housed, etc.
External: These threats include lightning, floods, earthquakes, etc.
Human: These threats include theft, vandalism of infrastructure and/or equipment, failures, accidental or intentional errors.
To protect computer systems from the aforementioned physical threats, an organization must have physical security controls in place. The list below shows some of the possible actions that can be taken:
Indoor: Fire hazards can be prevented by using automatic fire detectors and fire extinguishers that do not use water to extinguish the fire. Unstable power supply can be prevented with voltage controllers. An air conditioner can be used to regulate the humidity in the IT room.
External: Lightning protection systems can be used to protect computer systems from such attacks. Lightning protection systems are not 100% perfect, but they do go some way to reducing the chance that lightning will cause damage. Placing computer systems in the highlands is one possible way to protect systems from flooding.
People: Threats such as theft can be prevented by using locked doors and limited access to computer rooms.
A non-physical threat is a potential cause of an incident that can lead to:
Loss or corruption of system data
Disrupt business operations that rely on computer systems
Loss of confidential information
Illegal monitoring of activity in computer systems
Cyber security breach
Below is a list of common types of non-physical threats:
Denial of service attacks
Distributed Denial of Service Attacks
Unauthorized access to computer system resources such as data
Other computer security risks
To protect computer systems from the aforementioned threats, an organization must have logical security measures in place. The list below shows some possible steps you can take to protect against cyber security threats
To protect against viruses, trojans, worms, etc., an organization can use antivirus software . In addition to antivirus software, an organization can also monitor the use of external storage devices and visits to websites that are likely to download unauthorized programs to a user’s computer.
Unauthorized access to computer system resources can be prevented using authentication methods. Authentication methods can be user IDs and strong passwords, smart cards or biometrics, etc.
Intrusion detection/prevention systems can be used to protect against denial of service attacks. There are also other measures that can be taken to avoid denial of service attacks.
Most of the techniques used by social engineers involve manipulating human biases . To counter such methods, an organization can:
To counter the familiarity exploit, users must be educated not to substitute familiarity for security measures. Even people they know must prove they have permission to access certain areas and information.
To counter phishing attacks, users must be trained to identify social engineering techniques that harvest sensitive information and politely decline.
To counter phishing, most sites like Yahoo use secure connections to encrypt data and prove they are who they say they are. URL checker can help you detect fake sites . Avoid responding to emails asking for personal information .
To counter malicious attacks, users must be trained not to allow others to use their security clearance to gain access to restricted areas. Each user must use their own access permission.
To counter human curiosity, it’s best to provide selected flash drives to system administrators, who should test them for viruses or other infection, preferably on an isolated machine.
To counter methods that exploit human greed, employees must be educated about the dangers of falling for such scams.