Security threats explained: Social engineering

Training, improved security policies and monitoring of social networks needed, say security experts

Social engineering, according to Quest Software, can be defined as the technique of using deception and manipulation to gain sufficient knowledge to dupe an unwary individual, employee or company.

For example, the Windows Event Viewer scam involved telemarketers calling people, telling them they have a virus and requesting the recipient's authority to run a Windows program called Event Viewer in order to fix ‘so-called’ bugs in the operating system. Other callers claim they can remove the virus for a fee and ask for people's credit card details.

In this series, Computerworld Australia examines some of the information security threats facing small businesses and larger enterprises today. We’ve looked at internal negligence and continue the series by speaking to experts about the problem of social engineering.

The threat of social engineering

Scammers have called people posing as a member of their company’s IT department and named the person’s boss in order to gain their trust, according to Sophos Asia Pacific director, Rob Forsyth.

“So if the ‘IT department’ rang and said that Pete [not his real name] has told them your computer was having a problem and they had been asked to fix it, would you do their bidding?” he asks. “Social engineering is the major tool used by criminals to build trust and undermine security.”

Check Point Software Technologies Australia and New Zealand managing director, Scott McKinnel, says social engineering is such a large threat because it exploits the predictability of, and the flaws in, human nature.

“Social engineering is so dangerous because it takes advantage of the one fallible part of any access point: human users,” he says.

He adds that people are naturally curious and will click on a uniform resource locator [URL] and download attachments without always thinking about security.

“What makes social engineering so cunning is that it takes advantage of human behaviour and is often disguised as something a person is expecting to receive in their daily working life such as a link or attachment directly to a work email address.”

In a business environment, employees’ machines are supposed to be protected by an antivirus solution so that even if social engineering works the network will remain safe, according to Bitdefender chief security research officer, Catalin Cosoi.

“Social engineering can overcome this obstacle too, as in some cases carefully crafted messages will attempt to persuade the victim to disable the solution that protects a computer. It’s a highly adaptive threat, constantly changing shape and baits,” he says.

Extent of the threat

Once someone has control of the employee’s computer, it is a much easier task to begin to mine data and dig deeper into company systems, according to Sophos’ Forsyth.

“In the case of the Sony PlayStation Network hacking, the loss of customer data resulted in a fall in market capitalisation of US$2 billion,” he says. “It took almost 70 years to establish the brand value of Sony, but in a matter of days this value was destroyed simply by careless data keeping.”

Social engineering attacks can go undetected both when the victim downloads malware and when attackers gain access to a system, warns Check Point’s McKinnel. From there, attackers can extract critical passwords or use an organisation's resources as part of a botnet to send spam.

“The cost of such security breaches can be enormous for an organisation,” McKinnel says. “Not only can valuable intellectual property be stolen, but there is the danger of breaching regulatory and compliance issues, the risk of immeasurable damage to a brand/customer confidence and the fallout of auditing and legal costs.”

Bitdefender’s Cosoi says social media is a very important vector for targeted attacks against companies. “The future of such attacks lies in social malware and social engineering: convincing people to infect themselves by installing applications that have a background agenda.”

Addressing social engineering

Check Point’s McKinnel says the best way to mitigate the risk of social engineering is a mix of technology, simple security policies and user awareness.

“Having a simply written security policy that staff and users can understand is key, and that policy needs to be supported by regularly repeated education focusing on the implications of security issues rather than just the rules,” he says.

In addition, companies should make the security policy accessible to staff and users by avoiding technical jargon and sharing posters around the office.

“Technology can also assist in user awareness,” adds McKinnel. “Employ technology that places the onus back on individuals and reinforces user education.”

For instance, pop-up confirmation boxes can be deployed before users download anything that looks high risk, send sensitive information or use media websites. “This technology embeds security practices into business processes without slowing down regular work activity,” he says.

Sophos’ Forsyth agrees that education is the key to rebutting attacks. “If staff are made aware of their part in protecting customer data [and trust] they will appreciate the need for vigilance,” he says.

“This training should be a joint responsibility of the information technology [IT] and human resources [HR] departments. It should also be a core component of staff induction and staff should receive regular updates on the latest threats.”

Social networks and instant messaging services should also be closely monitored to lessen the risk of social engineering, according to Bitdefender’s Cosoi.

“Sometimes, classified information can be leaked by employees through social network profiles or even personal blogs,” he says. “Some of the most frequent details that go public ahead of time are product-launch dates, product screenshots or other branding elements such as logos and boxes.”

Follow Hamish Barwick on Twitter: @HamishBarwick
