The 2015 Social Engineering Survival Guide

Despite being an integral aspect of many, if not most, major attacks, social engineering tactics always seem to go underappreciated by enterprise security teams. However, it’s often easier to trick someone into opening an email and exploiting a vulnerability that way, or convincing an unsuspecting assistant to provide a few useful bits of information, than it is to directly attack a web application or network connection.

So, when attackers employ social engineering tactics, what exactly are they doing? Think of social engineering as the act of exploiting people instead of computer systems. That exploitation can take the form of convincing someone to provide physical entrance to the data center (perhaps by acting like an insider or service tech) or tricking someone into giving up a password and user ID over the phone.

The techniques for social engineering range widely, as does the information being targeted. For example, we said that social engineering could include a phishing email that tricks a user into opening an attachment carrying some type of exploit or payload. But social engineering techniques also include showing up dressed as delivery people, tech support, corporate attorneys, salespeople, job applicants—you name it, and it probably has been attempted and likely been used successfully somewhere.

Often, it’s the goal of the social engineer to push an attack just one step further by obtaining a password, or even getting a name that can be dropped in a planned, deeper social engineering attack. Or, it could be as simple as attempting to obtain information about the network and computer systems and where data are held within the organization.

Any organization that wants to protect its information systems and intellectual property needs to be aware of social engineering threats and train employees to quickly identify such attacks. People throughout the organization can be approached at any time: friended online, approached at trade shows, or contacted by criminals posing as insiders as part of an attack.

Here are more details on how social engineers work, from CSO’s Ultimate Guide to Social Engineering:

How social engineers work

There is no limit to the number of social engineering exploits. A scammer may trick you into leaving a door open for him, visiting a fake Web page or downloading a document with malicious code, or he might insert a USB device into your computer that provides access to your corporate network.

Typical ploys include:

Stealing passwords: In this common maneuver, the hacker uses information from a social networking profile to guess a victim’s password reminder question. This technique was used to hack Twitter and break into Sarah Palin’s e-mail.

Friending: In this scenario, a hacker gains the trust of an individual or group and then gets them to click on links or attachments that contain malware that introduces a threat, such as the ability to exploit a weakness in a corporate system. For example, says Netragard CTO Adriel Desautels, he might strike up an online conversation about fishing and then send a photo of a boat he’s thinking of buying.

Impersonation/social network squatting: In this case, the hacker tweets you, friends you, or otherwise contacts you online using the name of someone you know. Then he asks you to do him a favor, like sending a spreadsheet or giving data from “the office.” “Anything you see on a computer system can be spoofed or manipulated or augmented by a hacker,” says Desautels.

Posing as an insider: In many cases, the scammer poses as an IT help desk worker or contractor to extract information such as passwords from an unknowing employee.

Desautels also said that 90% of those they successfully exploited during [vulnerability assessments for clients] trusted their firm because they thought they worked for the same company as them.

People want to be helpful, and they tend to discount the risks of doing so—and that can be a dangerous combination.


This is why employees and other insiders, such as trusted partners, need to understand how and why they could be targeted—and what to do when they suspect they have been. Additionally, many organizations don’t understand that defending against social engineering is a crucial part of their security program.

With that in mind, we’ve developed the 2015 Social Engineering Survival Guide.

Building Awareness

The first step to defeat social engineering attacks and scams is knowing what they look like:

Four of the newest (and lowest) social engineering scams

Social engineering thugs have reached new lows, as gangs play on users’ fears of privacy loss, theft, and even death.

Social engineers work in teams to harness the power of information

Proving once again that information viewed as harmless can often enable an attacker, the contestants in this year's Social Engineering Capture the Flag (SECTF) contest at DEF CON 22 worked in teams of two to collect vital information from some of the nation's largest companies.

Aggressive social engineering campaign uncovered in Europe

Recent attacks on multiple France-based firms have exposed an aggressive social engineering campaign that has resulted in large amounts of money being stolen.

DEF CON attendees demonstrate social engineering prowess in CTF contest

CSO gets a front row seat at this year's DEF CON Social Engineering Capture the Flag event and watches just how quickly skilled SEs manage to finesse valuable private information out of unsuspecting targets.

Social media remain an easily exploitable attack surface

Twitter, like every other social platform, has an interesting attack surface, one that criminals have been exploiting for years. The instant connection to information offered by those platforms can be turned against their users, leading to a wide range of problems.

Social engineering attacks costly for business

New research from Check Point Software finds social engineering is now a common attack strategy and organizations are getting hit frequently by hackers.

The Basics of Social Engineering

Before mastering social engineering defenses, it’s important to master the basics:

Social Engineering: The Basics

What is social engineering? What are the most common and current tactics? A guide on how to stop social engineering.

Social engineering in penetration tests: 6 tips for ethical (and legal) use

Social engineering techniques often are crucial to executing penetration tests. But which methods cross the ethical line—or even venture into the dangerous territory of illegality?

Social Engineering: Anatomy of a Hack

How a social engineering expert gained access to extremely sensitive information with little more than a thrift-shop shirt, a plate of cookies and a Linksys box.

Punish careless employees to reduce security breaches, vendor says

Holding employees accountable for carelessly falling prey to social engineering schemes could lead to tighter security.

Social Engineering Deep Dive

Designing your own social engineering attacks and defending your organization against the attacks of others:


Social Engineering: Eight Common Tactics

Stealing your company's hold music, spoofing caller ID, pumping up penny stocks—social engineers blend old and new methods to grab passwords or profits. Being aware of their tactics is the first line of defense.

The Social Engineering Toolkit

Dave Kennedy, creator of social-engineer.org's social engineering toolkit, gives an overview of how the program was created and how it is always changing to keep pace with crime.

Pen Tester's Guide: Steps for Executing a Social-Engineering Attack

A detailed guide for testing your organization's insiders and their vulnerability to a social-engineering attack via a targeted spear-phishing campaign.

Why security should monitor social media to prevent violence

Behavior on social media can offer clues to potential threats of violence against an organization and its employees. Here are some tips for why and how security managers can keep an eye on social media to mitigate future problems.

This story, "The 2015 Social Engineering Survival Guide" was originally published by CSO.

Stories by George V. Hulme