Despite being an integral aspect of many, if not most, major attacks, social engineering tactics always seem to go underappreciated by enterprise security teams. However, it’s often easier to trick someone into opening an email and exploiting a vulnerability that way, or convincing an unsuspecting assistant to provide a few useful bits of information, than it is to directly attack a web application or network connection.
So, when attackers employ social engineering tactics, what exactly are they doing? Think of social engineering as the act of exploiting people instead of computer systems. That exploitation can take the form of convincing someone to provide physical entrance to the data center (perhaps by acting like an insider or service tech) or tricking someone into offering a password and user ID over the phone.
The techniques for social engineering range widely, as does the potentially targeted information. For example, we said that social engineering could include a phishing email that tricks a user into opening an attachment that includes some type of exploit or payload. But social engineering techniques also include showing up dressed as delivery people, tech support, corporate attorneys, salespeople, job applicants—you name it and it has probably been attempted and has likely been used successfully somewhere.
Often, it’s the goal of the social engineer to push an attack just one step further by obtaining a password, or even getting a name that can be dropped in a planned, deeper social engineering attack. Or, it could be as simple as attempting to obtain information about the network and computer systems and where data are held within the organization.
Any organization that wants to protect its information systems and intellectual property needs to be aware of social engineering threats and train employees to be able to quickly identify such attacks. People throughout the organization can be approached at any time: friended online, approached at trade shows, or contacted by criminals acting as insiders as part of an attack.
Here are more details on how social engineers work, from our CSO’s Ultimate Guide to Social Engineering:
How social engineers work
There is an infinite number of social engineering exploits. A scammer may trick you into leaving a door open for him, visiting a fake Web page or downloading a document with malicious code, or he might insert a USB in your computer that provides access to your corporate network.
Typical ploys include:
Stealing passwords: In this common maneuver, the hacker uses information from a social networking profile to guess a victim’s password reminder question. This technique was used to hack Twitter and break into Sarah Palin’s e-mail.
Friending: In this scenario, a hacker gains the trust of an individual or group and then gets them to click on links or attachments that contain malware that introduces a threat, such as the ability to exploit a weakness in a corporate system. For example, says Netragard CTO Adriel Desautels, he might strike up an online conversation about fishing and then send a photo of a boat he’s thinking of buying.
Impersonation/social network squatting: In this case, the hacker tweets you, friends you, or otherwise contacts you online using the name of someone you know. Then he asks you to do him a favor, like sending a spreadsheet or giving data from “the office.” “Anything you see on a computer system can be spoofed or manipulated or augmented by a hacker,” says Desautels.
Posing as an insider: In many cases, the scammer poses as an IT help desk worker or contractor to extract information such as passwords from an unknowing employee.
Desautels also said that 90% of the people his firm successfully exploited during vulnerability assessments for clients trusted the testers because they thought they worked for the same company.
People want to be helpful, and they tend to discount the risks of doing so—and that can be a dangerous combination.
This is why employees and other insiders, such as trusted partners, need to understand how and why they could be targeted—and what to do when they suspect they have been. Additionally, many organizations don’t understand that social engineering is a crucial part of their security program.
With that in mind, we’ve developed the 2015 Social Engineering Survival Guide.
The first step to defeat social engineering attacks and scams is knowing what they look like:
Social engineering thugs have reached new lows, as gangs play on users’ fears of privacy loss, theft, and even death.
Proving once again that information viewed as harmless can often enable an attacker, the contestants in this year's Social Engineering Capture the Flag (SECTF) contest at DEF CON 22 worked in teams of two to collect vital information from some of the nation's largest companies.
Recent attacks on multiple France-based firms have exposed an aggressive social engineering campaign that has resulted in large amounts of money being stolen.
CSO gets a front row seat at this year's DEF CON Social Engineering Capture the Flag event and watches just how quickly skilled SEs manage to finesse valuable private information out of unsuspecting targets.
Twitter, like every other social platform, has an interesting attack surface, one that criminals have been exploiting for years. The instant connection to information offered by those platforms can be turned against their users, leading to a wide range of problems.
New research from Check Point Software finds social engineering is now a common attack strategy and organizations are getting hit frequently by hackers.
The Basics of Social Engineering
Before mastering social engineering defenses, it’s important to master the basics:
What is social engineering? What are the most common and current tactics? A guide on how to stop social engineering.
Social engineering techniques often are crucial to executing penetration tests. But which methods cross the ethical line—or even venture into the dangerous territory of illegality?
How a social engineering expert gained access to extremely sensitive information with little more than a thrift-shop shirt, a plate of cookies and a Linksys box.
Holding employees accountable for carelessly falling prey to social engineering schemes could lead to tighter security.
Social Engineering Deep Dive
Designing your own social engineering attacks and defending your organization against the attacks of others:
Stealing your company's hold music, spoofing caller ID, pumping up penny stocks—social engineers blend old and new methods to grab passwords or profits. Being aware of their tactics is the first line of defense.
Dave Kennedy, creator of social-engineer.org's social engineering toolkit, gives an overview of how the program was created and how it is always changing to keep pace with crime.
A detailed guide for testing your organization's insiders and their vulnerability to a social-engineering attack via a targeted spear-phishing campaign.
Behavior on social media can offer clues to potential threats of violence against an organization and its employees. Here are some tips for why and how security managers can keep an eye on social media to mitigate future problems.
This story, "The 2015 Social Engineering Survival Guide" was originally published by CSO.