Bad news: cyber criminals are only getting better at what they do. In fact, with ever more data available and the help of machine learning, bad actors who want to attack victims via social engineering are probably enjoying an easier time of it. Social engineering is nothing new, but businesses may want to rethink the ways in which they work to prevent these types of attacks.
Humans are now the top target for cybercriminals. The number of Internet users is rising dramatically, up from 2 billion in 2015 to 3.8 billion in 2017. Cybersecurity Ventures estimates the number will reach 6 billion by 2022.
Social engineering attacks are not only on the rise but on the "rapid rise," per a Beazley report. The insurance firm in the first nine months of 2017 saw a nine-fold increase in the number of social engineering incidents reported by clients compared to the same period the year before.
What is Social Engineering?
The phrase social engineering may call to mind the great parties the engineers threw on your college campus, but it's nowhere as jovial, unfortunately. And, it can be a lot more dangerous.
Social engineering describes the process a person with ill intentions uses against human nature to gain access to data, systems, or physical premises. In social engineering, network or system vulnerability aren't exploited. Rather, the social engineers quickly access initial information about a victim, establish a basic level of trust, and leverage human impulses to please/help/trust or plain old be lazy.
There are many types of social engineering used to breach physical premises, applications, networks, and more. The range of ways someone might "people hack" includes:
- Calling an employee claiming to be from IT support to trick the user into sharing credentials.
- Sending business communications to employees that appear to be from another department, or the leadership team, to gain personal identifying information.
- Dropping USB devices near your location that some "good Samaritan" in your office might pick up and plug into a computer trying to find the rightful owner — only the drive installs malware.
- Appearing at the door holding something in both hands, needing someone else to open the door. It's only polite to help out right? Just like that, without needing a key or security badge, the person gains access to the premises.
- Creating social network accounts to exploit status updates, advertisements, group messaging, job postings and more to lure users to malicious websites.
- Pretending to be a new hire who needs a tour of the office or help accessing the network.
- Taking advantage of a world disaster to scam people into giving up their personal information by donating to a fake charity.
The list goes on and on, and no method of approach is off limits.
Your IT team may be awesome (and maybe you're part of it!). You might have a robust cybersecurity posture. But your employees can (often unwittingly) leave you open to attack. They click on malicious links or downloads. They reuse passwords (really weak passwords at that). They share too much information. They don't update software and applications when told to do so. They assume that they have nothing to worry about and don't take action to prevent attacks. It's just the way of the world, and bad actors know it.
Watch: The 3 Biggest Mistakes Social Engineers Make
Protecting Against Social Engineering – DIY Dangers
Regrettably, fighting this trend isn't as simple as telling your people to trust no one. If only.
Sure, education is an important defensive measure. You'll want to impress upon your people that any organization can be a target, review existing processes and procedures, and remind them to take the time to question and confirm. But more prevention and protection are needed.
Some businesses will try to bolster social engineering awareness among employees on their own, which is a start–RedTeamSecurity even offers an online course on the subject. Others might turn to automated social engineering, or hiring an outside firm to run the social engineering equivalent of a vulnerability scan on their human assets. There are even "social engineering toolkits" that promise to help automate social engineering with a simple, free download.
However, just as a security reporting mill isn't the best answer to ever-evolving cybersecurity threats, running a script to test social engineering awareness at your business is often insufficient. These automated approaches take a simple, one-size-fits-all approach to the problem; that's how they lower costs. Yet, by utilizing only lower-level techniques and taking a more sweeping approach to the problem, they don't accurately reflect the many steps a motivated social engineer will take to breach your business.
Social engineering attacks are easy to implement, typically low-cost, and often highly lucrative. As we've pointed out previously when discussing a good social engineering strategy, "Only 3% of malware Symantec Security encounters tries to exploit technical weaknesses. The remaining 97% tries to trick a user through some type of social engineering."
RedTeam Security's highly trained experts bring industry-specific expertise to our in-depth social engineering services. Drawing on deep experience with comprehensive penetration testing, we can customize our social engineering training or testing to not only find security issues but also put you on the path to fixing them.
Beware relying solely on a DIY social engineering approach. Your organization has too much on the line to risk by trying to save a quick buck.
Thinking of employing third-party social engineering testing? Just fill out our simple scoping questionnaire and we'll deliver a custom proposal to your inbox.
10-Point Offensive Security Checklist
Download Free Resource Download Free Resource