Another great post from one of our consultants, this time from Dale Penn on the topic of Social Engineering.
Social engineering remains one of the most prolific and successful methods of attack. It is a non-technical attack that relies on a user being tricked or coerced into some form of action which presents the attacker with a window of exploitation; because it targets people rather than systems, it can bypass even the most robust technical controls. It is much easier to coerce a member of staff into providing information than it is to mount a technical attack on a web application or network.
It is important to note that the threat from social engineering tactics is almost always underrated by enterprise organisations, even though these tactics form an integral part of most modern-day attacks. The reason for this is that enterprise organisations currently tend to fixate on technical solutions to information security threats and neglect the human element.
Any organisation that wants to protect its information assets must be aware of the current Social Engineering threats.
The top 3 Social Engineering Methodologies
Phishing – This is the practice of sending emails that appear to come from reputable sources with the goal of influencing the recipient or obtaining personal information. A phishing email will usually contain a link that redirects the user to a fake web page, where they are asked to provide personal information such as usernames and passwords. Once entered, this information is captured and ready for use by the attacker. Gone are the days when phishing emails contained poor grammar and spelling and were easy to pick out; modern phishing emails are professionally created and very convincing.
Vishing – This is the practice of eliciting information or attempting to influence action via the telephone, and it may include tools such as caller-ID ("phone") spoofing. A common attack is to call a user within an organisation while pretending to be the IT helpdesk, and from there coerce the user into "confirming" their username and password.
Pretexting – This is the practice of impersonating another person, or inventing a plausible fabricated scenario (the pretext), with the goal of obtaining information or access to a person, company or computer system. Attackers focus on creating a good pretext that they can use to steal their victims' personal information. These attacks commonly take the form of a scammer who pretends to need certain pieces of information from their target in order to "confirm" the target's identity. More advanced attacks will also try to manipulate their targets into performing an action that lets the attacker exploit the structural weaknesses of an organisation or company. A good example of this would be an attacker who impersonates an external IT services auditor and manipulates a company's physical security staff into letting them into the building.
Defending against Social Engineering
- Education, Education, Education – All users should be appropriately trained to recognise these methods of attack. The workforce should adopt a culture of healthy scepticism when approached for sensitive information and not take things at face value.
- Develop policies and procedures to identify and handle sensitive information, so staff know what is sensitive to the organisation and what they can and cannot do with it.
- Introduce appropriate technical defences which limit these attacks (e.g. blocking or stripping active links in inbound email, or quarantining messages whose links do not go where they claim to).
- Review your security controls regularly to ensure they are still appropriate.
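As an added example of the third point (a technical defence against phishing links), here is a small Python mail filter. It is not part of the original post and is not taken from any product: it parses an inbound message with the standard library, extracts every active link from the HTML body, and either blocks the message outright (the blunt "no active links" control named above) or quarantines it when the visible link text claims one domain but the href points elsewhere, which is the classic phishing tell. The sample messages are constructed for the demonstration, and the function and helper names are my own.

```python
"""Added example: a minimal inbound-mail link filter (not the original post's code)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Link text that *looks like* a domain or URL, e.g. "https://login.example-corp.com".
# Plain words such as "Click here" do not match and make no claim about the destination.
DOMAIN_TEXT_RE = re.compile(
    r"^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/?#]\S*)?$", re.I
)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._in_a = False
        self._href = ""
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_a = True
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._in_a:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._in_a:
            self.links.append((self._href, "".join(self._text).strip()))
            self._in_a = False


def normalise_host(host):
    """Lower-case a hostname and drop a leading 'www.' so both sides compare fairly."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def claimed_host(text):
    """Hostname the link text claims to lead to, or None if the text is not domain-like."""
    m = DOMAIN_TEXT_RE.match(text.strip())
    return normalise_host(m.group(1)) if m else None


def analyse_message(raw, strict=False):
    """Inspect one RFC 5322 message and return (verdict, findings).

    verdict is 'deliver', 'quarantine' or 'block'. strict=True implements the blunt
    control from the post: any active link in an HTML body blocks the message.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    findings, links_seen = [], 0
    for part in msg.walk():                      # a non-multipart message yields itself
        if part.get_content_type() != "text/html":
            continue
        collector = LinkCollector()
        collector.feed(part.get_content())
        for href, text in collector.links:
            if not href:
                continue
            links_seen += 1
            parsed = urlparse(href)
            if parsed.scheme.lower() not in ("http", "https"):   # javascript:, data:, ...
                findings.append(f"non-web link scheme '{parsed.scheme}' behind text '{text}'")
                continue
            shown, target = claimed_host(text), normalise_host(parsed.hostname)
            # The classic tell: the text shows one domain, the href goes somewhere else.
            if shown and target and shown != target and not target.endswith("." + shown):
                findings.append(f"link text shows {shown} but points to {target}")
    if strict and links_seen:
        return "block", findings
    if findings:
        return "quarantine", findings
    return "deliver", findings


# Constructed sample messages (hypothetical domains, not real mail).
SAMPLE_PHISH = """\
From: IT Helpdesk <helpdesk@example-corp.com>
To: user@example-corp.com
Subject: Password expiry notice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today. Please verify your account:</p>
<a href="http://login.example-corp.com.verify-now.example.net/reset">https://login.example-corp.com</a>
</body></html>
"""

SAMPLE_NEWSLETTER = """\
From: Newsletter <news@example-corp.com>
To: user@example-corp.com
Subject: Monthly update
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Read more at <a href="https://www.example-corp.com/news">example-corp.com</a></p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("newsletter", SAMPLE_NEWSLETTER)):
        print(name, analyse_message(raw), "strict:", analyse_message(raw, strict=True)[0])
```

The mismatch check only fires when the visible text itself looks like a domain or URL, so "Click here" style links are neither blocked nor flagged in the lenient mode; if the organisation wants the blunt control from the post, run it with `strict=True` and accept that legitimate newsletters will be held too. In either mode a human still has to decide what to do with quarantined mail, which is exactly why the education point above comes first.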