Today, one of the most valuable assets for organizations is information. Sharing information with other entities often suggests an invasion of privacy.
For this reason, institutions (government, educational, financial, etc.) look for ways to implement security controls to protect their information, such as camera circuits, safes, firewalls, etc., measures that are also expensive.
However, there is an insecure resource that stores very sensitive information: the human mind. Either due to forgetfulness or the challenge of securing information inside the heads of their employees, organizations do not pay much attention to this aspect.
Regardless of how many physical or logical locks there are to protect an asset, by giving access to a person, there will always be a human risk present, and therefore vulnerable to social engineering.
What is Social Engineering?
Social Engineering is the act of manipulating a person through psychological techniques and social skills to achieve specific goals.
These contemplate, among other things: obtaining information, accessing a system, or carrying out a more elaborate activity (such as the theft of an asset), which may or may not be in the interest of the target person.
Social Engineering is based on a simple principle: “the user is the weakest link”. Since there is not a single system in the world that does not depend on a human being, Social Engineering is a universal and platform-independent vulnerability.
It is often heard among security experts that the only safe computer is the one that is unplugged, to which Social Engineering lovers usually reply that there will always be an opportunity to convince someone to plug it in.
Social Engineering is an art that few develop because not all people have "social skills". Even so, there are individuals who, from an early age, have shown that they have the aptitude and, with a little training, turn it into the ideal way to carry out malicious actions.
For example, there are crackers who, instead of wasting hours breaking a password, prefer to get it by asking a technical support employee over the phone.
FORMS OF ATTACK
The forms of attack are very varied and depend on the imagination of the attacker and his interests. In general, Social Engineering attacks act on two levels: the physical and the psychosocial.
The first describes the resources and means through which the attack will be carried out, and the second is the method with which the victim will be deceived.
The forms used on a physical level are:
- Phone attack. It is the most persistent form of Social Engineering. In this, the perpetrator makes a phone call to the victim posing as someone else, such as a support technician or an employee of the same organization. It is a very effective mode, since facial expressions are not revealed and all that is required is a phone.
- Internet attack. Since the Internet became one of the most important means of communication, the variety of network attacks has increased as well as the large number of services that exist on it. The most common attacks are via email (obtaining information through phishing or infecting the victim's computer with malware), web (making the target person fill out a fake form) or even chatting with specific people in chat rooms, messaging services or forums.
- Dumpster Diving or Trashing (diving into the trash). It consists of looking for relevant information in the trash, such as: telephone books, organizational charts, work schedules, storage units (CD's, USB's, etc.), among many other things.
- Attack via SMS . Attack that takes advantage of cell phone applications. The intruder sends an SMS message to the victim making them believe that the message is part of a promotion or a service, then if the person responds to it they may reveal personal information, become a victim of theft or set off a more elaborate scam.
- Attack via postal mail. One of the attacks in which the victim feels more secure, mainly due to the reliability of postal mail. The perpetrator sends fake mail to the victim, taking as a pattern some magazine subscription, discount coupons, etc. Once he designs the proposal to make it attractive, it is sent to the victim, who if all goes well, will reply to the attacker's post office box with all her data.
- Face to face attack. The most efficient method, but at the same time the most difficult to perform. The perpetrator requires great social skills and extensive knowledge to be able to adequately handle any situation that comes his way. The most susceptible people are usually the most "innocent", so it is not a great challenge for the attacker to fulfill his objective if he chooses his victim well.
On the other hand, there are psychological and social environments that can influence whether a social engineering attack is successful. Some of them are:
- “Familiarity exploit”. Tactic in which the attacker takes advantage of the trust that people have in his friends and family, posing as any of them. A clear example of this occurs when an acquaintance arrives at a party with one of his friends. In a normal situation, no one would doubt that this individual could not be trusted. But is someone we have never dealt with trustworthy?
- Create a hostile situation. Human beings always try to get away from those who seem to be crazy or angry, or in any case, get out of their way as soon as possible. Creating a hostile situation just before a checkpoint where there are guards causes enough stress not to check the intruder or answer his questions.
- Get a job in the same place. When the reward warrants it, being close to the victim can be a good strategy to obtain all the necessary information. Many small and medium-sized businesses do not conduct a thorough background check on a new applicant, so getting a job where the victim works can be easy.
- Read body language. An experienced social engineer can use and respond to body language. Body language can generate, with small details, a better connection with the other person. Breathing simultaneously, returning smiles, and being friendly, are some of the most effective actions. If the victim seems nervous, it is good to reassure her. If she is comforted, attack!
- Exploit sexuality. Almost infallible technique. Women who play with the sexual desires of men have a great capacity for manipulation since the man lowers his defenses and perception. It probably sounds amazing, but it's leveraging biology to your advantage.
HOW TO DEFEND SOCIAL ENGINEERING?
The best way to deal with the problem is to make people aware of it. Educate them about safety and encourage the adoption of preventive measures. Other suggested mechanisms are:
- Never disclose sensitive information with strangers or in public places (such as social networks, advertisements, web pages, etc.).
- If you suspect that someone is trying to deceive you, you must demand that they identify themselves and try to reverse the situation by trying to obtain as much information as possible from the suspect.
- Implement a set of security policies in the organization that minimize risk actions.
- Carry out physical security controls to reduce the inherent danger to people.
- Routinely perform audits and pen tests using Social Engineering to detect security holes of this nature.
- Carry out information security awareness programs.
Information security should not only be understood as a set of technical and physical elements but as a cultural process of people and organizations. If the user is the weakest link, there must be controls that help reduce the risk that he may represent.
Kevin Mitnick, the world's most renowned hacker, and social engineering expert, concludes: "You can spend a fortune on technology and services...and still, your network infrastructure could be vulnerable to the oldest form of manipulation."