What is Social engineering?
Social engineering means that an attacker tries to manipulate people into disclosing confidential information or doing things that they should not do. The attacker exploits a number of psychosocial qualities that we all share. I will give you some examples of these qualities:
- Authority
From a young age, we learn to respect people with power and authority. This starts with our parents and teachers, and continues with our manager at work. We are conditioned to respect individuals with power and authority, not to mention people in uniform. If we feel that an individual has a position of authority, we are likely to do what they say.
- Helpfulness and trust
We humans tend to follow the crowd rather than act on our own convictions. This also means that it is in our nature to trust our surroundings and help others. Trust and helpfulness have historically been important to our survival, but they are also factors that can easily be exploited by an attacker.
- Lack of responsibility
This social phenomenon implies that our capacity to act is reduced when we are surrounded by other people. This is primarily due to two factors: we do not feel responsible for situations that arise when others are present, and we look to other people for guidance in uncertain situations. If no one else does anything, we assume that nothing needs to be done.
A clever attacker is very good at exploiting these qualities using social codes and knowledge of human behaviour to make you do things that you should not.
What does an attacker do?
An attacker who exploits employees using Social engineering is limited only by their own creativity. The attacker might, for example, follow a person with a valid entry card into company buildings. Attacks can also be carried out from a distance over the phone, by SMS or by e-mail. I will give you an example of a relatively clever attack:
The women were attentive and well-dressed, and their business proposals were very interesting. After the meeting, business cards and courtesies were exchanged. What no one at the company realised was that the visitors had left a USB stick on the floor in the conference room. It said “Salary statistics 2016” on the stick, which prompted a curious employee to pick it up and plug it into their computer to have a look. Then and there, the intrusion was complete.
How should you as an individual react?
As an individual, you need to trust your intuition. The way I normally put it is that you need to have a healthy degree of suspicion. If someone calls and tells you they are a colleague, but you are not sure they are, you should ask some control questions or ask if you can call them back when you have found out more.
Make a habit of being careful with the information you give out. Do not answer unusual questions from people you do not know via telephone, e-mail or chat, or when the method of communication differs from the usual one. You also need to be careful about disclosing information about yourself and your employer on social media. Such information can easily be used against you and your colleagues.
What can companies do to make their employees more security aware?
I advise companies to regularly review their information security procedures and to work on increasing their employees' security awareness. Many companies do not know how security-conscious their employees are, or what steps need to be taken to change employee behaviour and ensure a good security culture.
Combitech is a leader within Cyber Security and can offer support in measuring how security-conscious employees are and how this consciousness differs in different countries or departments, as well as assessing what actions need to be taken. We can also contribute through training and fictitious Social engineering scenarios to see whether a real attacker would be able to gain access to confidential information about your company and customers.
What trends do you see within this area?
One factor that has contributed to Social engineering becoming more and more common is the development and use of the black market online. Fraudsters, companies and industry spies from all around the world can now exchange information and collaborate anonymously.
There is now an established digital world market for stolen business information where it can be bought and sold anonymously. In this world market, different groups specialise in certain areas – e.g. stealing information from banks in the Nordic region, the pharmaceuticals industry or high-tech companies.
Combitech is a Nordic technical consultancy company combining technology, environment and security. The company, which is an independent company within the defence and security group Saab AB, has around 1470 employees in 20 locations across Sweden, as well as offices in Norway and Finland. For more information, please visit www.combitech.se