Social engineering is a human threat vector from a cybersecurity point of view. It is the criminal practice of exploiting human nature, rather than a technical weakness, to gain unauthorized access to people's trust, digital systems, data and other assets. We cannot talk about this threat enough; it is often the most neglected and the most exploited of all attack paths. This brief article will cover the following sub-headings:
- meaning of social engineering
- facts about it
- human cognition often exploited by it
- broad types of social engineering
- common tools of it
- anatomy of social engineering
- countermeasures against it
Facts about social engineering
- It is built on manipulation, regardless of the type.
- It is considered the path of least resistance for cyberattacks.
- A high proportion of successful security attacks have started with, or involved, a social engineering method.
- People should be a critical part of the firewall: a human firewall, if you don't mind.
- Awareness of it must be prioritized.
Human cognition often exploited
In the context of this piece, human cognition means the mental process of understanding and reacting to unfolding events. Attackers have long recognised that the traits below raise their chances of success, so they rely on them heavily. See the highlights below.
Authority – people usually respect and obey authority.
Trust – it is natural for most people to trust, especially someone who appears to hold authority.
Responsiveness – a responsible person wants to respond promptly to events.
Fear – people fear getting into trouble or being found wanting.
Urgency – an urgent reaction is natural, especially under duress, and it leaves little time to verify.
Threat – people want to avoid threatening events that disturb their peace.
Reward – being rewarded is enticing and enriching.
Curiosity – the inquisitiveness and excitement of facing and closing out a challenge.
Ignorance – a liability to the holder and an opportunity to the exploiter.
Priority – people choose what to prioritize at any given time, and anything marked important jumps the queue.
Types of social engineering
- Phishing: email-based social engineering. Its variants include:
  - Spear phishing – targeting a specific person or category of persons.
  - Whaling – targeting executives, wealthy individuals and public personalities.
- Smishing: this type uses SMS text messages to attack.
- Vishing: this one is voice/phone based.
- Watering hole: compromises a website or social media venue that the targets are known to visit, so the attack comes to them.
Physical types of social engineering
- Shoulder surfing: covertly watching someone's screen, keypad or paperwork.
- Piggybacking or tailgating: following an authorized person through a controlled entry or exit to bypass the access protocol.
- Dumpster diving: searching waste sites or bins for confidential data.
- Baiting: uses an infected USB drive or a similar "gift" to entice the victim and deliver the attack.
Other types, known as synthetic content
Synthetic content types of social engineering include:
- Disinformation: intentional spread of false and misleading information.
- Shallow fake: alteration of genuine media content (cropping, slowing down, re-captioning) to misrepresent facts.
- Deep fake: uses artificial intelligence to generate and spread deceptive audio, video or images.
Common tools of social engineering
- Cloned or fake website
- Fake social media profile
- Spoofing toolkits (caller ID, sender address, display name)
- Clothing and apparel (uniforms, badges)
- Appeal/charisma
- Phishing toolkits
- Audio recorder
- Infected USB drive
- Spy cameras
- Romance (relationship building)
Anatomy of social engineering attack
Establish objective – from the outset, social engineering attackers set out what they want to achieve.
Determine target – they establish who should be targeted; the perceived success rate often drives this choice.
Do reconnaissance – background investigation is carried out to gain insight into the routine behaviour of the targets.
Develop tools – the necessary toolkits are built (cloned sites, spoofed sender addresses, pretext scripts).
Mobilize resources – other resources needed to accomplish the attack are mobilized.
Launch attack – at this stage the attack is launched, sometimes on a small scale first.
Evaluate success rate – the rate of success is gauged.
Revise/modify – if necessary, modifications are applied to increase the success rate.
Relaunch attack – and keep modifying as needed.
Reap results – the outcome may be positive or negative for the attacker.
Countermeasures against social engineering
Technical: enforced policy, firewalls and mail/web filtering, strong (multi-factor) authentication, and alerting on suspicious messages.
Non-technical: training, awareness, and phishing simulations.
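As an added example (not code from the original article), the following Python script shows what the "alerting" countermeasure can look like in practice: it scores an inbound email against the indicators discussed above, i.e. urgency language, a display name that claims the brand while the address does not, a Reply-To that diverts answers elsewhere, links to raw IP addresses, and look-alike sender or link domains. The protected organisation's domain is assumed to be example.com, and both sample messages are constructed for the demonstration; the registered-domain logic is a deliberate simplification (a production filter would use the Public Suffix List).

```python
"""Heuristic phishing indicator scoring for inbound mail (illustrative, not a product)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organisation being protected owns example.com.
TRUSTED_DOMAINS = {"example.com"}
# Words a sender might put in the display name to claim the brand.
BRAND_WORDS = ("example", "it support", "helpdesk", "payroll")
# Phrases that exploit the urgency / fear / threat traits discussed above.
URGENCY_TERMS = ("immediately", "urgent", "within 24 hours",
                 "will be suspended", "verify now", "final notice")
URL_RE = re.compile(r"https?://([^\s/<>\"']+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def normalize_label(text: str) -> str:
    """Collapse common look-alike substitutions so exarnple, examp1e and example-secure
    all reduce to a string containing 'example'."""
    s = text.lower()
    for a, b in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        s = s.replace(a, b)
    return re.sub(r"[^a-z]", "", s)


def registered_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Real code should use the Public Suffix List."""
    host = host.lower().rstrip(".").split(":")[0]
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def is_lookalike(host: str) -> bool:
    """True if the host impersonates a trusted domain without actually being one."""
    if registered_domain(host) in TRUSTED_DOMAINS:
        return False
    flat = normalize_label(host)
    return any(normalize_label(t.split(".")[0]) in flat for t in TRUSTED_DOMAINS)


def score_message(raw: str) -> dict:
    """Return the list of indicators found in one RFC 822 message and a verdict."""
    msg = message_from_string(raw)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if from_domain and is_lookalike(from_domain):
        findings.append(f"look-alike sender domain {from_domain}")
    if display and any(w in display.lower() for w in BRAND_WORDS) \
            and registered_domain(from_domain) not in TRUSTED_DOMAINS:
        findings.append(f"display name '{display}' claims the brand but address is {addr}")

    _, reply = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply and registered_domain(reply.rsplit("@", 1)[-1]) != registered_domain(from_domain):
        findings.append(f"Reply-To diverts answers to {reply}")

    if msg.is_multipart():
        body = "\n".join(p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
                         for p in msg.walk() if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    for host in URL_RE.findall(body):
        if IPV4_RE.fullmatch(host.split(":")[0]):
            findings.append(f"link to raw IP address {host}")
        elif is_lookalike(host):
            findings.append(f"link to look-alike domain {host}")

    return {"score": len(findings), "findings": findings,
            "verdict": "suspicious" if len(findings) >= 2 else "ok"}


# Constructed sample messages (not real mail). 203.0.113.9 is a documentation address.
PHISH = """\
From: "Example IT Support" <helpdesk@exarnple-secure.net>
Reply-To: recovery@mail-verify.co
To: alice@example.com
Subject: URGENT: your mailbox will be suspended within 24 hours
Content-Type: text/plain

Dear Alice,
We detected unusual sign-in activity. Verify now at
http://login.exarnple-secure.net/reset or http://203.0.113.9/reset
or your account will be suspended.
"""

LEGIT = """\
From: "Example Payroll" <payroll@example.com>
To: alice@example.com
Subject: March payslip available
Content-Type: text/plain

Hi Alice,
Your March payslip is now available at https://hr.example.com/payslips.
Regards, Payroll
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        result = score_message(sample)
        print(name, result["verdict"], result["score"])
        for f in result["findings"]:
            print("  -", f)
```

Run as-is, the constructed phishing message scores six indicators and is marked suspicious, while the legitimate payroll notice scores none. The point of the example is the layering: no single heuristic is conclusive (an internal HR mail can legitimately say "immediately"), so the verdict only fires when several independent manipulation cues coincide, which is exactly the combination the attack anatomy above relies on.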
Social engineering is one of the most damaging cyber threats of modern times. It can stand alone, or be the entry path to many other cybersecurity incidents. What is more, cyber criminals find it handy, reliable, and result-oriented, because it exploits human nature rather than software. Awareness and knowledge are key to avoid falling victim and compromising your personally identifiable data or that of your organization.