One would believe that, in a day of increasing technological improvements in business techniques, the security of those resources is mostly based on technical controls and programming algorithms. While the technical aspect of security is vital, there is one weakness that cannot be addressed through technology. That vulnerability is specific to a particular element that is unavoidably important in any company's day-to-day operations. This vital component is the human employee, who is vulnerable to social engineering attacks, which are decidedly low-tech in character.
In terms of computer and network security, the term "social engineering" has been around since at least 1995. However, in the information security field, social engineering is defined as "the activity of using psychological tactics to persuade someone to give up what they would not otherwise give up." The basic methods of persuasion used, regardless of the specific attack method, are "impersonation, ingratiation, conformity, diffusion of responsibility, and plain old friendliness...the main objective is to persuade the person disclosing the information that the social engineer is in fact a person they can trust." Dumpster diving sifting through abandoned files for sensitive information is an additional supplement to the information-gathering process and building of a believable background prior to pretexting. In network infiltration and cyber theft, social engineering has a significant and long-lasting impact. This isn't to argue that it's a must-have job; a cracker may theoretically breach a system without requiring any human interaction by exploiting technological flaws. Because of the continual vulnerability that any system has and will continue to have its users and administrators the importance of the role it performs is significant. People will always have to be regarded one of the links in the security chain because they are involved in the management and use of any computer network. For the simple reason that people are easy to manipulate, this link is and will remain the weakest. Emotions frequently take precedence over any commitment to reasoning that we may have. Computers, which are built on pure, plain logic, do not have a psychological dimension. Because of our psychological flaws and demands, as well as our defective memory and erratic attention span, we are extremely prone to deception and emotional manipulation. They play on most people's wants for validation, affection, and recognition while also exploiting our innate desire to help others, particularly those with whom we share some type of affiliation. These are all flaws that a computer that is founded on uncompromising logic is immune to.
Social engineering attacks can be carried out with little specialized expertise on the side of the attacker because they are independent of the technological controls in the systems employed. To steal important information through a discussion with an employee, you don't need any computer programming knowledge or a deep understanding of the underlying network topology. Anyone can assume the mantle of social engineer if they have enough of a backstory to appear credible, a strong sense of timing, and a rudimentary grasp of the power names and common internal language. As long as people are involved in any capacity, organizations will be vulnerable to social engineering attacks for the foreseeable future, regardless of how complex our technology systems grow. This is evident in depictions of a technologically hyper-advanced future society in science fiction films and television shows.
An attempt to physically break into a house or business to steal money, equipment, or sensitive information carries a huge risk. It's very likely that you'll be caught in the act or that you'll leave a trail of DNA, fingerprints, shoe prints, hair and garment particles, or security camera film to prove your presence. To reduce the chance of being caught or identified, a significant amount of effort and planning is required. For the criminal who uses a computer to assault the target's digital information and resources, this amount of preparation is not required. For an amateur cracker, hiding one's IP address and utilizing other methods to hide digital tracks is child's play. Open-source software that can attack tens of thousands of targets is available for free. In comparison to a physical crime, the attacker's relative anonymity is high, and the attack requires less time and resources.
Illegal activities involving the internet and digital connectivity, or attempts at criminal acts involving the internet and digital connection, will continue to rise as the target of opportunity grows. Because of the growing shift to digital records and transactions, as well as the sharing of personal information online, this target will become increasingly appealing to individuals looking to blackmail, extort, impersonate, and steal from others.
Cybercrime is a serious problem that should not be overlooked. Because of the personal nature of the information compromised or monies taken, it may appear to be the most catastrophic to the individual computer user. Organizations, on the other hand, stand to lose a lot, and the damage done to them in terms of money, reputation, and missed time can be considerably more damaging in the long run due to the large number of individuals affected employees and consumers alike. A successful network intrusion can result in astronomical financial costs. The amount of money seized by the attackers isn't the only factor that goes into calculating the financial loss to an organization. It contains a calculation of the amount of money lost as a result of online resources becoming unavailable in the event of a denial-of-service attack, as well as the cost of recovering erased data in the event of a malicious attack including data destruction. A data breach, such as the one that occurred at Target in 2013, exposing over 40 million credit and debit card records as well as the names, addresses, and phone numbers of over 70 million customers, is a major blow to the company's reputation. Customers who lose faith in a company are less inclined to trust it with sensitive information needed for commercial transactions, which results in lost revenue. This is likely to have a detrimental influence on their commitment to the organization and lead to lower production, resulting in a business downturn. Employee dissatisfaction leads to increased turnover and emigration to competitors, prolonging the downward trend for the company that failed to secure its data. Though an organization's vulnerability to social engineering assaults will never be completely eliminated, there are various preventative measures and solutions that can be implemented. Because of the human factor, simply adding more technological permission procedures is insufficient. As long as we rely on people to run businesses, social engineering will continue to pose a threat to network security. As much as we'd want to believe that we can patch any rip, plug every hole, and close every loophole in the way we safeguard ourselves and our data, we can't entirely eliminate this vulnerability.
Hunting and farming are the two categories in which a social engineering attack may be categorized:
1. Hunting - This method aims to carry out the social engineering operation with the least amount of engagement with the target. Communication is likely to be ended once the desired goal is met and the security breach is discovered. This is the most common way for supporting cyber-attacks, and it usually only includes a single contact.
2. Farming - Although social engineering farming is not commonly employed, it might be useful in some situations. The attacker wants to build a bond with the victim so that he or she may extract information for a longer length of time. The contact might evolve over the process, the target may discover the truth, and the social engineer may try to bribe or blackmail the target, reverting to typical criminal behaviour.
Social engineering operations can vary from a single encounter to a series of operations, sometimes including numerous threat actors, aimed at gathering bits of relevant information from various sources in order to achieve a certain goal. Even though the attack is based on a single encounter, it usually follows a four-step process: research, hook, play, and exit.
1. Research -The operation usually starts with a reconnaissance phase, in which the team studies and gathers as much information as possible about the target's personnel and business strategy. Rather of launching a focused attack, a skilled social engineer can take advantage of fortuitous interactions, resulting in new chances with no prior research.
2. Hook - The threat actor initiates communication with the potential victim at this phase. He engages the target, tells a tale, establishes closeness, and takes command of the engagement.
3. Play - The game's goal is to achieve the attack's goal, which might be to extract data or alter the target in order to breach the system.
4. Exit - Finally, the victim's relationship with the social engineer is completed, ideally without generating suspicions. The attacker is usually quite tough to track down after this last stage.
Attack Spiral Model
This model shows that as the process progresses, the risks to the target and threat actor rise, despite the fact that they are present throughout the whole operation. As a result, the attack's complexity increases. As a result, social engineers frequently consider risk assessment at every stage.
Social engineering assaults occur in a variety of shapes and sizes, and they may be carried out anyplace there is human interaction. The five most popular types of digital social engineering attacks are listed below:
1. Baiting - Baiting attacks, as the term indicates, employ a false promise to spark a victim's avarice or interest. They trick consumers into falling into a trap in which their personal
information is stolen or their computers are infected with malware. Physical media is used to disseminate malware in the most hated form of baiting. For example, attackers may place the bait usually malware-infected flash drives in settings where potential victims are likely to encounter it. Targets pick up the bait out of curiosity and place it in a work or home computer, causing malware to be installed automatically. Baiting takes place online in the form of appealing advertising that direct viewers to harmful websites or entice them to download a malware-infected application.
2. Scareware - The victims of scareware are assaulted with false alerts and bogus threats. Users are duped into believing their system is infected with malware, encouraging them to install software that has no purpose (other than to profit the offender) or is malware. Deception software, rogue scanning software, and fraudware are all terms used to describe scareware. The legitimate-looking popup ads that show in your browser while you're perusing the web, showing phrases like "Your computer may be infected with nasty spyware applications," are a popular scareware example. It either offers to instal the utility for you (which is frequently malware-infested) or directs you to a malicious website where your PC is infected. Scareware is also spread through spam email, which sends out false warnings or encourages people to acquire useless/harmful services.
3. Pretexting - An attacker gathers information by telling a series of well-constructed falsehoods. A perpetrator may start the scam by professing to need sensitive information from a victim in order to complete an essential assignment. The attacker frequently begins by impersonating coworkers, police, bank and tax authorities, or other people with right-to-know authority in order to gain trust from their victim. The pretexter poses inquiries that are apparently intended to validate the victim's identification, but are really used to obtain sensitive personal information. This fraud collects a variety of sensitive data and records, including social security numbers, personal addresses and phone numbers, phone records, employee vacation dates, bank records, and even security information about a physical plant.
4. Phishing - Phishing scams, which are email and text message campaigns aiming at instilling a sense of urgency, curiosity, or terror in victims, are one of the most common social engineering attack types. It then pressures people into disclosing personal information, visiting fraudulent websites, or opening malware-infected attachments. An email sent to subscribers of an online service informing them of a policy violation that necessitates prompt action on their part, such as a necessary password change, is an example. It contains a link to an illicit website that looks almost identical to the official version and prompts the unwary user to input their current credentials and a new password. The information is delivered to the attacker when the form is submitted. Because phishing attempts send similar or almost similar messages to all users, mail servers with access to threat sharing systems have an easier time identifying and stopping them.
5. Spear phishing - This is a more focused variation of the phishing scam, in which the perpetrator targets specific people or businesses. They then personalise their communications depending on the traits, work titles, and contacts of their victims in order to make their attack less obvious. Spear phishing takes a significant amount of work on the part of the attacker and might take weeks or months to complete. They're significantly more difficult to detect, and if done correctly, they have a higher success rate.
6. Whaling - Another targeted phishing technique is whaling. Rather of targeting the typical user, social engineers aim on higher-value targets like CEOs and CFOs in whaling. Whaling takes its name from the practice of pursuing a company's "big fish."
7. Quid Pro Quo - Quid pro quo (Latin for "something for something") is a sort of social engineering technique in which the attacker seeks to exchange information for services. An attacker may contact the main lines of firms purporting to be from the IT department, hoping to contact someone who was having a technical difficulty as a quid pro quo.
We speak the language of Technology & Internet. We understand how the law interacts with Technology & Internet. Cyber Crime Chambers is a boutique firm specializing in internet laws and digital forensic evidence.
B.A., B.L., (Hons) IPDP., (London)
Pgd IPR., Pgd Cyber Law., Msc., (IT)
CCI., CFA., IPCL.,
Advocate, Madras High Court
Karthikeyan, is a renowned cyber law expert, who is also the Managing Partner of Law Office of Karthikeyan, a reputed law firm based in Chennai.More About Us