The Importance of Social Engineering


Social engineering is essentially the art of exploiting human nature in order to access something you shouldn’t. Most people are familiar with the concept of hackers breaking into systems and stealing data using technology and technical vulnerabilities, but social engineering is a way of using human vulnerabilities to achieve the same result.

A technical vulnerability is more black and white than a human one. Computers are binary: a flaw in the code is either there or it isn't. The only grey area is a vulnerability that hasn't been discovered yet, and that grey area exists because humans do the discovering. Human vulnerabilities are different. Technical controls can limit the damage, but they cannot stop a person from being talked into helping an attacker. The strongest password in the world makes no difference if you are going to give it away.

It sounds ominous but it’s not all doom and gloom. Security is like an onion - it’s all about layers. The more layers, the harder it is for an attacker to get through. No system is ever 100% impenetrable but there are things we can do to add as many layers as possible, and this is the approach we take to help prevent social engineering.

“Security is all about layers”


The Defense

In business as well as in our personal lives, two good starting points for reducing the human vulnerabilities in our systems are training/awareness and policies/processes.


Making sure you and your employees are aware of and recognise the common signs of an attack is a great first step. Look for things like:

  • Urgency - An attacker will often make you feel you have to act now; this leaves you less time to think about what is actually going on

  • Impersonation - An attacker will often pretend to be someone else (a colleague, a supplier, or the victim themselves) in order to do things or obtain information they otherwise couldn't

  • Authority - Often used together with impersonation. An attacker who claims to be a senior person or an official gets fewer questions asked

  • Prizes - The classic Nigerian prince scam. If someone is offering you free money, or a deal sounds too good to be true, it probably is


Training yourself and your employees on how an attack could happen helps them recognise when they are being attacked, and know what to do when it happens. Most attack vectors fall into three main categories:

  • Over the phone - An attacker might call up and use impersonation and authority to get access to information/services

  • In the office/in person - An attacker might pretend to be someone else so they can get access to the building; then they could steal something or infect your computers with malware

  • Online - This can be anything from a phishing email to a scam website or a fake social media account. The obvious examples are the scam call from the "Microsoft help desk" or the email from a Nigerian prince. Unfortunately attacks aren't always this easy to spot, so it helps to know how attackers use urgency, impersonation, authority and prizes. Let's look at a phishing email as an example:

  • Spelling and grammar mistakes - Genuine businesses usually proofread what they send; sloppy or oddly phrased text is a common sign

  • Suspicious links or emails - An attacker will often try to impersonate a genuine person or business, including people of authority. Always check to make sure links and the sender’s email match up to who they claim to be. Emails and links can often look similar to genuine ones, so be sure to check carefully

  • Time limits - The email might have an expiry date, or ask you to reply by a certain time

  • Rewards - They will often talk about some sort of prize or money

  • Suspicious attachments - Be careful opening an attachment from anyone you don’t know or trust
    (Reference https://www.itgovernance.co.uk/blog/5-ways-to-detect-a-phishing-email )
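The checks in the list above are mechanical enough to write down. The script below is an added example (it is not First AML's code or tooling) that scores a raw email against those same signs: a display name that claims a brand whose real domain differs from the sending address, links whose domain does not match the claimed sender (including the lookalike trick of burying a real domain name inside a longer hostname), urgency and reward wording, and risky attachment types. The brand list, the keyword lists and both sample messages are assumptions constructed for the example; the "last two DNS labels" rule for the registrable domain is a deliberate simplification, noted in the code.

```python
"""Phishing-indicator scorer for the signs listed above.

Added example, not First AML's code. It is a teaching aid for the indicators
(impersonation, lookalike links, urgency, rewards, risky attachments), not a
production mail filter.
"""
import re
from email import policy, utils, message_from_string
from urllib.parse import urlparse

# Assumption for this example: the brands you expect mail from and their real
# domains. In practice this comes from your own supplier/bank inventory.
TRUSTED_BRANDS = {"acme bank": "acme-bank.com"}

URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "act now", "expires")
REWARD_WORDS = ("won", "prize", "reward", "free money", "winner")
RISKY_ATTACHMENT_EXTS = (".exe", ".scr", ".js", ".vbs", ".lnk", ".iso", ".docm", ".xlsm", ".zip")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: "Acme Bank Security" <alerts@acme-bank-secure.com>
To: jane@example.com
Subject: URGENT: verify your account within 24 hours
Content-Type: text/plain; charset="utf-8"

Dear customer,

We detected unusal activity. Your account will be suspended unless you
verify your details within 24 hours at https://acme-bank.com.login-verify.net/secure
You have also won a $500 reward for being a loyal customer.
"""

SAMPLE_BENIGN = """\
From: "Acme Bank Security" <alerts@acme-bank.com>
To: jane@example.com
Subject: Your monthly statement is ready
Content-Type: text/plain; charset="utf-8"

Hello Jane,

Your statement is available at https://www.acme-bank.com/statements
"""


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two DNS labels.

    Simplification for the example: real code should use the Public Suffix List
    (e.g. the tldextract package) so that 'bank.co.uk' is not reduced to 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _contains_word(text: str, phrase: str) -> bool:
    """Whole-word match so 'won' does not fire on 'wonderful'."""
    return re.search(r"\b" + re.escape(phrase) + r"\b", text) is not None


def analyse_message(raw: str) -> dict:
    """Return {"findings": [...], "suspicious": bool} for a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Impersonation/authority: the display name claims a trusted brand but
    #    the address used is not on that brand's domain.
    display_name, addr = utils.parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    claimed_domain = next(
        (d for brand, d in TRUSTED_BRANDS.items() if brand in display_name.lower()), None
    )
    if claimed_domain and sender_domain != claimed_domain:
        findings.append(f"impersonation: display name {display_name!r} but sender domain is {sender_domain}")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    haystack = (msg.get("Subject", "") + "\n" + text).lower()

    # 2. Suspicious links: links should land on the domain the sender claims to
    #    be. A trusted name buried inside a longer hostname is the classic
    #    lookalike (acme-bank.com.login-verify.net really belongs to login-verify.net).
    expected_domain = claimed_domain or sender_domain
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        link_domain = registrable_domain(host)
        if any(d in host and link_domain != d for d in TRUSTED_BRANDS.values()):
            findings.append(f"lookalike link: {url} really belongs to {link_domain}")
        elif expected_domain and link_domain != expected_domain:
            findings.append(f"link domain mismatch: {url} vs expected {expected_domain}")

    # 3. Urgency / time limits and 4. rewards.
    urgency = [w for w in URGENCY_WORDS if _contains_word(haystack, w)]
    if urgency:
        findings.append(f"urgency cues: {', '.join(urgency)}")
    rewards = [w for w in REWARD_WORDS if _contains_word(haystack, w)]
    if rewards:
        findings.append(f"reward cues: {', '.join(rewards)}")

    # 5. Risky attachments, judged by filename extension.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_ATTACHMENT_EXTS):
            findings.append(f"risky attachment: {name}")

    # Two or more independent indicators is a reasonable "stop and verify" bar.
    return {"findings": findings, "suspicious": len(findings) >= 2}


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, analyse_message(sample))
```

Run it as-is and the constructed phishing sample trips four of the five indicators while the benign statement notice trips none. The point of the brand table is the same one the bullet makes in prose: you can only spot a mismatch if you know in advance which domain the genuine sender actually uses.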

Policies/processes are the next line of defense

They make sure that, even when a situation looks genuine, you still check that it is. Processes and policies will be unique to each business and situation, but some common ones are:

Verifying identities:

  • Verify people/customers before giving them information or completing their request e.g. customers who call asking for their information, or when a manager asks an employee to transfer some money.

  • Verify a business's identity before giving out your or your business's information e.g. if your "bank" calls or emails asking for personal information or a password, don't give it out; hang up and call them back on a number you already have (from your card or their website, not from the message) to make sure it's really them.

Authority:

  • Ensuring no-one can take security shortcuts no matter who they are or how senior their position is.

Online/office/phone:

  • Ensuring the same rules/standards apply whether you are dealing with someone face-to-face, over the phone or online


Knowing all this is one thing, but what's the best way to actively keep on top of it? There's no golden solution, but these are a few things we do here at First AML:

  • Keep security in the minds of staff. For example, at regular company meetings reserve time to talk about security. This can also double as training/education.

  • Encourage a culture where people feel they can speak up and have conversations about security. People will point out areas that can be improved without improvements always having to be sought out.

  • Simulate attacks and identify the areas that need the most improvement. This could be pretend phishing emails, scam calls or testing physical building security. You can even hire companies that do this for you.

Finally, it is as important as ever to maintain technical security controls and processes. Two-factor authentication, network security, workplace security, password managers (the list goes on!) are all still layers in your onion that protect you and your business, and they limit what an attacker gains when someone is eventually fooled.

Learn More about First AMLs security at firstaml.com/security
