How to steer clear of social engineering scams

By : Krishna Anindyo | Tuesday, February 18 2020 - 21:06 IWST

From video games to government (Images by Pinterest-avante.biz)
From video games to government (Images by Pinterest-avante.biz)

INDUSTRY.co.id - Technology can do lots of things better than humans can - playing chess, working a factory floor and soon supposedly driving our cars and trucks is just the start of a very long list. But technology, at least so far, can’t trump the human when it comes to protection against cyber attacks.

Bad guys know it - they know that if they can trick, seduce, or scare a human into clicking on a malicious link or giving up personal or corporate credentials, it’s game over - in their favour.

Which is why social engineering is rampant. All you have to do to understand why is watch some videos of the Capture the Flag contest in the Social Engineering Village at DEF CON in Las Vegas every August. The relative ease with which contestants get people to hand over sensitive, proprietary information to callers they’ve never met and don’t know can be funny, but also frightening.

That’s because it doesn’t happen only in contests. It keeps happening in the real world, even though the damage is always painful and sometimes catastrophic.

Phishing, The most common type of social engineering attack is phishing - an email purportedly from a trusted source, designed to manipulate the recipient into revealing sensitive information, clicking a malicious link, or opening a malicious file.

Three high-profile ransomware attacks against three cities in Florida this past summer were all enabled by an employee responding to a phishing email.

The 2019 Verizon Data Breach Incident Report found that phishing was the top cause of data breaches, at 32%, and was a factor in 50% of security incidents last year. Security firm FireEye, in its Q1’19 Email Threat Report, found that phishing attacks rose 17% in the first quarter of this year.

That, of course, is because it works. As Christopher Hadnagy, founder, CEO, and chief human hacker at Social-Engineer, put it,

“Phishing is the easiest because it has the lowest cost and the potential is huge.”

An ominous trend Verizon noted is that phishing attacks are increasingly aimed at C-level executives. These targets tend to be busy and under too much pressure to be wary of any single email within the ongoing flood they receive. They also have approval authority and virtually limitless access privileges.

Vishing, smishing, and gaming, oh my!
But phishing is not the only type of social engineering attack. There’s vishing, or phishing by phone - which is what the contestants at DEF CON do. There’s smishing, in which an attacker tries to get a victim to give up private information via a text or SMS message.

Can social engineering training prevent attacks?
All this raises the obvious question: What are the best ways to help people spot, resist, and report those attacks?

Well, it ain’t easy. If it were, the problem would have been solved long ago. Many very well crafted security awareness programs have been in place for decades. Every major security conference in existence features multiple presentations on how to prevent social engineering attacks.

The reality is that it’s hard. So hard that Travis Biehn, technical strategist at Synopsys, contends that social engineering awareness training has “negligible effects.”

“The only thing that seems to make a difference is constant training - and even then attackers eventually find a weak link,” he said.

Chris Clark, business development manager, senior staff, at Synopsys, said some examples of technology help include

“security capabilities capable of catching these attacks - smart email filters, regional blocking, reactive firewalls paired with content filtering. Attackers are always scooting around, so make sure you have a good mousetrap.”

 

News Comment

Today's Industry

World Bank Group (Images by ITU)

Kamis, 05 Maret 2020 - 07:23 WIB

World Bank Group Announces Up to $12 Billion Immediate Support for Covid-19 Country Response

As Covid-19 reaches more than 60 countries, the World Bank Group is making available an initial package of up to $12 billion in immediate support to assist countries coping with the health and…

Association of International Certified Professional Accountants (Images by Irish Times Executive Jobs)

Rabu, 26 Februari 2020 - 12:48 WIB

Global Accounting Leaders Call on Profession to Help Address Climate Change

As part of The Prince’s Accounting for Sustainability Project (A4S) Accounting Bodies Network, which collectively represents over 2.5 million accountants and students worldwide, 14 major accounting…

Check Point Software Technologies (Images by Acclaim)

Rabu, 26 Februari 2020 - 12:21 WIB

Check Point Software Technologies Recognised as a Microsoft Security Partner Award Winner

At the inaugural Microsoft Security 20/20 partner awards, held February 23, Microsoft announced award winners in 16 categories that span security integration partners, system integrators and…

HackerOne (Images by Tekno Tempo.co)

Selasa, 25 Februari 2020 - 16:00 WIB

Hacking as a Career Soars in Popularity According to HackerOne’s 2020 Hacker Report

HackerOne, hacker-powered pen-test & bug bounty platform, today announced findings from the 2020 Hacker Report, which reveals that the concept of hacking as a viable career has become a reality,…

Google Play Store (Images by Brands of the World)

Selasa, 25 Februari 2020 - 13:05 WIB

Is the Google Play Store Safe? Not Yet.

Over recent years, there has been a lot of activity on Google’s part to improve the security of its Google Play app store. Why? Because millions of users have inadvertently downloaded thousands…