How to steer clear of social engineering scams
By: Krishna Anindyo | Tuesday, February 18 2020 - 21:06 IWST
From video games to government (Images by Pinterest-avante.biz)
INDUSTRY.co.id - Technology can do lots of things better than humans can - playing chess, working a factory floor and soon supposedly driving our cars and trucks is just the start of a very long list. But technology, at least so far, can’t trump the human when it comes to protection against cyber attacks.
Bad guys know it - they know that if they can trick, seduce, or scare a human into clicking on a malicious link or giving up personal or corporate credentials, it’s game over - in their favour.
Which is why social engineering is rampant. All you have to do to understand why is watch some videos of the Capture the Flag contest in the Social Engineering Village at DEF CON in Las Vegas every August. The relative ease with which contestants get people to hand over sensitive, proprietary information to callers they’ve never met and don’t know can be funny, but also frightening.
That’s because it doesn’t happen only in contests. It keeps happening in the real world, even though the damage is always painful and sometimes catastrophic.
Phishing
The most common type of social engineering attack is phishing - an email purportedly from a trusted source, designed to manipulate the recipient into revealing sensitive information, clicking a malicious link, or opening a malicious file.
Three high-profile ransomware attacks against three cities in Florida this past summer were all enabled by an employee responding to a phishing email.
The 2019 Verizon Data Breach Incident Report found that phishing was the top cause of data breaches, at 32%, and was a factor in 50% of security incidents last year. Security firm FireEye, in its Q1’19 Email Threat Report, found that phishing attacks rose 17% in the first quarter of this year.
That, of course, is because it works. As Christopher Hadnagy, founder, CEO, and chief human hacker at Social-Engineer, put it,
“Phishing is the easiest because it has the lowest cost and the potential is huge.”
An ominous trend Verizon noted is that phishing attacks are increasingly aimed at C-level executives. These targets tend to be busy and under too much pressure to be wary of any single email within the ongoing flood they receive. They also have approval authority and virtually limitless access privileges.
Vishing, smishing, and gaming, oh my!
But phishing is not the only type of social engineering attack. There’s vishing, or phishing by phone - which is what the contestants at DEF CON do. There’s smishing, in which an attacker tries to get a victim to give up private information via a text or SMS message.
Can social engineering training prevent attacks?
All this raises the obvious question: What are the best ways to help people spot, resist, and report those attacks?
Well, it ain’t easy. If it were, the problem would have been solved long ago. Many well-crafted security awareness programs have been in place for decades. Every major security conference in existence features multiple presentations on how to prevent social engineering attacks.
The reality is that it’s hard. So hard that Travis Biehn, technical strategist at Synopsys, contends that social engineering awareness training has “negligible effects.”
“The only thing that seems to make a difference is constant training - and even then attackers eventually find a weak link,” he said.
Chris Clark, business development manager, senior staff, at Synopsys, said examples of technology that can help include
“security capabilities capable of catching these attacks - smart email filters, regional blocking, reactive firewalls paired with content filtering. Attackers are always scooting around, so make sure you have a good mousetrap.”
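To make the "smart email filter" idea concrete, here is an added example (not code from the article or from any vendor it quotes) showing three heuristics such a filter applies to the phishing pattern described above: a display name that claims a trusted brand while the sender domain is a lookalike, a Reply-To that diverts replies to a different domain, and a link whose visible text names one domain while the href points at another. The trusted domain and both sample messages are constructed for the example; the registrable-domain helper is a deliberate simplification (last two labels, no public-suffix list).

```python
"""Phishing heuristics of the kind a "smart email filter" applies.

Constructed example, not code from the article. Every domain is made up.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the organisation's own brand domain(s), used to spot impersonation.
TRUSTED_DOMAINS = {"example-bank.com"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Naive registrable domain: the last two DNS labels (no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def host_of(value):
    """Hostname of a URL or bare domain, lowercased; '' if not URL-like."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def analyze(raw_message):
    """Return a list of heuristic finding codes for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable(sender.rpartition("@")[2])
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]          # "example-bank"
        if sender_domain != trusted:
            # Display name says "Example Bank ..." but the domain is not ours.
            if brand in display_name.lower().replace(" ", "-"):
                findings.append("display_name_brand_mismatch")
            # Sender domain embeds our brand: example-bank-secure.com style.
            if brand in sender_domain:
                findings.append("lookalike_sender_domain")

    # Replies silently routed to a domain other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and registrable(reply_to.rpartition("@")[2]) != sender_domain:
        findings.append("reply_to_domain_mismatch")

    # Visible link text shows one domain while the href goes to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        extractor = _LinkExtractor()
        extractor.feed(body.get_content())
        for href, text in extractor.links:
            shown, actual = host_of(text), host_of(href)
            if shown and "." in shown and registrable(shown) != registrable(actual):
                findings.append("link_text_domain_mismatch")
    return findings


# Constructed sample messages (not real mail).
PHISH = "\n".join([
    "From: Example Bank Support <alerts@example-bank-secure.com>",
    "Reply-To: verify@mail-relay.example",
    "To: victim@corp.example",
    "Subject: Urgent: confirm your account",
    "Content-Type: text/html; charset=utf-8",
    "",
    '<p>Please sign in at <a href="http://example-bank-secure.com/login">'
    "https://example-bank.com/login</a></p>",
])

BENIGN = "\n".join([
    "From: Example Bank <alerts@example-bank.com>",
    "To: customer@corp.example",
    "Subject: Your statement is ready",
    "Content-Type: text/html; charset=utf-8",
    "",
    '<p>See <a href="https://example-bank.com/statements">Click here</a></p>',
])

if __name__ == "__main__":
    print("phish :", analyze(PHISH))
    print("benign:", analyze(BENIGN))
```

Each finding is a signal rather than a verdict; a production filter would weight them alongside SPF/DKIM/DMARC results and sender reputation, and would route high-scoring mail to quarantine or flag it for the recipient rather than silently dropping it.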