A – Z of Cybersecurity

Whether you are an IT expert, use a computer at work or at home, or just use the internet for fun, this article is for you. Cybersecurity is no longer the sole responsibility of security engineers; everyone has a part to play in improving it.
This article explains common cybersecurity terms that even the most basic internet user should know.

 

  1. Adware: Adware, short for advertising software, is unwanted software that floods your device with advertisements and pop-ups. It is most common on computers, but mobile versions exist. Adware is potentially harmful because it sends data about you to its operators without your consent. It is usually installed unknowingly, either through a compromised website or bundled alongside free software. An up-to-date antivirus product and a fully patched browser help stop and prevent it.
  2. Botnet: A botnet, from "robot network", is a collection of bots: compromised devices controlled by a botmaster for purposes such as sending spam or launching a Distributed Denial of Service (DDoS) attack. Any internet-connected device can become part of a botnet once it has been compromised.
  3. Cryptography: Cryptography is the science of protecting information and communications by transforming them so that third parties who are not authorized to read them cannot do so.
  4. Dictionary attack: This is a form of brute-force attack for cracking a password on a computer system or website by systematically trying a large list of words (the "dictionary") as the password, often with common variations such as capitalization or appended digits. It still works because many people still use ordinary dictionary words as passwords.
  5. Encryption: This is the process of encoding data into a form that cannot be read by anyone who is not authorized to access it, or who does not hold the key needed to decrypt it.
  6. Freeware: Freeware is software that you can download, install and use at no cost. Many Linux-based security and hacking tools are free, often with a voluntary option to donate to the developers. One should be wary of freeware from unverified sources, however, as some of it bundles malware or adware.
  7. GDPR: The General Data Protection Regulation standardizes data protection law across the European Union member states. It sets rules for the control and processing of personal data and imposes sanctions on organizations that mishandle it.
  8. Honeypot: In cybersecurity, a honeypot is a decoy system set up to attract attackers. It looks like a real system but is isolated and closely monitored so that attacks against it can be studied and countermeasures developed.
  9. Incident Response: This is an organized, documented, step-by-step approach to addressing and managing a cyberattack. It exists to contain a security breach, limit further damage and loss, and speed up recovery.
  10. JavaScript: JavaScript is a high-level, interpreted programming language and one of the most widely used languages on the web. Anyone who wants to attack or defend a website at a general level needs to understand a little about how it works.
  11. Keylogger: A keylogger is software or a hardware device that records every keystroke typed on a keyboard. It is often delivered as trojan spyware that runs without the victim's knowledge and sends the captured keystrokes to the attacker.
  12. Linux: Linux is one of the most popular operating systems and the most widely used open-source operating system to date. It is the preferred platform for security work and comes in many distributions; a well-known one for hacking and cybersecurity is Kali Linux, which ships with a large collection of security tools.
  13. Malware: Malware is a general term for malicious software, including viruses, trojans, worms, spyware, or any code placed in a system to disrupt its normal operation for criminal purposes.
  14. Nmap: Nmap, short for Network Mapper, is free, open-source software for security scanning of devices and networks. It is the standard tool for host discovery, port scanning and service identification, and its scripting engine can also perform some vulnerability checks.
  15. Open Source: Open-source software is software whose source code is published so that users and other developers can study, change and redistribute it as the licence permits. It is usually developed through public collaboration.
  16. Penetration Testing: This is the practice of running controlled attacks against a network, IT infrastructure, web application or end users to find vulnerabilities that a threat actor could exploit. Penetration testing is also called white-hat or ethical hacking, because it is carried out with authorization by testers that the organization has engaged for that purpose.
  17. Quarantine: Quarantine is the action an antivirus product takes on a file it has detected as malicious or suspicious. The file is moved to an isolated location where it cannot run, but it can be restored if the detection turns out to be a false positive.
  18. Ransomware: Ransomware is malicious software that encrypts a victim's files. This lets the attackers hold the victim to ransom by denying access to the files, or to the whole system, until a ransom is paid.
  19. Social Engineering: This is the technique of eliciting sensitive information from people and/or manipulating them into performing actions that may result in a security breach. Victims of social engineering often do not realize they have been compromised until much later.
  20. Trojan Horse: Usually just called a trojan, this is software disguised as a legitimate or harmless program that in fact runs another, usually malicious, program underneath, capable of disrupting the normal operation of a system, compromising it or spying on it.
  21. Unauthorized access: This refers to illegal access to a resource, be it a website, server, account, data or service. It is what is commonly called hacking.
  22. Vulnerability: A vulnerability is a weakness that can be exploited by an attacker. Examples are weak passwords, protocol or system design flaws, software bugs and misconfigurations.
  23. Worm: Worms are self-propagating, self-replicating malware that do not need to attach themselves to another program in order to spread or cause damage. They use network mechanisms to spread from one system to another.
  24. XSS: This stands for Cross-Site Scripting and refers to a vulnerability in web applications that lets an attacker inject script into pages served to other users. The injected script runs in the victim's browser with the privileges of the site, so it can steal session cookies or perform actions as the victim, bypassing the site's access controls.
  25. You: You are also part of cybersecurity. You and everybody else are responsible for the security of your organization's infrastructure and data. If you are not secure, then your organization is as vulnerable as you are; an organization is only as strong as its weakest link.
  26. Zombie: A zombie, in a cybersecurity context, is a computer that has already been compromised and is being controlled remotely by an attacker to perform malicious activities. Most of the time the owners of these devices are unaware of the compromise. A group of zombies is referred to as a botnet.
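The following added example (not part of the original article) illustrates item 4, the dictionary attack, together with the defence against it. The wordlist and the passwords are constructed for the example; real attacks use large leaked password lists. It shows two things the definition alone does not: how cheap a single pass over the wordlist is when passwords are stored as plain, unsalted SHA-256 (one pass cracks every user at once), and how a per-user random salt with a slow key-derivation function (PBKDF2 here) forces the attacker to repeat the work for each user at a far higher cost per guess.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a real dictionary such as a leaked
# password list (assumption for this example).
WORDLIST = ["password", "letmein", "dragon", "sunshine", "welcome", "monkey"]


def mangle(word):
    """Yield the common variants of a dictionary word that users tend to pick:
    the word itself, capitalised, and with a digit, year or '!' suffix."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "!", "2016"):
        yield word + suffix
        yield word.capitalize() + suffix


def sha256_hex(password):
    """The weak storage scheme under attack: a fast, unsalted hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_attack(target_hex, wordlist, use_rules=True):
    """Try each wordlist entry (and its mangled variants) against one unsalted
    SHA-256 hash. Returns (password, attempts) or (None, attempts)."""
    attempts = 0
    for word in wordlist:
        for candidate in (mangle(word) if use_rules else (word,)):
            attempts += 1
            if hmac.compare_digest(sha256_hex(candidate), target_hex):
                return candidate, attempts
    return None, attempts


def crack_unsalted_batch(user_hashes, wordlist):
    """Without salt, one hash computation per candidate serves every user:
    build the hash->candidate table once and look every target up in it."""
    table = {sha256_hex(c): c for word in wordlist for c in mangle(word)}
    return {user: table[h] for user, h in user_hashes.items() if h in table}


# --- Defender side: per-user random salt + slow key-derivation function ---

def make_record(password, iterations=200_000):
    """Store a password as PBKDF2-HMAC-SHA256(salt, password). Each user gets
    a fresh 16-byte random salt, so no precomputed table applies."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(record, password):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def dictionary_attack_pbkdf2(record, wordlist):
    """Same attack against a salted, slow hash. Each guess now costs
    record['iterations'] PRF calls, and the whole run has to be repeated
    for every user because their salts differ."""
    attempts = 0
    for word in wordlist:
        for candidate in mangle(word):
            attempts += 1
            if verify(record, candidate):
                return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    users = {"alice": sha256_hex("Sunshine123"), "bob": sha256_hex("dragon!"),
             "carol": sha256_hex("correcthorsebatterystaple")}
    print("unsalted, one pass over the wordlist:", crack_unsalted_batch(users, WORDLIST))
    rec = make_record("dragon!")
    print("salted PBKDF2, one user at a time:", dictionary_attack_pbkdf2(rec, WORDLIST))
```

Note that carol's passphrase survives both attacks because it is not in the wordlist at all; the salt and slow hash do not make a weak password strong, they only make each guess expensive and non-reusable across users.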

3 Cutting-Edge Open Source Tools Taking Endpoint Security To The Next Level

The days of simple endpoint security by way of basic antivirus software are over. Signature-based antivirus detects a virus only when that virus's signature is already in its database, and today's malware changes quickly enough that antivirus often cannot detect it in time to sandbox it and limit its effects. Scanning, screening and protecting endpoints against malware has become a complex process, and in reality something that every organisation should consider compulsory. Unfortunately, most antivirus or anti-malware tools available today find only a small fraction of the infections planted by constantly adapting attackers.

 

It is no secret that distributing malware is a growing business, and the malware epidemic shows no signs of slowing. The botnets, crypters (tools that repackage malware to evade signature detection) and zero-day exploits needed to pull off high-level attacks have become easier to create and obtain as tutorials on malware creation and management spread. It is therefore crucial for organizations to adopt stronger security options that do more than traditional antivirus software while retaining its functions.

By using endpoint security platforms, cybersecurity engineers are able to monitor, detect, investigate and mitigate suspicious activities and issues on endpoints while learning about various attack life cycles.

Endpoint security platforms should be built on these basic principles for increased efficiency.

  1. They should do more than protection or prevention: they should have detection and behavioural analysis capabilities so that attacks can be mitigated early.
  2. They should correlate data across the whole environment so that the system as a whole learns and can easily mitigate similar attacks.
  3. They should monitor the endpoints and their activities without interfering with the endpoints' normal workflow.
  4. Good data visualisation should be employed to present results for the benefit of technical and non-technical users alike.

Of course, elements of good endpoint security platforms are not limited to these, but these are the most basic points to look out for when considering endpoint security platforms.

 

These days there are numerous advanced endpoint detection and response (EDR) tools that find, mitigate and block even subtle attacks.

 

In this post, we review three open-source tools that take endpoint security to the next level by proactively monitoring endpoints and looking closely for threats. They examine individual processes on each endpoint, share what is learned and mitigated across the larger ecosystem, and sometimes combine this with the best aspects of network intrusion detection for better coverage. Each of them is open source, which for the end user has the advantage of being free. There are paid endpoint security platforms, but no single product offers absolute security; one has to make compromises and choose what works best for the situation at hand. These open-source tools provide sufficient endpoint security for most situations, especially for SMEs concerned with keeping costs down.

OSSEC:

OSSEC is an open-source host-based intrusion detection system (HIDS) with prevention capabilities. It performs both signature-based and profile (anomaly) analysis, real-time integrity monitoring and tracking of endpoint activity, and can respond to intrusions as they happen. It supports most operating systems, including Windows, Linux and Solaris. OSSEC performs log analysis: it collects, analyses and correlates the logs from the endpoints in question, so you can see what is going on and notice any attack, misuse or anomaly. It also performs file-integrity checking: most attacks on an endpoint change a file or a configuration, so the goal of file-integrity checking is to detect these changes in real time and alert you whenever they happen, however subtle. Windows registry monitoring is also among OSSEC's features and is specific to the Windows operating system. OSSEC detects rootkits, can mitigate related attacks, and provides active response with time-based alerting.

This is a very powerful endpoint detection and response tool that supports both agent-based and agentless monitoring. Its cross-platform architecture lets you monitor multiple systems from a central location.
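As an added example (not OSSEC's own code or rules), the script below shows the kind of log analysis and correlation OSSEC performs, reduced to one detection: an SSH brute-force attempt followed by a successful login from the same source. The log lines are constructed in the syslog format sshd writes; the year is assumed to be 2016 because syslog timestamps omit it, and the thresholds (five failures within sixty seconds) are chosen for the example, not taken from OSSEC's rule set. The active_response function returns the kind of firewall command an active response would run; here it is only returned, never executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines in syslog format (not from a real host).
SAMPLE_LOG = """\
Jul 15 10:00:01 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Jul 15 10:00:02 host1 sshd[2102]: Failed password for invalid user oracle from 203.0.113.5 port 51023 ssh2
Jul 15 10:00:04 host1 sshd[2103]: Failed password for root from 203.0.113.5 port 51024 ssh2
Jul 15 10:00:05 host1 sshd[2104]: Failed password for root from 203.0.113.5 port 51025 ssh2
Jul 15 10:00:06 host1 sshd[2105]: Accepted publickey for alice from 192.0.2.10 port 60001 ssh2
Jul 15 10:00:07 host1 sshd[2106]: Failed password for root from 203.0.113.5 port 51026 ssh2
Jul 15 10:00:09 host1 sshd[2107]: Accepted password for root from 203.0.113.5 port 51027 ssh2
Jul 15 10:05:00 host1 sshd[2200]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Jul 15 10:07:30 host1 sshd[2201]: Failed password for alice from 198.51.100.7 port 40001 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse(line, year=2016):
    """Parse one sshd line into a dict, or None if it is not an auth event.
    syslog has no year field, so one is assumed (2016 for this sample)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(f"{year} {event['ts']}", "%Y %b %d %H:%M:%S")
    return event


def detect(lines, threshold=5, window_seconds=60):
    """Sliding-window correlation per source IP.
    Rule 1: >= threshold failed logins within window_seconds -> brute force.
    Rule 2: a later successful login from an IP that triggered rule 1 ->
            likely compromised credentials (the alert that matters most)."""
    recent_failures = defaultdict(deque)
    brute_forcers = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            window = recent_failures[ip]
            window.append(ts)
            # Drop failures older than the window; the deque is never empty here.
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold and ip not in brute_forcers:
                brute_forcers.add(ip)
                alerts.append({"rule": "ssh_bruteforce", "ip": ip,
                               "failures": len(window), "at": ts})
        elif ip in brute_forcers:
            alerts.append({"rule": "ssh_success_after_bruteforce", "ip": ip,
                           "user": ev["user"], "at": ts})
    return alerts


def active_response(alert):
    """Build (but do not run) the firewall rule an active response would apply
    to the offending source. Illustrative; OSSEC's own scripts differ."""
    return f"iptables -I INPUT -s {alert['ip']} -j DROP"


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert, "->", active_response(alert))
```

On the sample, 203.0.113.5 trips the brute-force rule at the fifth failure and the following successful root login produces the second, higher-priority alert; 198.51.100.7's two failures five minutes apart never fill the window. In a real deployment the per-IP state would be keyed on more than the address (user, destination host) and the threshold tuned to the site's normal failure rate, which is exactly what OSSEC's rule levels and frequency/timeframe settings encode.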

 

Security Onion:

The official catchphrase of Security Onion is “peel back the layers of your network”. Security Onion is a free Linux distribution for intrusion detection, enterprise security monitoring and log management. It bundles many other security tools and ties them together. Because it is a distinct operating system, one might expect it to be difficult to install and work with, but fortunately this is not the case: the installation is straightforward, as is day-to-day use, which makes it a useful tool when you are pressed for time.

Security Onion integrates three core functions; it is able to perform full packet capture, it has network-based and host-based intrusion detection capabilities, and it serves as a powerful analysis tool.

It is able to do all this, and gather enough data, thanks to the security tools it bundles, among them Snort and Suricata, both rule-based network intrusion detection systems. It also works with our very own OSSEC for host-based intrusion detection, and with Sguil and Kibana for analysis and visualisation of the data.

 

Tripwire:

If you want to become more efficient at managing your security infrastructure, Tripwire is another useful tool. It is available both as an open-source version and as a full-fledged Enterprise version. The open-source version is very effective, although the Enterprise version has more features: configuration management, asset discovery, vulnerability management and log collection in addition to file-integrity monitoring, and it supports Windows. The open-source version focuses on file-integrity monitoring and runs only on Linux and Unix systems.

Tripwire monitors Linux systems to detect unauthorised changes to files and directories and alert the administrator. It first creates a baseline of all monitored files, stored in a database signed with a local key so that it cannot be altered undetected, recording for each file its permissions, ownership, timestamps and a cryptographic hash of its contents; the hash lets Tripwire detect content changes without storing the file itself. Subsequent checks are compared against this baseline. Tripwire is useful for discovering intrusions after they have occurred, and also serves policy compliance, integrity assurance and change management.
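Added example (not Tripwire's code): a minimal file-integrity check in the style the paragraph describes. It records permissions, ownership, size, modification time and a SHA-256 hash of each file under a directory, protects the baseline with an HMAC so that an intruder who can edit files cannot also quietly edit the baseline, and then reports added, removed and modified files. The demo builds a small fake /etc tree in a temporary directory (constructed data), then simulates an intruder who appends to passwd, drops a cron job, deletes motd, and edits sshd_config while restoring its timestamp to hide the change; the hash still catches the last one. The HMAC key is a constant here for illustration only; Tripwire keeps its signing key offline behind a passphrase.

```python
import hashlib
import hmac
import json
import os
import stat

# Key protecting the baseline. A constant for the example only; a real
# deployment keeps this off the monitored host (assumption).
BASELINE_KEY = b"example-baseline-key"


def fingerprint(path):
    """Attributes Tripwire-style tools record per file: mode, owner, size,
    mtime and a content hash. Only the hash is kept, never the content."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
            "size": st.st_size, "mtime": int(st.st_mtime), "sha256": h.hexdigest()}


def build_baseline(root):
    """Walk root and fingerprint every regular file (symlinks skipped)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def seal(baseline, key=BASELINE_KEY):
    """Serialize the baseline and HMAC it so tampering is detectable."""
    blob = json.dumps(baseline, sort_keys=True).encode()
    return blob, hmac.new(key, blob, hashlib.sha256).hexdigest()


def unseal(blob, tag, key=BASELINE_KEY):
    """Verify the HMAC before trusting a stored baseline."""
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline has been tampered with")
    return json.loads(blob)


def compare(baseline, current):
    """Report added, removed and modified paths; for modified files list
    which attributes changed, as (old, new) pairs."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for path in sorted(set(baseline) & set(current)):
        changed = {k: (baseline[path][k], current[path][k])
                   for k in baseline[path] if baseline[path][k] != current[path][k]}
        if changed:
            modified[path] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a fake /etc, simulate an intrusion,
    and return the integrity report."""
    import tempfile

    def write(path, text):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(text)

    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        write(os.path.join(etc, "passwd"), "root:x:0:0:root:/root:/bin/bash\n")
        write(os.path.join(etc, "sshd_config"), "PermitRootLogin no\nMaxAuthTries 3\n")
        write(os.path.join(etc, "motd"), "Authorised access only.\n")
        blob, tag = seal(build_baseline(root))

        # Intruder activity.
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("backdoor:x:0:0::/:/bin/bash\n")                 # extra uid-0 account
        write(os.path.join(etc, "cron.d", "backdoor"), "* * * * * root /tmp/.x\n")
        os.remove(os.path.join(etc, "motd"))
        cfg = os.path.join(etc, "sshd_config")
        before = os.stat(cfg)
        write(cfg, "PermitRootLogin no\nMaxAuthTries 9\n")            # same size as before
        os.utime(cfg, ns=(before.st_atime_ns, before.st_mtime_ns))   # timestamp put back

        return compare(unseal(blob, tag), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In the report, etc/sshd_config shows only its hash as changed: size, mode and mtime all match the baseline, which is why a size-and-timestamp check alone is not an integrity check. A real deployment also has to keep the baseline and the checking tool somewhere the intruder cannot reach (read-only media or a separate host) and re-baseline deliberately after legitimate changes, or every patch run becomes a flood of alerts.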

The list of open-source endpoint security platforms is constantly growing. This is critical because cyber-attacks have become a profit-making business and attackers are unrelenting in their efforts to commit cyber-crimes. Thanks to the effort of the creators of open-source tools, attacks can be mitigated and nipped in the bud, and malware can be studied and analyzed to make cybersecurity easier in the future.

 

 Cyraatek is a security consulting outfit that specializes in installation and management of open source and enterprise endpoint security platforms among other services. Contact us today.

 

Fending off the Cyber Risks with Smart Security Solutions

The digital world of today is where the global citizen resides. Every day, everything from shareable to confidential information about individuals is logged in supposedly secure archives and saved for preservation and documentation. While some of this data is accessible to one and all, the rest is not, for good reason, and it is the expressly confidential data that hacking syndicates target. These databanks hold immense amounts of information that, if leaked, can cause an organization to fall apart in a matter of minutes. Luckily, there are companies working to stop that from happening, and quite effectively foiling hacking attempts for small and large concerns across the world.

They do this through a full spectrum of solutions, each of them cogent and effective, that help companies keep their sensitive digital material under lock and key. The top three solutions that cyber security companies offer to that end are:

Compliance Management Solutions: Information is immensely valuable to the right recipient, so it is of paramount importance to keep it secure at all times. Compliance management solutions make sure that your business operates at minimum risk by maximizing security confidence through an array of established, up-to-date methods. Some providers are internationally recognised and work within a practice framework that complies with domestic and international rules.

Cyber Security Awareness Training: Security awareness training is another effective way for companies to nip threats in the bud. Businesses fall prey to attacks because their employees are not equipped to recognise and handle a problem when it first appears. The way to tackle this is to train employees to handle a possible security breach themselves. Companies offer cyber security awareness training programmes, both on and off site, that teach a company's staff to handle valuable information assets properly, to maintain the security and stability of the systems they use, and to make the most of the security systems in place. The programmes often run for days, but by the end your employees will have acquired a great deal of know-how about how the security system works and how best to block a threat when it appears.

Wireless Penetration Testing: The third method is the wireless penetration test. It is an exercise in which the security of a digital infrastructure, starting from its wireless networks, is tested by attempting to break in. With the consent of the owners, security experts try to breach the system's protection to find its weak points. A remediation strategy is then formulated to make sure that the vulnerabilities are fixed, so that they do not become entry points or routes of exploitation for hackers and cyber thieves.

Tackling Cyber Security Threats through Trained Experts

Cyber threats have plagued internet users almost since the advent of the World Wide Web. While security engineers work incessantly to fend off malicious attacks and secure a safe environment for users, every once in a while attackers find a way past the guards, rendering those efforts futile. Once inside the servers, they wreak havoc, stealing and disclosing data and leaving the system vulnerable to further threats. Before the peril strikes, what one should do is seek the advice of an ISO 27001 consultant, who is professionally equipped to treat the vulnerabilities of your digital infrastructure and make it fit to withstand a broad range of security threats.

This may sound unexpected, but there is no single magic trick that does the job for all kinds of servers and websites. Like the systems themselves, their strengths and weaknesses vary greatly, which is why a cyber security consultant in Manchester forges a new approach to securing each system, usually preceded by an extensive study of it. Some consultants are firmly opposed to the idea of applying one and the same strategy to different kinds of systems; to secure your system, you want someone like that.

To tighten the security of a website or server, cyber security consultants rely on tried and tested methods: wireless penetration tests, security awareness training and endpoint security, to name a few. However big or small your business, and whatever your experience with cyber threats, the provider you hire to bolster your system against malicious attacks should itself be GDPR compliant. Such companies operate in full compliance with domestic and international security standards, and their tools and processes are accurate and up to date.

Motivations behind an attack

The motives behind Social Engineers' attacks vary massively. There are the odd good ones who have turned their lives around and now offer constructive services to companies, so that their workforces can build up awareness and combat these attacks, e.g. Kevin Mitnick [1]. Then there are those who are the exact opposite, driven purely by greed to leech every hard-earned penny out of their target so they can live a lavish lifestyle, while leaving their unfortunate victims to count the losses.

Social Engineers can attack a target for a number of reasons. Some of the potential motives are outlined below:

1- Financial

The focus of a Social Engineer in these attacks is to get hold of sensitive and valuable data, so that the victim can be blackmailed into handing over a ransom. To minimise the inconvenience of dealing with the target, Social Engineers are also known to go after the victim's financial accounts directly, so that they can take control and transfer the funds easily and with minimal risk of detection.

These attacks are often well planned in advance, and every attempt is made to remove all traces of contact, to ensure that the authorities fail to track down those responsible. In most cases the intentions of the Social Engineers carrying out this type of attack are malicious, and their victims suffer the consequences of the intrusion in one way or another.

2- Curiosity/Personal interest

In this type of attack, the attacker typically tries to gain as much information about the company or the target as possible. The objective is not to inflict damage, but to understand procedures and policies and to find out how much sensitive information the Social Engineer can obtain without compromising their identity or their objectives.

Normally, once the attacker reaches the desired level, they consider the objective complete and move on. This motivation can also be described as 'target practice', where the Social Engineer probes smaller companies to build up experience and confidence before taking on the bigger or final target.

3- To attain reputation/fame

There exist many internet forums and other channels through which both experienced and new Social Engineers communicate and exchange advice and tips.


Figure 1 – Netflix accounts being offered for free on a Social Engineering forum [2].

With the aim of building up a reputation and bragging about their achievements, some Social Engineers target companies and then release the acquired data on these forums for others to use, often for free, in the hope of getting 'likes' and 'vouches' from other users (example: Figure 1). Upon achieving the desired reputation, they gain the account privileges to offer and sell their services to other members for a fee.

4- Revenge attack

Grievances against employers are common. However, it becomes a costly affair for both parties when one of them takes the law into their own hands and maliciously attempts to damage the other by sabotage or by releasing illegally acquired sensitive data online.

Attackers who are ex-employees are usually well versed in the procedures and policies of the company, which makes stealing data or breaking in even easier. They know the chain of command and, with the right contacts and insider knowledge, can cause severe damage to their former employers should they choose this path.

Social Engineering and hacking attacks against ex-employers have become so common that America's Federal Bureau of Investigation issued a press release in 2014 [3] warning employers to be wary of this threat, along with a long list of recommendations to follow once an employee is relieved of their duties.

5- Political

Politics may also encourage an attacker to take matters in their own hands, to either bring reputational damage to an entity, or by taking action which favours the political cause preferred by the attacker.

Reporting on the case of an Algerian hacker, Aljazeera released a report in 2015 [4] with the caption ‘Is the Algerian Hacker a hero?’.

The hacker in question, an Algerian called Hamza Bendelladj, was the co-author of a Trojan horse that was introduced into around 200 different banks through various Social Engineering methods. Once the malware had seized control of a system, he was able to withdraw money from the compromised banks and institutions.

From the money Hamza amassed through his hacking, he reportedly donated $280,000,000 to Palestine, a territory illegally occupied by Israel since 1967 [5]. This is why many of his fans call him a hero and ran campaigns for his release. The BBC reported in April 2016 [6] that the Algerian hacker had been jailed in the US for a total of 15 years for his cyber crimes.

6- State sponsored attacks

The idea behind these attacks is either to cause maximum devastation to the target or to discreetly steal high-value confidential data. As they are paid for by governments and powerful establishments, the attackers usually have access to very large resources and funds.

Unlike criminals who often work alone, state-sponsored Social Engineers are well organised and work in groups. Because they often enjoy effective immunity from prosecution, they tend to take bigger risks and have the capability to launch sophisticated attacks to achieve their goals.

Because of this coordination, dedication and large amount of resources, state-sponsored attackers are usually the ones who discover zero-day exploits and come up with unique manipulation methods, which are then employed to sabotage targets, extract secret data or simply steal another nation's trade secrets.

It was widely reported in the media that the US and Israel facilitated the assassination of an Iranian scientist in 2011 [7] as well as the development of the 'Stuxnet' virus [8], which was introduced into Iran's uranium enrichment facilities through 'baiting' with infected USB media. The objective was to delay Iran's acquisition of the technology needed to build a nuclear weapon.

The virus caused the intended damage to Iran's enrichment centrifuges, and Iran later returned to the negotiating table with the US and eventually agreed to curb its uranium enrichment programme [9]. Reuters also released an exclusive report in 2015 [10] citing evidence that a variant of Stuxnet was used by the US in an attempt to attack North Korea, but the sabotage ultimately failed.

Information about the function and operating methods of some of the malware created by state-sponsored attackers is now in the public domain, e.g. Duqu, Flame and Gauss [11]. It is safe to assume that many other undiscovered variants of such sophisticated malware are secretly transmitting sensitive and valuable data to the high-profile sponsors of these attacks.

 

 

References

[1] Kevin Mitnick (2016) MitnickSecurity, Available at: https://www.mitnicksecurity.com/ (Accessed: 15 July 2016).

[2] Confidential (2016) Fresh Netflix Account x15, Available at: https://socialengineered.net/thread-82040.html?highlight=netflix (Accessed: 15 July 2016).

[3] FBI (2014) Increase in Insider Threat Cases Highlight Significant Risks to Business Networks and Proprietary Information, Available at: https://www.ic3.gov/media/2014/140923.aspx (Accessed: 15 July 2016).

[4] Dalia Hatuqa (2015) Hamza Bendelladj: Is the Algerian hacker a hero?, Available at: http://www.aljazeera.com/news/2015/09/algerian-hacker-hero-hoodlum-150921083914167.html (Accessed: 15 July 2016).

[5] Amnesty International (2016) Israel and Occupied Palestinian Territories 2015/2016, Available at: https://www.amnesty.org/en/countries/middle-east-and-north-africa/israel-and-occupied-palestinian-territories/report-israel-and-occupied-palestinian-territories/ (Accessed: 6 August 2016).

[6] BBC (2016) US bank hackers get long jail term, Available at: http://www.bbc.co.uk/news/technology-36101078 (Accessed: 15 July 2016).

[7] Financial Times (2011) The sabotaging of Iran, Available at: http://www.ft.com/cms/s/2/7d8ce4c2-34b5-11e0-9ebc-00144feabdc0.html (Accessed: 16 July 2016).

[8] Ellen Nakashima and Joby Warrick (2012) Stuxnet was work of U.S. and Israeli experts, officials say, Available at: https://www.washingtonpost.com/world/national-security/stuxnet-was-work-of-us-and-israeli-experts-officials-say/2012/06/01/gJQAlnEy6U_story.html (Accessed: 16 July 2016).

[9] Neta Alexander (2016) Did the Israeli-American Stuxnet virus launch a cyber world war?, Available at: http://www.haaretz.com/israel-news/.premium-1.730842 (Accessed: 16 July 2016).

[10] Joseph Menn (2015) Exclusive: U.S. tried Stuxnet-style campaign against North Korea but failed – sources, Available at: http://www.reuters.com/article/us-usa-northkorea-stuxnet-idUSKBN0OE2DM20150529 (Accessed: 16 July 2016).

[11] Davey Winder (2015) State-sponsored cyber spies target business secrets, Available at: http://raconteur.net/business/state-sponsored-cyber-spies-target-business-secrets (Accessed: 16 July 2016).

 

Why are Social Engineers successful?

To fully understand how to protect oneself from Social Engineering attacks, it is important to understand which human traits Social Engineers exploit to gain passage to the desired target.

One of the greatest tools in the arsenal of a Social Engineer is the skill of manipulation. Combined with deception and influence, it lets a good Social Engineer gain access in minutes to an account that a brute-force attack would take hours, days or longer to crack.

Social Engineers employ a variety of tactics to trap their targets into performing actions of the attacker's choosing. It could be something as simple as gaining someone's trust over the phone to obtain confidential information, or setting bait through a phishing message that leads someone to a compromised website.

Social Engineers are the modern equivalent of con artists, the only difference being that the con artist uses non-technical methods to cheat people out of their hard-earned money. Social Engineering is so effective because victims often give in to authority. A Social Engineer disguised as a health and safety officer with a fake ID, citing a 'surprise visit' as the reason for access, can easily gain entry to a premises, provided they carry out the job with commanding confidence and control.

According to Kevin Mitnick, Social Engineers primarily target these human attributes, to gain what they want [1]:

  • Trust
  • Desire to be helpful
  • Sympathy
  • Human Gullibility

Apart from the attributes listed above, people generally tend to avoid conflict and follow instructions. Social Engineers exploit these virtues and rely on lies and falsehood to further their cause.

Social Engineers are also good at manipulating the darker side of humans. There are reported instances in which Social Engineers have offered rewards and bribery to greedy employees, in order to gain access to specific information. The use of brainwashing, blackmail and playing with people’s fear is another successful strategy Social Engineers tend to employ, to achieve their objectives.

Kaspersky Lab is a well-known name in the security solutions market. In a report published in 2015 [2], Kaspersky reported a 163% increase over 2014 in successful installations of ransomware on monitored computers, with one family, 'Trojan-Ransom.HTML.Agent', taking the largest share at 38%. Practically unbreakable ransomware, delivered by clickbait, phishing, viruses or other malware, has gained such momentum that even some of the best in IT security have advised members of the public simply to pay up to get their files back.

Joseph Bonavolonta, from the FBI commented on the problem:

“The ransomware is that good, to be honest, we often advise people just to pay the ransom.” [3]

The success of ransomware can be loosely attributed to the Social Engineering techniques hackers are increasingly employing to get their victims to pay up. Instead of simply asking the victims to pay the ransom to regain access to their files, hackers are now playing on people’s fear by displaying messages of a threatening nature, to close more ransomware cases successfully.

In the instance specified below (Figure 1), once encryption has taken place, the ransomware falsely claims to have detected child pornography on the victim’s PC and advises them to pay up or face up to five years in prison and lifelong inclusion on the sex offenders’ register.

Figure 1 – Ransomware Sample Message [4]

A threatening message of this nature is enough to send chills down the spine of even the strongest among us. Common sense dictates that victims just pay up a modest amount in their local currency, rather than go through the hassle of proving their innocence to the authorities.

The example listed above shows that Social Engineers target every exploitable aspect of human nature. Social Engineers are excellent at tapping into emotions, and they frequently use that skill to influence their victims into performing actions that are detrimental to their own good.

Fundamental human vulnerabilities, which are cruelly exploited by Social Engineers, are listed below.

1- The Key – Gaining Trust

Social Engineers usually target someone who is in a position of authority, or who is at a minimum in possession of privileged information useful to the Social Engineer. For an employee to reach that level, they naturally have to go through certain steps within their company to prove their competence. Therefore, it is safe to assume that the majority of the people being exploited by Social Engineers do have expertise and reasonable proficiency in their line of work. Yet we see from the evidence, again and again, how easily Social Engineers fool people into handing over sensitive information.

In 2015, a twenty-year-old teen gained access to CIA Director John Brennan’s email account by using Social Engineering. In an interview published by Wired magazine [5], the teen explains how easily he manipulated the staff of two separate companies to gain access to the account which, as one can imagine, contained emails and documents of a top secret nature.

Describing the attack, the teenager, named by the magazine as ‘Phobia’, confessed that he was not alone when he caused the breach and was assisted by two other partners, who worked in coordination to execute the attack. ‘Phobia’ reveals that once they had set their eyes on the target, they identified John Brennan’s phone number using public information sources and online directories, and then performed a reverse lookup to discover that he was a customer of Verizon.

Impersonating a Verizon employee, they contacted Verizon’s customer services and explained that they were on a call-out but their company-supplied PDA was broken. They gained the trust of the customer service representative and tricked her into disclosing John Brennan’s account number, the last four digits of his bank card, his verification PIN, a backup mobile number and his AOL email address.

Once in possession of this information, the attackers contacted AOL to reset the security on the email account. They were able to pass authentication as they were already in possession of the vital verification information provided to them by Verizon.

Over the course of the next few days, CIA director John Brennan became aware of the breach and unsuccessfully tried to regain access to his account. Each time John Brennan reset the password to his personal AOL email account, the attackers would call AOL back and reverse the changes.

The teen explains in the interview that the attack was executed because of his political beliefs. Precisely three days after they gained access to the account, the CIA director permanently closed down his email account. The attacker then rang John Brennan on his personal mobile number and, when John enquired what it was that he wanted, the attacker replied:

“We just want Palestine to be free and for you to stop killing innocent people.” [5]

This attack would not have been successful had the Verizon employee conducted some background checks on the impersonator before handing over confidential information. However, the attacker succeeded in gaining the absolute trust of the customer service representative with his charm and confidence.

This example illustrates how gullible some people can be. Even with experience, plenty of cross-checking resources at their disposal and all the necessary knowledge, some people walk right into the trap. Such people are ideal targets for Social Engineers.

2- Displaying Obedience to Authority

Humans are wired to respect authority. From a young age, we are taught by our elders to respect and listen to people in authority. This means obeying parents, teachers and the law, and when one enters professional life this extends to managers, bosses and superiors who demand that level of adherence.

Stanley Milgram explains in his book Obedience to Authority: An Experimental View that:

“Facts of recent history and observation in daily life suggest that for many people obedience may be a deeply ingrained behaviour tendency, indeed, a prepotent impulse overriding training in ethics, sympathy and moral conduct.” [6]

This idea, given to us by society, that commanders deserve absolute respect and obedience, and that those who disobey them are labelled insurgents and frowned upon by our culture, has instilled such unnecessary fear into the hearts of some that they have forgotten the virtue of challenging authority, even when there exists a reasonable suspicion about the motives of the person giving directions. This is precisely another psychological vulnerability in humans which Social Engineers so eagerly exploit.

To prove this point, we examine a study conducted by researchers in three mid-western hospitals in the US. Reporting on the study, Dr. Robert Cialdini writes in his book Influence: The Psychology of Persuasion [7] that a group of researchers comprising doctors and nurses became increasingly troubled about the high level of obedience displayed by mid-level nurses to physicians.

The concerned researchers conducted a study on twenty-two separate nursing stations, involving various wards from the three pre-selected hospitals. A researcher made an identical phone call to each nursing station and falsely identified himself as a hospital physician. The impersonator then instructed the nurses to administer an unsubstantiated dose of a drug (Astroten) to specific ward patients.

The author lists four reasons why that request should have been challenged by the nurses.

  • In direct violation of hospital policy, a drug prescription should not have been accepted over the phone.
  • The drug itself was not cleared for use on the patients, given their symptoms/illnesses.
  • The dosage requested for the patients was dangerously excessive.
  • The order came from someone the nurses had never met or talked with before on the phone.

Once the call was disconnected, in ninety-five percent of the instances the nurses proceeded to the drugs cabinet and secured the requested drug for administration. It was only when the nurses started moving towards the patient’s room that they were stopped by secret observers and the nature of the study was disclosed to them.

This experiment and its outcome speak for themselves. Given the reasoning expressed by the author above, combined with the fact that the medicine was not suitable for the patients in question, the nurses should have questioned the validity of the instruction.

Jonathan Rusch comments on this particular study in his paper The Social Engineering of Internet Fraud, that:

“People are highly likely, in the right situation, to be highly responsive to assertions of authority, even when the person who purports to be in a position of authority is not physically present.” [8]

We have heard of and witnessed this attitude in subordinates on many occasions, and it often leads to difficulties further down the line. Take, for example, the story of a drunken Latvian co-pilot who was ready to take off from Oslo airport in August 2015. The Guardian [9] reports that the co-pilot was seven times over the legal alcohol limit when he entered the plane. Despite the airport’s strict zero-tolerance policy on alcohol, the co-pilot managed to get through a series of security checks before making it to the plane, and was never challenged either by airport security or by his colleagues, despite being visibly drunk. The authorities only intervened after a concerned passenger raised the alarm, just before take-off. It is safe to assume that multiple casualties were potentially prevented that day by the arrest of the co-pilot.

This example perfectly illustrates the harm that comes from not challenging a person of authority when an obvious concern exists, as well as the benefit that comes from raising a legitimate objection to suspicious and out-of-the-ordinary behaviour. Hence, the evidence from the data reviewed so far suggests that being respectful and courteous is one thing, but becoming exceptionally compliant when orders are issued by superiors is an unhealthy attitude with detrimental consequences, and is indeed a psychological flaw in some people which is being actively exploited by Social Engineers.

3- Exploiting naivety

Social Engineers thrive on people’s naivety. Once we take into account the fact that some of us can be genuinely innocent, ignorant or lacking in Internet experience (new users), and couple this with natural gullibility, we realise that those members of our society are publicly holding an ‘open to exploitation’ placard in their hands.

This ignorance can only be overcome with education, awareness and practical experience. But until that happens, this section of our society is a ‘sitting duck’ for attackers. Quickly seizing on this opportunity, criminals and Social Engineers know that new and less experienced Internet users are more susceptible to falling for phishing scams, which can earn them millions, if not billions, in revenue.

Consumer Reports magazine [10] disclosed that the damage inflicted by phishing scams in 2008 was $483 million in the US alone. This is quite a modest amount if we take into account the combined losses incurred through other types of Internet crime, such as viruses, click-baiting, spyware, hacks etc. What is more surprising is that, despite losing vast sums to Internet crime each year, it is the US where the majority (49%) of phishing domains are hosted, as reported by McAfee in 2015 (Figure 2).

Figure 2 – Phishing statistics [11]

Although the responsibility to provide a safer and crime-free Internet also falls on the shoulders of crime prevention and enforcement agencies, we can assume from the sheer lawlessness we witness on the Internet that they have failed this task miserably. Because Internet criminals can be very hard to trace, and phishing and crimes of a similar nature are classed as low-level misdemeanours, the result has been continuous year-on-year growth of cybercrime on the Internet.

As we suffer from the continuing after-effects of the recession, many crime prevention agencies have had to sustain massive budget cuts. This appears to have diverted the available policing resources towards serious crimes such as murder and rape.

As discussed above, people’s naivety also plays an important part in making a cybercrime successful. Just as a toddler with no real-life experience finds fire fascinating and will attempt to touch it unless forcibly stopped, people with less Internet experience generally give in to curiosity and the temptation to click when they see enticing subject lines such as the one listed below in Figure 3.

Figure 3 – Typical HMRC Phishing email sample [12]

As immoral and unethical as they are, Social Engineers are smart people and are quick to act once they see a window of opportunity. Natural disasters and celebrity gossip are also popular ways for scammers to grab the attention of their potential victims and tempt them to click on shared links. Scammers understand the public’s genuine interest in current trending events, which they happily exploit by creating links with attention-grabbing headlines. These links are then shared and spread across the Internet through compromised accounts.

The idea is usually to get people to click on the links, which lead them to a malicious website that infects their computers with malware or obtains their login credentials, while at the same time using the profile of the newly acquired victim to spread the scam further. An example can be seen below in Figure 4.

Figure 4 – An example of a malicious link on Facebook which leads the victim to a compromised website [13].

Currently, with private information increasingly accessible online due to inadequate personal privacy practices, Social Engineers are using social media for more precisely targeted attacks, directed against a person they have already researched online. Attackers cleverly “chat up” the victims about topics of common interest before befriending them for further contact. The objective is often to gain their trust, extract useful information and then use that information for financial gain. The same technique is also used for other nefarious purposes, such as coercion, blackmail, extortion and similar crimes.

The Independent (UK) broke a story [14] in 2015 in which they reported that a middle-aged divorcee had sent almost one million pounds to someone called ‘Chris Oslen’ in South Africa, whom she had never met in real life. The online newspaper reported that the couple got to know each other online in 2013 and shortly afterwards began a long-distance relationship.

The scammer claimed to be an Italian businessman on a trip to South Africa. As their relationship got stronger, the scammer made up a few stories about losing his passport and being falsely imprisoned for money laundering. He then asked the victim to send him money for lawyer’s fees, bail, food and hotel expenses, and over a period of 18 months successfully extracted £910,000 from the victim.

In an interview given to a US TV program called ‘Dr. Phil Show’, the victim made these concluding remarks:

“I am 95% certain that Chris (the scammer) is telling me the truth – that this is legit.” [14]

This was despite the fact that, in the same interview, she had admitted noticing a considerable change in the scammer’s accent whilst speaking to him over the phone:

“He sounded Italian, now his accent’s kind of changed, I don’t know if he is adapted to where he’s at… in Benin.” [15]

This unfortunate case bears all the hallmarks of a typical online scam, where a Social Engineer becomes an online social acquaintance of the victim through dating websites or social media, gains the victim’s trust and then proceeds to manipulate the person, by telling fabricated stories, in order to get money.

However, the victim’s unwavering trust in the scammer brings this famous saying to mind:

“There is no patch for human stupidity.” – Unknown

Unfortunately, there is no quick fix available (yet) which can intervene and stop naive humans from trusting dangerous and cunning individuals. Preventative hardware and software solutions will only work to a certain extent and will fail once control is assumed by an inexperienced person.

The disastrous trend in the enterprise of investing in technology but not in people usually turns into a huge regret once a breach occurs. A company can install ten different types of firewalls and intrusion detection systems to protect its data, but these measures are useless in stopping someone from handing over their credentials to an attacker in a well-organised Social Engineering attack.


References

[1] K. Mitnick (2012) Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker. Little, Brown and Company.

[2] Kaspersky (2015) Kaspersky Security Bulletin 2015, Moscow, Russia: Kaspersky Lab.

[3] John Zorabedian (2015) Did the FBI really say “pay up” for ransomware? Here’s what to do…, Available at: https://nakedsecurity.sophos.com/2015/10/28/did-the-fbi-really-say-pay-up-for-ransomware-heres-what-to-do/ (Accessed: 23rd June 2016).

[4] Unknown (2015) Ransomware Sample Message, Available at: http://blog.yoocare.com/wp-content/uploads/2012/06/Federal-Bureau-of-Investigation-International-Police-Association-Moneypak-Virus.jpg (Accessed: 23rd June 2016).

[5] Kim Zetter (2015) Teen Who Hacked CIA Director’s Email Tells How He Did It, Available at: https://www.wired.com/2015/10/hacker-who-broke-into-cia-director-john-brennan-email-tells-how-he-did-it/ (Accessed: 24th June 2016).

[6] Stanley Milgram (2010) Obedience to Authority: An Experimental View, 1st edn., London, UK: Pinter & Martin Ltd.

[7] Robert B. Cialdini (2007) Influence: The Psychology of Persuasion, 1st edn., US: Harper Business.

[8] Jonathan J. Rusch (Unknown) ‘The “Social Engineering” of Internet Fraud’, [Online]. Available at: http://www.isoc.org/isoc/conferences/inet/99/proceedings/3g/3g_2.htm#r19 (Accessed: 27th June 2016).

[9] Jennifer Rankin (August 2015) Drunk airBaltic crew included co-pilot at seven times legal alcohol limit, Available at: https://www.theguardian.com/world/2015/aug/18/drunken-airbaltic-crew-included-co-pilot-at-seven-times-legal-alcohol-limit (Accessed: 29th June 2016).

[10] Consumer Reports (June 2009) State of the Net 2009, Available at: http://www.consumerreports.org/cro/magazine-archive/june-2009/electronics-computers/state-of-the-net/state-of-the-net-2009/state-of-the-net-2009.htm (Accessed: 9th July 2016).

[11] McAfee Labs (Feb 2015) Threats Report, California, US: Intel Security.

[12] Sandra Donnelly (2014) Warning: Phishing emails from HMRC, Available at: http://www.scott-moncrieff.com/news/news-updates/warning-phishing-emails-from-hmrc1 (Accessed: 9th July 2016).

[13] Jose Hernandez (2014) El “malware” reina en facebook, cuidate de los enlaces, Available at: http://piel-l.org/blog/37247 (Accessed: 12th July 2016).

[14] Lizzie Dearden (2015) US woman sends man in Africa she has never met almost £1 million because they are ‘in love’, Available at: http://www.independent.co.uk/news/world/americas/us-woman-sends-man-in-africa-she-has-never-met-almost-1-million-because-they-are-in-love-10080278.html (Accessed: 12th July 2016).

[15] The Dr. Phil Show (2015) Why A Woman Sent Online Lover She’s Never Met More Than $1.4 Million, Available at: https://youtu.be/FBwD_xLj_x8 (Accessed: 12th July 2016).

Social Engineering ‘Exploitation Techniques’

Social Engineering is a continuous and ongoing threat. If executed well against those unprepared for it, the perpetrator can get access to whatever they have set their eyes on with minimal effort. For this reason, it is important to understand the routes normally used by Social Engineers to trap people. Being able to recognise an attack type might help a person switch into an automatic ‘alert mode’, preventing them from becoming an unfortunate victim.

A breakdown of the common tools and techniques used by Social Engineers is given below.

1- Phishing

Phishing is the ultimate form of deception. With phishing, a Social Engineer tricks the target into thinking that they are communicating with a legitimate and trusted source. In reality, the attacker is almost always in full control and can see the sensitive information given up by the victim.

By far the most popular method of luring victims to a specially crafted webpage, which records all information entered, is email. However, the attacker may also make use of other mediums of communication, such as phone calls, social media, online chat and spoofed websites promoted through malicious plugins, malware or other compromised websites, to lure the victim into giving up their personal, financial or other sensitive information.

2- Spear Phishing

Spear phishing is an advanced type of phishing attack in which the attacker is already in possession of some information about their target. The attacker makes their move in a targeted attempt and uses information relevant to the victim to gain their confidence.

Because a large number of people in the developed world use social media without making full use of the privacy settings on offer, Social Engineers often harvest specific details about their targets from this medium and from other online services such as 192.com.

By using this personalised method, a Social Engineer can improve their chances of a successful attack. They can quickly gain the trust of their victims and persuade them into divulging sensitive information, e.g. business or financial data, trade secrets etc.

3- Quid pro quo

As the name suggests, in this type of attack the attacker tempts the target into giving up sensitive information in exchange for a favour or a gift. For example, a Social Engineer may ask an employee of a company to share a confidential file with them in exchange for a brand new smartphone.

This type of offer sounds dubious and should raise immediate suspicion in a normal person’s mind about the motives of the individual making it. Upon contact, it is sensible for an employee to record as many details about the attacker as they can and then pass the information to the manager in charge, so that some action can be taken to deter the attackers from trying again.

4- Baiting (Road Apple)

Social Engineers conduct baiting (also known as Road Apple) by leaving a malware- or virus-infected USB drive or CD near the target’s location, in a place where they know their potential victim is likely to be. This could be right in front of their office, at a time when they are expected to enter or exit the building, or right outside their target’s home.

It must be noted here that CDs are not used as bait as frequently now, because use of this technology is in continuous decline. The ‘Rubber Ducky’ or the likes of the ‘USB Armory’ are the weapon of choice for attackers due to their capability to act as an injection attack platform, by tricking the computer into thinking that the device being attached is a HID (human interface device) keyboard.

The idea is that once the target sees the ‘bait’, they will pick it up and, out of curiosity, insert it into their computer at home or at the office, inadvertently installing the malware or virus. Once installed, the malicious application will allow the attacker to gain access to the computer and perform tasks remotely.

5- Pretexting

Pretexting is the art of creating a false scenario and presenting oneself as an authoritative figure, which makes the target comfortable divulging information they normally would not. For instance, after gathering sufficient information about the potential victim online (through social media and the Internet), the attacker may call the victim and tell them that they are speaking from their bank to discuss some suspicious transactions on their account. To gain the victim’s trust and appear legitimate, the attacker will quote the victim’s correct date of birth and address (obtained from the Internet), and then ask the victim to confirm their account details so that they ‘know’ they are speaking to the account holder.

Typically, once trust is established the victim will be prepared to divulge any information about their account. Exploiting this weakness, the attacker gathers as much private information about the victim as they can before calling the victim’s bank. In possession of up-to-date private information about the victim, and through impersonation, the attacker can potentially reset security on the account and maliciously carry out financial transactions on the victim’s behalf without their knowledge.

6- Tailgating

Tailgating is a physical Social Engineering approach in which an unauthorised individual attempts to gain access to a secure target location by following (‘tailing’) an authorised worker. The objective is to gain access to the location and then acquire valuable sensitive or confidential information. This is achieved by introducing malware to the computers located in the target area, or by impersonating someone in charge and extracting information by physically interacting with employees on site.

7- Pharming

Pharming, a combination of the words ‘phishing’ and ‘farming’, tricks the victim into thinking that the website they are browsing is legitimate, when in fact they are visiting an identical but forged version of the original website. Through DNS cache poisoning or unauthorised modification of the hosts file, the attacker can deceive the system into resolving the genuine website’s name to the forged site, so that the address the victim typed appears to be correct when it is not.

Pharming requires little or no direct contact between the victim and the attacker, as most of the attack is conducted by technical manipulation. However, this attack is still classified as a tool actively employed by Social Engineers, because of the trickery involved in making victims think that they are browsing the intended website. This type of attack provides a high degree of success, which makes it a weapon of choice for Social Engineers.
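As an added defensive illustration (not code from the original article), the script below audits hosts-file content for the kind of override pharming relies on: it parses hosts syntax, ignores entries that point at loopback or unspecified sink addresses (normal for localhost and ad-blocking lists), and flags any watched domain mapped anywhere else. The watch-list, the sample hosts content and the 203.0.113.7 address are constructed.

```python
"""Audit a hosts file for pharming-style overrides (added example).

Parses hosts-file syntax (address, then one or more hostnames, with '#'
comments) and flags any watched domain that is mapped to an address
other than a loopback/unspecified sink. All sample data is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed watch-list: domains whose local resolution we care about.
WATCHED_DOMAINS = {"example-bank.com", "mail.example.com"}

# Constructed hosts-file content; 203.0.113.7 is a documentation-range address.
SAMPLE_HOSTS = "\n".join([
    "127.0.0.1   localhost",
    "::1         localhost ip6-localhost",
    "0.0.0.0     ads.tracker.invalid                  # ad-blocking sink, benign",
    "203.0.113.7 www.example-bank.com example-bank.com  # suspicious override",
    "not-an-ip   junk.example                         # malformed line, ignored",
])


@dataclass
class HostsEntry:
    line_no: int
    address: str
    hostnames: List[str]


def parse_hosts(text: str) -> List[HostsEntry]:
    """Return the valid entries in a hosts file, one per non-empty line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()        # drop trailing comments
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2:
            continue                                # no hostnames: malformed
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                                # first field is not an address
        hostnames = [h.lower().rstrip(".") for h in fields[1:]]
        entries.append(HostsEntry(line_no, fields[0], hostnames))
    return entries


def is_sink_address(address: str) -> bool:
    """Loopback and unspecified addresses are the expected, benign targets."""
    ip = ipaddress.ip_address(address)
    return ip.is_loopback or ip.is_unspecified


def matches_watched(hostname: str, watched: Iterable[str]) -> bool:
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def find_pharming_overrides(text: str,
                            watched: Iterable[str] = WATCHED_DOMAINS
                            ) -> List[Tuple[int, str, str]]:
    """Return (line_no, hostname, address) for every suspicious mapping."""
    findings = []
    for entry in parse_hosts(text):
        if is_sink_address(entry.address):
            continue                                # localhost / blocklist entry
        for host in entry.hostnames:
            if matches_watched(host, watched):
                findings.append((entry.line_no, host, entry.address))
    return findings


if __name__ == "__main__":
    for line_no, host, address in find_pharming_overrides(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {address} (not a local sink address)")
```

To audit a real machine, read the contents of /etc/hosts (or the Windows equivalent under System32\drivers\etc) in place of SAMPLE_HOSTS and replace the watch-list with the domains your organisation actually depends on.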

8- Trojan Horse – Gimme

This is another method in which a Social Engineer needs minimal physical interaction with the target. The technique exploits the natural curiosity and greed of victims and tempts them into opening an email attachment containing a malicious application.

The attacker usually sends an email to a batch of recipients on a list, with a virus attached. The email offers the recipients a free screensaver, an antivirus, or another popular piece of software of some value to the users. In this type of attack, the negligence and naivety of the users benefits the attacker, and consequently those who trust the sender and install the application from the attachment inadvertently get malware or a Trojan horse on their system.

Social Engineering ‘Prevention Techniques’

Social Engineers have the potential to cause serious damage to their victims, whether social, economic or reputational. It is now more important than ever to understand what precautions can be taken to prevent, alleviate and contain the devastation that can be caused by a Social Engineering attack.

The section below lists some common Social Engineering mitigation strategies which companies and individuals can use to protect themselves from Social Engineering attacks.

1- Physical Security

For any security-conscious business, the first and foremost priority has to be strong physical security, enforced throughout the organisation and applied consistently to everyone. Without tight controls, attackers will have little trouble physically accessing the stations they need in order to launch their digital attack. In addition, once clear and concise security policies are established and implemented, they should be periodically tested to determine the state of security awareness among staff members and to resolve any gaps identified. It is equally important for staff to be continually reminded that the possibility of an attack is real, and that it can occur at any time without warning.

It is good practice to have signs around the workplace entrance reminding employees not to plug in any USB drives or other digital devices they find around the premises, but to submit them to the relevant department for expert analysis, and also to be vigilant and report any suspicious behaviour to security. It may also be a good idea to have employees acknowledge and sign a reminder of best security practices each month.

Physical security can be bolstered with all-round CCTV coverage and a clearly defined human perimeter defence space on the premises. The installation of protective physical barriers, security lighting, alarms, motion detection systems and the use of biometrics to identify employees could go a long way towards protecting a business from a potential attack.

With sufficient physical controls in place, it may be possible for a company to repel a substantial Social Engineering attack. But without strict physical security protocols, the company is keeping its doors open to unauthorised visitors with malicious intent, who can intrude on the premises, plant malware, Trojans and spyware, and circumvent the controls to access the desired data.

2- Internal/Digital Security

Another logical step in the fight against Social Engineering is rolling out a series of digital protective services and software tools to reduce the risk of attacks. It is worth pointing out here that although digital security services may be effective against certain types of Social Engineering attack, they may turn out to be completely useless against others. For example, a reliable spam filter with an up-to-date blacklist, combined with antivirus/anti-malware protection and a good firewall, may go a long way towards protecting a company from phishing attacks, but these measures will be completely useless against physical baiting or tailgating.

However, this does not necessarily mean that enterprises should not invest in software protection mechanisms, because they do provide partial protection. When it comes to protecting digital data and assets, the rule of thumb is that the more security measures are in place, the better.

To negate some of the technical risks that arise from Social Engineering attacks, the use of sandboxing mechanisms can be very productive. Sandboxing is the creation of an isolated virtual environment, which protects the network from self-propagating malware that tends to spread across the domain, even if an employee inadvertently plugs a compromised USB flash drive into their computer. Sandboxing is so effective against some visual deception attacks that popular browsers such as Chromium or Firefox have built-in sandboxing technologies to prevent exploitation through the browser.

Other dedicated measures, such as proactive monitoring, rigorous user authentication and accounting, and the use of targeted machine learning and analysis algorithms that observe normal system behaviour and train themselves to distinguish legitimate from illegitimate user actions and data/packet inconsistencies, can prove to be very effective mitigation strategies against Social Engineering attacks. Machine and behavioural learning systems, in particular, have become so efficient that they are now capable of detecting and stopping sophisticated Social Engineering attacks such as spear phishing.

The internal security mechanisms described above, and the many other security solutions available from specialist vendors, can serve as a powerful shield to protect businesses from Social Engineering attacks. Once implemented, these solutions may require continuous manual monitoring. For example, daily, weekly or monthly analysis of the attacks that have been detected and blocked is necessary to ensure legitimate connections are not being unnecessarily stopped.

These digital protective measures may block the first few attack attempts by Social Engineers, but what businesses need to understand is that Social Engineers and hackers are devoted and work full time to find exploits if they have a good motivation to hack a particular company. It is a cat-and-mouse game in which the system may be able to block a certain number of attempts, but the attacker might then gain the upper hand and find a technical exploit which gives them the access they require. By continually analysing attack attempts and upgrading the infrastructure accordingly, businesses can better protect themselves from these attacks.

3- Implementation of effective security policy and procedures

Because of the ever-changing dynamics of today's IT world, it is crucial that managers and employees alike are aware of the company's current security policies and procedures. The security policy contains the procedures and guidelines that dictate how the organisation protects its data and assets.

For maximum effectiveness the rules must be concise and clearly defined, and they should be available to all employees regardless of rank. At the same time the policies themselves should be protected from unauthorised access, since an attacker who obtains them gains insight into the inner workings of the company. The lack of a clear security policy can in effect become the cause of widespread non-compliance among employees, leading to successful attacks and to fines from regulators.

One of the greatest benefits of enforcing security policies and procedures (for example a data protection policy, a prohibition on posting business-related information on social media, or a bring your own device (BYOD) policy) is that they protect the company not only from intruders but also from the lawsuits and regulatory action that may follow a successful attack if the business was found to be non-compliant. In addition, a well maintained and regularly updated policy, the end result of comprehensive research, current law, lessons learned from previous attacks and the policies of other successful businesses in the same industry, can greatly reduce risk.

Security policies also govern computer use at work. An employee who visits a compromised website, whether deliberately or as the result of a phishing lure, puts the enterprise at risk because their workstation is connected to the corporate network. Strong computer access and authorisation policies, combined with a competently configured firewall and a robust, reliable enterprise antivirus, greatly reduce the chance that such inadvertent exposure harms the company's IT infrastructure, although no single layer should be relied on alone.

4- Penetration testing

When a company has put enough security measures in place and feels confident that it is protected from attack, it is a good idea to get a second opinion from an established, professional penetration tester. The primary purpose of a penetration test is to identify technical vulnerabilities and weaknesses in the network, systems and applications the business uses. As well as testing the resilience of the company's digital assets, many penetration testing firms also offer to assess the security posture of its employees.

Using the same tactics as a malicious Social Engineer, but with the company's consent and within a scope and rules of engagement agreed in writing beforehand, a penetration tester will attempt to gain access through human manipulation, direct hacking or other tricks such as telephone pretexting, phishing, baiting, tailgating or browser-based exploitation. Once the simulated attack is over, the firm or professional leading it presents the employer with a detailed report of the vulnerabilities identified, the probable causes of the weaknesses and the remedial steps the business can follow to close them.

If the simulated attack targeted employees as well as infrastructure, the company also learns which human manipulation techniques succeeded in obtaining the desired information. That knowledge is very useful in hardening both the network and the employees in preparation for a real attack.

To defeat the cancer of cyber crime, companies need to go above and beyond normal business practice to stay ahead. The security challenges of today's digital world are dynamic, daunting and convoluted to say the least. Robust cyber security and continual testing of both infrastructure and employees should therefore be a top priority. A holistic strategy that covers risk management and cyber security, aided by automated tooling that can identify security gaps, will go a long way towards protecting businesses from cyber crime and Social Engineering attacks.

5- User training and security awareness

Because people are easy to reach and evidently more exploitable than technology, the human element remains the part of a business most vulnerable to Social Engineers. Policies requiring strong passwords, two-factor authentication for work logins, top of the range firewalls and intrusion detection systems count for little if employees do not understand the importance of keeping their PIN, passwords and access card safe (though hardware-backed, phishing-resistant second factors do limit the damage a disclosed password can do). A company's security is only as strong as its weakest link, and in this case the weakest link is its employees.

Social Engineers and hackers have long been aware that the human link in any technology equation is the most exploitable element. People are the malleable key that can be manipulated into granting entry to a network, system or data set. Attackers know that human nature is the weak point, which is why the trend of reaching targets through technology alone is changing: obtaining information from someone under false pretences, through manipulation, deceit or coercion, is now conventional.

In essence, the most effective mitigation for Social Engineering is education. With periodic, systematic security training, guidance and frequent reminders of the need to stay on guard and vigilant against suspicious behaviour, businesses can turn their weakest link into their strongest.

It is vital for employees to understand the significance of protecting sensitive information, and to know how a Social Engineer might strike. With awareness they learn the various attack vectors and become able to tell an opportunistic, widely dispersed attack from a targeted one. With education, employees learn that a Social Engineer will not simply ask "Could you give me the access code for the server room, please?". Instead the attacker ties together small pieces of information acquired over time, reads the cues and signals given away by several employees, and assembles the pieces of the jigsaw to unearth the information they were after.

Preparing and delivering training is labour-intensive and costly, and the long-term benefits may seem uncertain at first, but this is the plunge companies must take if they wish to fortify themselves against Social Engineering attacks. Absolute security can never be guaranteed, but by playing smart and educating employees in security awareness, companies can turn uninformed workers into educated and resourceful watchmen, converting them from a liability into an asset.