What is Social Engineering?
Once again, the Social Engineering Capture The Flag (SECTF) competition at DEF CON was a huge success. Social Engineering (SE) is, put simply, hacking the human element of an organization: tricking a victim into handing the attacker sensitive information about the target. Attacking the human lets an attacker bypass the physical controls (security guards, door locks, cameras, etc.) and the technical controls (firewalls, IDS / IPS, antivirus, etc.) to gather information that can be used later to defeat those very controls.
Why should I be concerned about Social Engineering?
According to the 2015 and 2016 Verizon Data Breach Investigations Reports (links below), SE-based attacks (primarily phishing) were not only near the top of the list, but the 2016 report puts them up 23% from 2015. The focus of this year's SECTF was computer security companies, showing that even organizations whose business is security can fall victim to this type of attack. Contestants were able to obtain information about the network, the antivirus and web-filtering technology in use, and even the name of the security guard, as well as getting targets to visit websites and submit sensitive information. Tools like the Social-Engineer Toolkit (SET), Maltego and Datasploit (which debuted at Black Hat this year) also continue to improve, making much of the information needed for a successful SE attack easier to gather (for the good guys and the bad guys alike).
So, what can I do to protect myself and my organization?
Unlike vulnerabilities in physical and technical assets, there is no patch for SE attacks. Mitigation rests on three things: training, communication and testing. Train your employees, contractors and other users on how to spot a potential SE attack (a sender whose display name does not match the actual address, a lookalike domain, a Reply-To that goes somewhere else, pressure to act immediately, a link whose visible text does not match where it really goes). Give them clear channels to verify their suspicions: if someone claims to need sensitive information on behalf of the CEO, staff should have a known path to the CEO or a designated representative to confirm the request out of band, never by replying to the message that made it. Test the organization regularly with SE-based exercises such as phishing and vishing campaigns to verify that everyone knows and follows policy, and use failures as a training opportunity so they are not repeated in a real attack.
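As an added example (not code from the original post or from Piratica), the following Python script turns the "how to spot an SE attack" training points above into concrete checks a reader can run against sample messages: display-name impersonation of a known person, a lookalike sender domain, a mismatched Reply-To, pressure language, and link text that names one host while the href points at another. The trusted domain corp.example, the directory entry for "Pat Chen", the confusable-character list and both messages are constructed for this example; the indicator list is illustrative, not a complete detection product.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed organization domain and one assumed internal directory entry (constructed for the example).
TRUSTED_DOMAINS = {"corp.example"}
DIRECTORY = {"pat chen": "pat.chen@corp.example"}

# Pressure language typical of SE pretexts (illustrative, not exhaustive).
URGENCY_WORDS = ("urgent", "immediately", "within the hour", "wire transfer", "gift card", "do not discuss")

# Substitutions attackers use to build lookalike domains: "rn" for "m", "0" for "o", "1" for "l", "vv" for "w".
CONFUSABLES = (("rn", "m"), ("0", "o"), ("1", "l"), ("vv", "w"))


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if the address has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain):
    """True when an untrusted domain collapses to a trusted one after undoing confusable substitutions."""
    if domain in TRUSTED_DOMAINS:
        return False
    folded = domain
    for fake, real in CONFUSABLES:
        folded = folded.replace(fake, real)
    return folded in TRUSTED_DOMAINS


def link_mismatches(body):
    """Return (anchor_text, href) pairs where the visible text names one host but the link goes to another."""
    mismatches = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        text = text.strip()
        # Only anchor text that looks like a URL or hostname makes a claim about where the link goes.
        if not re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I):
            continue
        href_host = (urlparse(href).hostname or "").lower()
        text_host = (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
        if text_host != href_host:
            mismatches.append((text, href))
    return mismatches


def score_message(raw):
    """Score one RFC 822 message: returns (number_of_indicators, list_of_findings)."""
    msg = message_from_string(raw)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))

    # 1. Display name matches a known person but the address is not that person's directory entry.
    expected = DIRECTORY.get(display.lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display name '{display}' but address {from_addr} (directory says {expected})")
    # 2. Sender domain is a lookalike of a trusted domain.
    if is_lookalike(from_domain):
        findings.append(f"sender domain {from_domain} is a lookalike of a trusted domain")
    # 3. Replies are routed to a different domain than the message claims to come from.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To {reply_addr} goes to a different domain than From")
    # 4. Pressure language in subject or body.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    # 5. Link text that names one host while the href points elsewhere.
    for shown, real in link_mismatches(msg.get_payload()):
        findings.append(f"link text {shown} but href {real}")
    return len(findings), findings


# Two constructed messages: a CEO-fraud style phish and a benign internal note.
SAMPLE_PHISH = """From: Pat Chen <pat.chen@c0rp.example>
Reply-To: pat.chen@mail-relay.example
Subject: URGENT wire transfer before 5pm
Content-Type: text/html

<p>I need this handled immediately and do not discuss it with anyone.</p>
<p>Approve here: <a href="http://c0rp.example/approve">https://corp.example/finance</a></p>
"""

SAMPLE_LEGIT = """From: Pat Chen <pat.chen@corp.example>
Subject: Q3 planning notes
Content-Type: text/html

<p>Notes from today are on the wiki: <a href="https://wiki.corp.example/q3">https://wiki.corp.example/q3</a></p>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        score, findings = score_message(raw)
        print(f"{name}: {score} indicator(s)")
        for f in findings:
            print("  -", f)
```

The phishing sample trips all five checks and the benign note trips none. In practice none of these indicators is conclusive on its own (a legitimate mailing-list message can have a foreign Reply-To, and a genuine escalation can be urgent), which is exactly why the text pairs training with an out-of-band verification channel: the script tells a user what to be suspicious of, and the phone call to the real CEO's office settles it.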
If you would like more information on Social Engineering or the services that Piratica can provide to help your company identify and avoid potential Social Engineering attacks, contact us to schedule an appointment to speak with our sales team.
- What is Social Engineering – https://en.wikipedia.org/wiki/Social_engineering_%28security%29
- 2015 Verizon Data Breach Investigations Report (DBIR) – http://news.verizonenterprise.com/2015/04/2015-data-breach-report-info/
- 2016 Verizon Data Breach Investigations Report (DBIR) – http://news.verizonenterprise.com/2016/04/2016-verizon-dbir-report-security/
- Social-Engineer Toolkit (SET) – https://www.trustedsec.com/social-engineer-toolkit/
- Maltego – http://www.paterva.com/web7/
- Datasploit (The Register's coverage of its Black Hat debut) – http://www.theregister.co.uk/2016/08/15/hacker_trio_crafts_datasploit_tool_for_easy_social_engineering/