Dimensions of Social Engineering

Social engineering attacks now represent one of the most persistent threats to privacy. From bogus want-ads to online spear-phishing, social engineering is an increasingly common route to data breaches and identity theft. This article gives a brief introduction to the many dimensions of social engineering attacks.

What is social engineering?

In the IT security context, social engineering is the manipulation of people, rather than technology, to defeat an enterprise’s security controls. Despite advances in technology, it remains one of the largest security risks: a large share of the most damaging security breaches begin with social engineering rather than with purely technical “hacking” or “cracking.”

The article treats social engineering as an advanced persistent threat. (Strictly, that label describes a well-resourced group with the ability and intent to target a specific organization persistently and effectively; social engineering is one of the techniques such groups rely on, so the label is applied here by analogy.) The attacks are ‘advanced’ in the sense that they can cut across all four types of identity theft (financial, employment, medical and criminal identity theft). They are ‘persistent’ because there is no way to rid an organization of the threat completely: it depends on human error in a very fundamental way, and there is no way to prevent individuals from ever making mistakes. For this reason, the best defenses are education, training, practice and repetition of security procedure and policy, together with procedures designed so that one employee’s mistake is not enough on its own to cause a breach, such as requiring independent verification before a help desk resets a password or grants access.

Human Persuasion

Social engineering relies on a comprehension of human behavior, as well as the ability to persuade others to release information or perform actions on the attacker’s behalf. Studies have revealed that humans have certain behavioral tendencies that are exploitable through subtle manipulation. There are some individuals who are naturally skilled in the art and science of manipulation, while others are able to develop this skill through practice and through positive (as well as negative) reinforcement. In social engineering attacks, perpetrators use these tendencies and motivators to encourage certain responses in the target victim.

Some of the human tendencies and motivators that social engineering attacks exploit include:

  • Fear of job loss or other personal embarrassment may cause an individual to release sensitive information if he/she believes it will prevent the unwanted outcome.
  • Desire for prestige (e.g. promotion, raise) might be stimulated in the target to induce boasting, which often results in inadvertent information release.
  • Overworked or tired employees tend to make mistakes, so it is often possible to predict when people are more likely to be susceptible to manipulation. For instance, attacks may be carried out during high stress times, such as the end of the month, end of the quarter, or around lunch hour.

Attack Cycle

As mentioned earlier, social engineering attacks are incredibly diverse. However, experts have observed a recognizable pattern, and an attack that follows it can be detected and interrupted at each stage. The social engineering attack cycle progresses through the following stages:

  1. Information Gathering – During this stage, attackers will use a variety of techniques and strategies to collect information about their targets. For instance, this can be the acquisition of a phone list, or accessing Social Security numbers, dates of birth, mothers’ maiden names, system architectures or organizational structures/procedures. This data will be used as a foundation for building rapport with the target victim, or someone connected to the target.
  2. Relationship Development – Attackers exploit people’s tendency to trust authorities or experts in order to develop a rapport with their targets. This can range from a single phone call, to building a relationship slowly over a number of weeks or months. The relationship with the victim places the attacker in a position where they are trusted.
  3. Relationship Exploitation – In this stage, the attacker manipulates the target into revealing sensitive information (e.g. credit card numbers, passwords, vacation schedules) or performing actions (e.g. reversing telephone charges, opening a new account) that would not normally happen. This action or information can be the attacker’s end goal, or it can feed the next stage of the attack cycle.
  4. Execution of Attack – At this point, the attacker uses what the earlier stages yielded to reach the final objective. Real attacks commonly chain several of these cycles together with traditional cracking methods and some physical information gathering.

Social Engineering in Action: HBGary Case

The 2011 breach of HBGary Federal, a small security firm that did work for US government agencies, is an infamous example of social engineering used alongside technical attacks. The Anonymous collective first got in through a flaw in the company’s public website and recovered the passwords of several executives from poorly protected password hashes; because those passwords had been reused elsewhere, the attackers gained control of executives’ email and Twitter accounts. The social engineering step came next: writing from the compromised email account of a company executive, the attackers asked the administrator of a related server to reset its root password and open remote access, and the administrator complied. Tens of thousands of internal emails, including those of the company’s CEO, were downloaded and posted on the internet, and the company’s website was defaced.

Summary

This article offers a closer look at social engineering attacks, which involve the manipulation of people, instead of technology, to defeat an enterprise’s security controls. They are treated here as advanced persistent attacks and rely on both technical knowledge and the ability to manipulate victims’ trust. The article introduces the social engineering attack cycle: 1) information gathering; 2) relationship development; 3) relationship exploitation; and 4) execution of attack. Finally, the article discusses the HBGary case, a 2011 breach in which the group Anonymous combined technical attacks with social engineering.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam and the Certification Foundation Course and Exam (Foundations), a privacy professional should be comfortable with topics related to this post, including:

  • Privacy expectations – consumer perspective, organizational practices (CIPP/IT; II.A.a.; II.A.b.)
  • Online security (Foundations; III.B.d.)
  • Privacy and email – commercial email (Foundations; III.B.i.i.)
  • Online social media and social networking services (Foundations; III.k.i.)