What is social engineering?

The weakest link in any organisation's information security is its own people. Attackers need information about a target before they can attack it, and one of the easiest ways to obtain that information is to have the target organisation's own staff hand it over. That is social engineering.

What is social engineering in IT security?

Social engineering is the set of techniques used to obtain confidential information: usernames and passwords, credit card numbers, trade secrets and so on. The information is obtained through deception and manipulation: the attacker induces the user to perform an action (reveal a password, open an attachment, visit a site) that discloses it.

It should not be confused with reverse social engineering, in which the attacker does not approach the victim directly but engineers a situation in which the victim comes to them and reveals the information voluntarily, without ever being asked for it. For example, the attacker may sabotage the victim's computer and present themselves as the person who can fix it; when the user asks for help, the attacker is given access to the information.

What is it used for?

It is used to obtain the information needed to carry out attacks on targets, to gain financial or business advantage, or simply to cause damage.

Types of social engineering

In social engineering, attackers use social skills to trick their victims and get personal information, such as credit card numbers, bank account details or confidential information regarding organisations or their ICT systems, and then launch attacks or commit fraud.

The types of social engineering are:

  • People-based: involves direct interaction with individuals, normally over the telephone. Under the pretext of being a legitimate or authorised person, e.g. a member of the IT Department, the attacker talks to people in the organisation to extract sensitive information. When done by voice call this fraudulent practice is known as vishing.
  • Computer-based: uses technology to obtain the information needed for the attack, e.g. e-mails that appear to come from a legitimate organisation and contain links to malicious sites that ask for the person's sensitive data. This deceitful technique is known as phishing.
  • Mobile-based: malicious apps that imitate popular apps and infect the device to harvest sensitive information, or SMS messages with links to malicious sites (the SMS variant of phishing, known as smishing).
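How a computer-based lure is built, and therefore how it can be spotted, is easier to see in code. The following is an added example, not code from the original article: a small Python filter that scans a raw e-mail for the classic phishing tells, namely a sender domain that is a look-alike of a trusted one, link text that shows one site while the href points somewhere else or to a bare IP address, and pressure wording in the subject or body. The two sample messages, the allow-listed domain, the confusable table and the urgency word list are all constructed placeholders for the demonstration, and the "registrable domain" helper is a deliberate simplification of what a real filter would do with the Public Suffix List.

```python
"""Scan a raw e-mail for common phishing indicators.

Added example, not from the original article. The messages, domains and
word lists below are constructed for the demonstration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of the organisation's own domains (placeholder).
TRUSTED_DOMAINS = {"example-bank.com"}
# Character substitutions commonly used to build look-alike domains.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}
# Pressure words typical of lures; a real deployment tunes this list.
URGENCY_WORDS = ("urgent", "verify", "locked", "suspended", "24 hours")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
URL_LIKE = re.compile(r"^(https?://|www\.)", re.IGNORECASE)

# Constructed sample: a lure imitating the bank, with a digit-for-letter
# sender domain and a link whose visible text hides a raw-IP target.
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
To: victim@example.org
Subject: Urgent: verify your account
Content-Type: text/html

<html><body>
<p>Your account has been locked. Please verify within 24 hours.</p>
<a href="http://198.51.100.7/login">https://www.example-bank.com/secure</a>
</body></html>
"""

# Constructed sample: a benign message from the real domain.
SAMPLE_LEGIT = """\
From: "Example Bank" <info@example-bank.com>
To: customer@example.org
Subject: Your monthly statement
Content-Type: text/html

<html><body>
<p>Your statement is ready.</p>
<a href="https://www.example-bank.com/statements">View statement</a>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a hostname: a crude stand-in for the Public Suffix List."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def normalise(host):
    """Undo common confusable substitutions so a look-alike matches the real domain."""
    for fake, real in CONFUSABLES.items():
        host = host.replace(fake, real)
    return host


def phishing_indicators(raw_message):
    """Return the list of indicators found in one raw message string."""
    msg = message_from_string(raw_message)
    found = []

    # Indicator 1: sender domain is a look-alike of a trusted domain.
    _display, addr = parseaddr(msg.get("From", ""))
    sender = registrable(addr.rpartition("@")[2])
    if sender not in TRUSTED_DOMAINS and normalise(sender) in TRUSTED_DOMAINS:
        found.append(f"look-alike sender domain: {sender}")

    # Indicators 2 and 3: link text shows one site, target is elsewhere / a bare IP.
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    parser = LinkExtractor()
    parser.feed(body)
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if IPV4.match(host):
            found.append(f"link to bare IP address: {host}")
        if URL_LIKE.match(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registrable(shown) != registrable(host):
                found.append(f"link text {shown} differs from target {host}")

    # Indicator 4: pressure language in the subject or the body text.
    plain = re.sub(r"<[^>]+>", " ", body)
    haystack = (msg.get("Subject", "") + " " + plain).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        found.append("urgency wording: " + ", ".join(hits))
    return found


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(sample) or ["no indicators"])
```

Run stand-alone, the script reports four indicators for the lure and none for the benign message. None of these checks is proof on its own (a marketing e-mail can be urgent, a legitimate newsletter can link through a tracking host), which is why a real mail filter scores them together and why user awareness remains the last line of defence.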

How can it be avoided?

The risk of a social engineering attack cannot be eliminated, but a series of basic security recommendations can be adopted to reduce it:

  1. Develop and deploy an IT security policy and the technical instructions and procedures to support it.

    a. User account and password management.
    b. Control physical access to the facilities.
    c. Control logical access to the systems and the network.

  2. Train and raise awareness among employees regarding the organisation's IT security instructions, procedures and policy and security best practices.
  3. Establish formal agreements with employees regarding the security policy, procedures, technical instructions, acceptable use of equipment, security best practices and possible penalties for not complying with them.
  4. Run awareness campaigns on social engineering, and run tests (for example simulated phishing campaigns) to measure how effective the organisation's measures actually are.

Social engineering attacks usually aim at sensitive data, most often a person's passwords or access codes and business information. The best defence in these cases is training and familiarity with security best practices.