Don’t Overlook Social Engineering

The confidence trickster has long been the bane of business. Whilst the Eiffel Tower may well have been “sold” a couple of times to unwitting marks, today’s con artists are increasingly likely to make their move online, though the scams are often just as exorbitant.

Social engineering is the art of exploiting fickle human nature to gain access to raw data, passwords, intellectual property, bank accounts, and other digital assets. By focusing on the human element, many of the technological protections that organisations put in place can be circumvented. Appeals to authority, greed or vanity, or simply exploiting people’s willingness to be helpful can all land an attacker with criminal access to lucrative digital assets.

Common types of social engineering attack include:

Phishing

The most prolific, this attack usually comes in the form of a fraudulent email that mimics an official email from a bank, boss or co-worker. The resulting email exchange is then used to gather snippets of information useful to the attacker, such as passwords or bank details, or to take the recipient to a link that installs malware on to the network.

Spear Phishing

The same as the above, except the target has been surveyed ahead of time, and efforts to con them out of data are carefully tailored to their circumstances. Such attacks might involve a lot of work on social media to identify and profile likely marks.

Water holing

This involves compromising a website that targeted users are known to visit. Whilst a mark is less likely to click on a link from an unsolicited email, they are more likely to click on a link on a website they trust. By scoping victims’ social media activity it’s possible to figure out sites they visit, whereupon links can be inserted into the compromised website. The user then clicks one of these links, downloads tailored malware to their computer, and unwittingly hands control of the network to the attacker.

Baiting

Sometimes access to a network can be gained without using the internet at all, at least initially. This technique involves installing some tailored malware on removable media, such as a USB flash drive, and leaving it where it can be found. When someone puts the flash drive into a computer on the network, the malware installs itself in the system and gives the attacker access to the network.

These are some of the most common social engineering approaches, but there are many others. The one thing they all have in common is exploiting human weaknesses to circumvent technological protections.

Many organisations have emphasised battling technological threats by improving their technology, testing for susceptibility to outside threats from the internet, and monitoring for network break-ins. However, to avoid the risks of a socially engineered network attack, more than this is required.

Cyber security employers are desperate for experienced social engineering experts

Owing to some fairly major and high-profile social engineering attacks, more and more attention is being paid to this field by employers who are waking up to the threat. A changing attitude within the industry has highlighted the skills gap suffered in the UK and made the case for improving the expertise of security professionals in this field.

If you are interested in transitioning from being an IT generalist to an information security specialist, then further training will be a must if you don’t have the prerequisite hands-on experience. As a part of this, in order to make yourself as hireable as possible, it’s well worth getting some practical experience or training that specifically deals with detecting and preventing social engineering cyber-attacks. A common gripe among hiring managers in information security is the tendency for candidates to focus on their knowledge of systems and software and overlook the human element of security.

Many cyber security courses now offer course material on social engineering to reflect the change in attitude as companies increasingly realise the risk; some courses focus on social engineering exclusively, whereas others include social engineering as a part of their wider generalist syllabus.

You can find a list of our social engineering courses here.

Courses that specialise in social engineering are an excellent choice for existing IT pros who are looking to expand upon their fledgling information security skill set, or whose careers have not led to much experience in this field. As employers overwhelmingly value experience, targeted training in this field can be very helpful in making your existing experience more relevant; increasing awareness of social engineering in the current and future workforce is a vital step in closing the skills gap faced by the UK.