6.6 Explain the concept of and how to reduce the risks of social engineering.
Social engineering isn’t always used for negative purposes, but in the IT world today it has become a very popular way of gaining personal information and other data. Social engineering exploits normal human nature and behavior, which makes it one of the hardest attack techniques to combat. It works by convincing a user to perform an action, such as clicking a link, that then gives the attacker unauthorized access to personal and confidential information. Social engineering can occur in many different ways: through emails, phone calls, and other methods. Email hoaxes are the most commonly seen today. No matter the method, the intention of every social engineering attack is to convince the user (the victim) to reveal information that would otherwise not be shared.
Social engineering can grant an attacker access to all sorts of information, including names, addresses, contact information, credit card numbers, email addresses, and so on.
Phishing – Phishing attacks are mostly aimed at stealing someone’s identity or credentials. With phishing the attacker is basically “fishing for information,” hence the name. Phishing attacks can take place in various forms and over many types of communication, including emails, phone calls, instant messaging, forums, message boards, and other channels.
Hoaxes – Hoaxes convince a user to complete a certain action that then lowers their IT security. Hoaxes usually take the form of emails that instruct victims to complete a certain action in order to protect themselves, such as “click this link to download a program to rid your computer of viruses.” Hoaxes are often seen in emails and spread through the success of having victims forward the hoax email to friends and relatives. Malicious software linked to a hoax can do all sorts of damage to a computer, including deleting boot files and folders as well as installing registry keys and other virus-infected files.
Shoulder surfing – Shoulder surfing doesn’t require direct contact with a victim. Instead, the attacker observes the target entering information on a keypad or keyboard. Looking over the victim’s shoulder to watch keystrokes is the easiest method, though some attackers may use cameras, binoculars, and other tools to get sight of confidential information such as PINs, entry codes, credit card numbers, and other data. Being aware of your surroundings is the best way to combat shoulder surfing.
Dumpster diving – Sifting through dumpsters, trash cans, and other waste receptacles is what is generally considered dumpster diving. From a computer user’s standpoint, dumpster diving involves an attacker going through specific locations to gather and use information from printouts such as printed emails, documents, spreadsheets, and so on. Dumpster diving can be easily countered through the use of a pre-set disposal plan where documents are shredded, burned, or sent to a company for proper disposal.
User education and awareness training – Combating the effectiveness of social engineering can be hard, as the attack technique has become so sophisticated and almost natural. The best way to help fight social engineering attacks is to educate users and keep them up to date on social engineering trends. This means educating users on the importance of only opening emails from known or expected senders, avoiding clicking unknown links, keeping personal email use to a minimum, avoiding opening spam emails, being aware of their surroundings, and only sharing information with those who need it. Users should know what social engineering is and should be well aware of the tell-tale signs of an attack. Some businesses may opt to run social engineering drills, where situations are pre-set to see how well users understand the importance of being aware and how much educating them has or has not helped.
Though user education and awareness is ongoing and advancing, and is definitely a necessary part of the battle against the effectiveness of social engineering and the risks it brings, recent studies have shown that education and training is not a true cure for social engineering. In fact, these studies showed that employees are still very likely to click on infected links and files from emails. The nature of human curiosity and the convincing tone of most social engineering attacks are what make the method so reliable and effective for those looking to gain personal information and data.
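Because users keep clicking even after training, a technical control that flags the tell-tale signs described above (fear or urgency wording, a request to forward the message, and links whose visible URL or destination does not match the sender) gives them a second chance. The scorer below is an added example written for this page, not code from the original post; the phrase lists, the `phishing_indicators` function, and the two sample messages are all constructed and hypothetical.

```python
import re
from urllib.parse import urlparse

# Hypothetical indicator lists (added example, not from the page): the fear/urgency
# wording of the hoax described above, and requests to forward the message on.
URGENCY_PHRASES = ("immediately", "act now", "account will be closed",
                   "rid your computer of viruses")
FORWARD_PHRASES = ("forward this", "send this to all", "pass this on")
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def _host(url):
    """Hostname of a URL; a bare 'www.example.com/x' is treated as http."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def phishing_indicators(sender, subject, body_html):
    """Return the sorted tell-tale signs found in one message (empty if none).
    Simple string matching over a constructed message; not a production filter."""
    text = re.sub(r"<[^>]+>", " ", subject + " " + body_html).lower()
    found = set()
    if any(p in text for p in URGENCY_PHRASES):
        found.add("urgency-or-fear")
    if any(p in text for p in FORWARD_PHRASES):
        found.add("asks-to-forward")
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    for href, visible in ANCHOR.findall(body_html):   # naive anchor scan is enough here
        visible, link_host = visible.strip(), _host(href)
        if LOOKS_LIKE_URL.match(visible) and _host(visible) != link_host:
            found.add("link-text-mismatch")   # URL shown is not where the link goes
        if link_host and not (link_host == sender_domain
                              or link_host.endswith("." + sender_domain)):
            found.add("link-offsite")         # link leaves the sender's own domain
    return sorted(found)

# Constructed sample messages (sender, subject, HTML body) for a stand-alone run.
HOAX = ("support@free-antivirus-alerts.example", "Virus warning - act now",
        '<p>Your computer is infected! Click <a href="http://dl.example.org/clean.exe">'
        'http://secure.bank.example/clean</a> to rid your computer of viruses. '
        'Forward this to all your friends.</p>')
NEWSLETTER = ("news@example.com", "Monthly update",
              '<p>Read the notes at <a href="https://www.example.com/notes">'
              'www.example.com/notes</a>.</p>')

if __name__ == "__main__":
    print(phishing_indicators(*HOAX))        # four indicators
    print(phishing_indicators(*NEWSLETTER))  # []
```

The hoax message trips all four checks while the newsletter trips none; in practice such a scorer would feed a mail gateway or a warning banner rather than block on its own, since phrase lists are easy to miss and easy to over-match.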