Social engineering: How it’s used to gain cyber information

As society becomes more dependent on digital information and devices, social engineering will remain one of the greatest threats to any security system. In the context of information security, social engineering is an action or tool used by cyber criminals to get information from people about systems or personnel.  

By impersonating someone with the authority to access documents or configurations, cyber criminals use social engineering to get information like passwords, networks, devices, firewall information and much more. Social engineering can be done through the internet, email, or even a phone call. This technique takes a little longer depending on how strict the company's security policy is and how sensitive the information is. This is where the target template comes into play.

A target template is information about a target for a social engineering attack, be it one person or a corporation. The goal of the target template is to figure out what is attached to what. Who is in charge? Who holds the IT system administrator position? There are plenty of ways to access this information using specialized techniques that enable an individual to bypass security. These techniques have been further advanced by new software tools for penetration testing around social engineering.

A lot of old techniques such as tailgating, quid pro quo, and dumpster diving still work, as most people do not follow security regulations as vigorously as they should. Out of all of these techniques, pretexting is still one of the most effective.

Pretexting is creating an invented scenario to establish legitimacy in the victim's mind. Usually it is made up of an elaborate lie with a good amount of detail in order to establish legitimacy. Some social engineers do this by posing as an executive of the company they are trying to pilfer information from or posing as a friend of the person they are victimizing. By doing this, they establish the victim's trust, which makes it very easy to obtain their personal information. Here are some key indicators you should look out for to prevent yourself from becoming a victim.

If you receive an email from a friend with a link or download that you were not expecting to receive, double check with them to make sure it is legitimate. This is an easy way for social engineers to get your information, because once you click the link or download, they can gain access to your machine.

Beware of emails that appear to be “urgent,” ask for help, claim that you have won a prize, or require you to verify your information. These are all different schemes to get you to enter your information so quickly that you may not even second-guess what you are doing.

While social engineering attempts can be hard to spot, there is a way to stop them. First off, deploy a security program and frequently update it. You'd be surprised at how many companies still don't do this. Such a program includes anti-virus software, firewalls and email filters.

It's also important to have a set of security guidelines for when you're discussing information on the phone. If information is very sensitive and should only be accessed by a specific person, make the person come pick it up face-to-face. The same goes for password security. Under most security policies, not even a systems administrator will ask you for your password.

Burn bags and paper shredders will also create challenges for the dumpster diver who's looking for discarded sensitive information. If the information on documents is shredded then burned, there is no information for the social engineer to get.

When you receive unsolicited emails asking for specific information, make sure you do your research to ensure it is legitimate. If the message does contain a sense of urgency, slow down and take a second to think about what you're about to do, and confirm the sender and their intent; be extra cautious when clicking on links that you are not familiar with.
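
The email indicators described above (unexpected links or downloads, urgency, requests for help, prize claims, requests to verify information) can be checked mechanically to flag a message for confirmation with the sender before anyone acts on it. The following Python is an added example, not part of the original article; the phrase patterns, the `triage` function name and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Phrase patterns for the indicators the article lists (constructed, not exhaustive).
INDICATORS = {
    "urgency": re.compile(r"\b(urgent|immediately|right away|within 24 hours)\b", re.I),
    "help_request": re.compile(r"\b(need your help|please help|do me a favou?r)\b", re.I),
    "prize": re.compile(r"\b(you(?: have|'ve)? won|prize|winner)\b", re.I),
    "verify_info": re.compile(
        r"\b(verify|confirm|update) your (account|information|password|details)\b", re.I),
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed sample messages (not real mail).
SAMPLE_SUSPICIOUS = """\
From: "IT Helpdesk" <helpdesk@example.com>
Subject: URGENT: verify your account
Content-Type: text/plain; charset="utf-8"

Your mailbox will be suspended. Verify your password immediately at
http://login.example.net/verify to keep access.
"""
SAMPLE_BENIGN = "From: colleague@example.org\nSubject: Lunch on Thursday\n\nSee you at noon.\n"


def triage(raw_message: str) -> dict:
    """Return the indicators found in one RFC 5322 message, for a human to review."""
    msg = message_from_string(raw_message, policy=default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    links = URL_RE.findall(body)
    attachments = [part.get_filename() for part in msg.iter_attachments()]
    if links:
        hits.append("link")          # unexpected link: confirm with the sender
    if attachments:
        hits.append("attachment")    # unexpected download: confirm with the sender
    return {"from": str(msg.get("From", "")), "indicators": hits, "links": links,
            "attachments": attachments, "needs_verification": bool(hits)}


if __name__ == "__main__":
    for sample in (SAMPLE_SUSPICIOUS, SAMPLE_BENIGN):
        print(triage(sample))
```

A flagged message is not proof of an attack; the result only tells the recipient to slow down and confirm the sender and their intent through a separate channel.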

If the correct steps are taken and you are aware of which information is trustworthy versus which is not, you should be able to avoid social engineering hacks.