Today information security is one of the greatest concerns of all developers, testers and common users. QA engineers perform testing in order to reveal security flaws and vulnerabilities. Nevertheless, even a high security system can be hacked as it is operated by a human being. For this purpose a special technique is used – social engineering. The article by Anna Andreeva, security testing engineer.
In information security and its offshoot of security testing, the term “social engineering” is used to describe the science and art of psychological manipulation. Social engineering is used to collect data, get confidential information, access systems, etc. According to statistics, 55% of losses related to violation of information security are caused by employees. This number is large enough to pay our attention to the attacks on the human factor.
The psychological manipulation has a number of peculiarities:
- No considerable expenses
- No special knowledge
- Long duration
- Difficult to monitor (no logging)
A human’s mind sometimes is much more vulnerable, that a complicated system. That is why social engineering is aimed at obtaining information with the help of a person, especially in the cases when a system can’t be accessed (e.g. a computer with vital data is disconnected from the network).
A common approach to attacks includes the following steps:
- Gathering facts (often using social networks)
- Developing a relationship of trust
- Suppression of traces
The general principle of an attack is a misrepresentation. To fish for information social engineers use a variety of tactics and schemes aimed at the emotions, weakness, or other personal characteristics, such as:
- Empathy and compassion
- Greed and a desire for quick results
- The fear of the authorities
The most widely used social engineering schemes
Phishing scams are the most common attacks. They aim to gain access to sensitive user data – login and password. Some phishing emails are poorly crafted as their messages often contain mistakes. Nevertheless, these emails are focused on directing victims to a false website where they need to enter login credentials and other personal information.
Pretexting attacks are used to develop a sense of trust using a made-up scenario. As a result, a person gives certain information, or performs a specific action. This type of attack is usually carried out on the phone. This technique often requires no prior research.
This technique exploits the curiosity or greed of the potential victim. The attacker sends an e-mail with an important anti-virus update or a free movie attached. This technique remains effective until users blindly click any hyperlink.
Quid pro quo
These attacks promise a benefit in exchange for facts. For example an attacker can call a company and under the pretext of technical support propose to install the “necessary” software. Once the victim agrees to install the software the attacker gains an access to the confidential data.
Tailgating (also called “piggybacking”) is a method to enter a restricted area simply walking behind a person who has legitimate access. Tailgating can’t be applied in companies where employees have to swipe a card to open the door.
It is evident that social engineering results in the number of such grave problems as financial and reputational losses and information leak. For this reason it is vital to take all the measures to resist it.
If you don’t want to become the next victim of social engineers remember the following rules of protection:
- Don’t use the same password for authorization in external systems and the company’s account.
- Do not open emails from untrusted sources.
- Lock your computer anytime you leave your workplace.
- Install anti-virus software.
- Know your company’s privacy. All employees should be instructed on how to behave with visitors. If you meet a stranger wandering through the building alone, you should have the necessary instructions.
- Disclose over the phone and in person conversation only the really necessary data.
- All documents on the projects should be removed from the portable devices.
If you still believe that social engineering doesn’t worth attention read about Victor Lustig (the man who sold the Eiffel Tower twice) or Robin Sage (the fictional femme fatale that gained access to secret information using social networks).