This is the first post of a three post series about the dangers of Social Engineering. This first post discusses the true weak link in IT Security: the human. The second entry will be the dangers of Social Engineering itself and the final post will be ways to protect yourself, and educate others in your office on how to avoid becoming victims.
In the wonderful new world of BYOD (Bring Your Own Device), IT Security has seen a rapid shift in its processes and in how it must protect end users. Security software layers are porous; endpoint antivirus and firewalls are only as effective as the people maintaining them. There is no perimeter left with BYOD: your employee is your perimeter. Today what you need is a human firewall.
There are many ways a potential hacker can attempt to circumvent your network defences, and security software can only go so far. By far the most effective attacks are what are called Phishing and Spear Phishing, both of which rely on Social Engineering.
A whopping 91% of cyberattacks, and the data breaches that result from them, begin with a “Spear Phishing” email, according to research from security software firm Trend Micro. This conclusively shows that computer users, not the systems themselves, really are the weak link in IT security.
Phishing and Spear Phishing are techniques for fraudulently obtaining private information. Phishing can be considered a ‘spray and pray’ attack: mass e-mail thousands of accounts and hope for a few bites. Spear Phishing is a targeted attack that employs tricks which amount to Social Engineering.
One example of a spear phishing attack that I read about recently described someone obtaining access to the Chief Executive Officer’s e-mail account and e-mailing a senior accountant to complete a wire transfer for him while he was away. The e-mail was written to sound exactly like the CEO. There was only one discrepancy: the hacker signed the e-mail with the CEO’s first name. The accountant had received enough e-mails from the CEO to know that he never used his first name. This is what caused the e-mail to be questioned and the attempt thwarted.
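The tell in that story, a sign-off the CEO never used, is something a mail filter can check as well as a person. As an added illustration (not code from the original post), this Python snippet builds a per-sender baseline of sign-off names from constructed sample messages and flags a payment request whose sign-off breaks the sender's habit; the executive's name, the closing phrases and the messages are all invented.

```python
import re

# Constructed sample data, not taken from the post: three earlier messages
# sent from the executive's account, used to learn how they normally sign off.
HISTORY = [
    "Please review the Q3 numbers before Friday.\n\nThanks,\nJ. Morgan\nChief Executive Officer",
    "Can we move the board call to 3pm?\n\nRegards,\nJ. Morgan",
    "Approved. Go ahead with the vendor contract.\n\nThanks,\nJ. Morgan\nCEO",
]

# Closing phrases that usually precede a sign-off name (assumed list).
CLOSINGS = re.compile(r"^(thanks|thank you|regards|best regards|best|cheers|sincerely),?$", re.I)
# Wording typical of a wire-fraud request (assumed list, tune to your own mail).
PAYMENT_TERMS = re.compile(r"\b(wire transfer|wire|transfer funds|payment|invoice|urgent|immediately)\b", re.I)


def signoff_name(body):
    """Return the line following a closing phrase, e.g. 'J. Morgan' after 'Thanks,'."""
    lines = [line.strip() for line in body.splitlines() if line.strip()]
    for i, line in enumerate(lines[:-1]):
        if CLOSINGS.match(line):
            return lines[i + 1]
    return None


def build_baseline(messages):
    """Collect the sign-off names a sender has actually used in past mail."""
    return {name for name in map(signoff_name, messages) if name}


def assess(body, baseline):
    """Flag a message that asks for money while signing off in an unfamiliar way."""
    name = signoff_name(body)
    known = name in baseline
    money = bool(PAYMENT_TERMS.search(body))
    return {
        "signoff": name,
        "matches_baseline": known,
        "payment_request": money,
        "suspicious": money and not known,
    }


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    fraud = ("I am travelling and cannot take calls. Please complete the wire transfer "
             "to the new supplier today.\n\nThanks,\nJohn")
    print(assess(fraud, baseline))  # suspicious: payment request signed 'John', never seen before
```

A real deployment would key the baseline on the sender address and refresh it continuously; the point here is that a style deviation combined with a payment request is a cheap, explainable signal to route the message for a second look.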
Now, this doesn’t mean that Anti-Virus and Anti-Spam are irrelevant. Yes, their effectiveness has decreased over the years, but they still offer an important layer of protection. Viruses like the infamous CryptoLocker are still making the rounds, and modern anti-virus software uses increasingly sophisticated methods to detect them. Most social engineers, however, are not even looking for a technical vulnerability. They are targeting you, the human.
I won’t go into detail about the different ways Anti-Virus and Anti-Spam sniff out malicious e-mails and documents; that can be a conversation for another day. The effects of many viruses can be negated by rigorous backup practices. Social Engineering can have much more devastating consequences.
In my next post, I will discuss what Social Engineering is and the forms in which it can present itself to you and your users.