The dictionary definition of SOCIAL ENGINEERING, for the purposes of information security, is:
“the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.”
As the accepted dictionary definition suggests, there is an array of techniques and tools used to mount a social engineering attack or deception against an organisation.
Some of these you may have heard of:
Phishing (malicious emails)
Vishing (phishing over the phone - voice phishing)
SMiShing (phishing via SMS/text message systems)
Impersonation
Anyone involved in security understands that human behaviour is a key element of security process design. It is key to ensuring that the policies and procedures developed to protect an organisation’s critical information are followed and adhered to. Attackers (hackers, scammers, fraudulent actors, pentesters and con artists) all focus on exploiting not just the technical aspects of an organisation, but also the cognitive vulnerabilities of its workforce, through deception and social manipulation. Professional 'human hackers', or more accurately social engineering professionals such as Jenny Radcliffe, have been explaining this attack approach for some time.
Using social engineering techniques to gain valuable corporate information can be a lucrative undertaking. See the article below regarding Robert Kerbeck.
Social engineering is one of the easiest routes to sensitive data, especially when workforce members haven’t been trained in how to recognise and combat it. Social engineering is less predictable than regular network hacking attacks. Everyone who works for your organisation is a potential target, from the receptionist to management. Unfortunately, your workforce is liable to make mistakes; humans are fallible. With regular and meaningful interactive social engineering training, however, you can stop most social engineering attacks from succeeding.
SIASS offers a social engineering awareness briefing that can be delivered to organisational personnel. The purpose is simply to raise awareness and 'prime' employees to consider social engineering attack methods when conducting their roles.
For more information, please contact us.