After working in the information technology and services industry for a while now, it has become clear that one of the main causes of a cyber-attack is simply human error.
Human error is a threat to a company's assets because personnel often lack awareness of cybersecurity and of the mechanisms that protect data.
Attackers manipulate and deceive employees into believing they are dealing with a legitimate entity so that the employees hand over sensitive or confidential information. That information may help the attacker gain access to the system, escalate privileges, reach their target and achieve their intended goal; this form of attack is called Social Engineering.
Social Engineering consists of a number of techniques that attackers may use to gain access to the desired system. One of the most popular Social Engineering attacks is Phishing.
Phishing by definition is the act of impersonating a legitimate entity and luring individuals into giving out personally identifiable information by emailing, calling or texting them. Employees unaware of this type of attack will be convinced that the email or text message they received is genuine, and might provide information about themselves or about the company.
Emails sent by the attacker contain a link to a website that looks exactly like the original one. When the employee clicks the link, they are redirected to a page customized by the attacker that asks for input, which is saved and sent to the attacker. Other emails might include a malicious attachment which, when the user downloads it, installs malware on the device that then starts spreading across the network.
Spear phishing is used more often when targeting a company, as it consists of a carefully designed and crafted email, built from public information available on social media, which is sent with the sole purpose of getting a single individual to respond. One response can be enough for the attacker to achieve their goal.
Some attackers impersonate the CEO and send emails to the finance department asking them to transfer money urgently or requesting account information.
The impact social engineering can have on a company or organization is high. A mistake by one employee can cause a data breach or a malware infection across the whole system, which costs a huge amount of money to recover from.
Recommended countermeasures that an organization can use to minimize the impact of a social engineering attack consist of:
- Conducting security awareness sessions regularly for employees, covering this topic and the consequences that follow.
- Constructing security regulations for employees to follow in these situations.
- Deploying strong security defense mechanisms in the company's infrastructure.
- Email filtering to detect phishing emails and mark them as spam.
- Physical security, as social engineering doesn't only consist of emails and phone calls but can also be done in person.
- Establishing a strong incident response plan in case a breach occurs.
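As an added example of the email-filtering countermeasure (not code from the original post), the following Python script applies three checks a filter can run before a message reaches the finance team: an executive's display name on an address outside the company (the CEO impersonation described above), a sender or link domain one or two characters away from the company's own, and link text that shows a different host than the href actually points to (the cloned website). The trusted domain, the executive name and the sample message are all constructed; only the standard library is used.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
TRUSTED_DOMAINS = {"example-corp.com"}  # constructed: the company's own mail domain
EXECUTIVES = {"jane doe"}               # constructed: display names attackers like to borrow

def edit_distance(a, b):
    """Levenshtein distance; one or two edits is the usual lookalike-domain budget."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain):
    """True when the domain is close to, but not exactly, a trusted domain."""
    return domain not in TRUSTED_DOMAINS and any(edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS)

def analyse(raw):
    """Return human-readable findings for one raw message; an empty list means clean."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    # CEO-fraud pattern: an executive's display name on an address outside the company
    if name.strip().lower() in EXECUTIVES and sender_domain not in TRUSTED_DOMAINS:
        findings.append(f"display name '{name}' sent from external domain {sender_domain}")
    if is_lookalike(sender_domain):
        findings.append(f"sender domain {sender_domain} resembles a trusted domain")
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace")
    # Link text shows one host while the href points at another (the cloned site)
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        host = (urlparse(href).hostname or "").lower()
        shown = re.sub(r"^https?://", "", text.strip()).split("/")[0].lower()
        if shown and shown != host:
            findings.append(f"link text shows {shown} but points to {host}")
        if is_lookalike(host):
            findings.append(f"link target {host} resembles a trusted domain")
    return findings
# Constructed sample: a CEO-fraud mail with a lookalike sender and a cloned login link
SAMPLE = """From: Jane Doe <jane.doe@example-c0rp.com>
Subject: Urgent transfer
Content-Type: text/html

<p>Approve it today at <a href="https://example-c0rp.com/login">https://example-corp.com</a>.</p>
"""
```

Running `analyse(SAMPLE)` yields four findings for the constructed message, while a mail from the real domain whose link text and target agree yields none; a real filter would feed such findings into its spam score rather than block on any one of them.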
Author: Bassam Saffarini.