What Does Social Engineering Mean?
Social engineering is an umbrella term for any attack that manipulates people rather than technology. It exploits trust, the willingness to be helpful, deference to authority, or a manufactured sense of urgency to get a person to do something they should not. A successful attack depends on whether the attacker can trick someone into making a mistake, not on a flaw in software.
The purpose of a social engineering attack is to obtain something the attacker can use against a digital or physical target: most often valid credentials, but also confidential information, physical entry, or an action such as a payment or a password reset. This attack vector relies on the attacker's soft skills to gain initial access and on technical skills to move further or escalate privileges once inside.
Social engineering was initially associated with the social sciences. However, the way it is used today is most often in reference to cyber and physical security.
Techopedia Explains Social Engineering
Social engineering is as dangerous and harmful as any other cybersecurity attack. It sidesteps technical controls entirely: the victim performs the action with their own legitimate access, so firewalls and patched systems do nothing to stop it, and a single tricked user can hand an attacker a working account.
Types of Social Engineering Attacks
Spear phishing is a common social engineering technique. For example, a phisher may send an email to addresses at a target company asking a user to verify security information. The email is made to appear legitimate and to come from the IT staff or senior management, along with a warning of major consequences if the required information is not provided. As with a regular phishing attack, the victim clicks a link that goes to a site the attacker set up to gather the sensitive information, generally with the look and feel of the real website. After obtaining the information, the attacker can access the company's network using a legitimate login. The usual tells are a sender or link domain that merely resembles the company's real domain, a Reply-To that points elsewhere, and pressure to act immediately; phishing-resistant multi-factor authentication limits the damage when a password is captured anyway.
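The following is an added example, not code from the original article: a small Python checker that parses an e-mail and flags the spear-phishing tells described above (sender domain that is not the company's, Reply-To redirected to a third domain, look-alike link hosts, link text that hides a different href, and urgency language). The organization domain `example.com`, the two sample messages, and the thresholds are assumptions constructed for illustration.

```python
"""Heuristic spear-phishing checks over a single RFC 5322 message.

Added example for illustration; not part of the original article.
The organization domain, word list and sample messages below are assumptions.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the organization's legitimate mail and web domain.
ORG_DOMAIN = "example.com"

# Assumed: phrases typical of a credential-harvesting lure.
URGENCY_WORDS = ("immediately", "within 24 hours", "suspended", "verify", "final notice")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); adequate for .com-style hosts."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of_address(header_value):
    """Domain part of the first address in a From/Reply-To header."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def analyze(raw_message):
    """Return a list of human-readable findings; empty list means nothing suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_domain = domain_of_address(msg.get("From", ""))
    reply_domain = domain_of_address(msg["Reply-To"]) if msg.get("Reply-To") else from_domain

    # 1. Poses as internal IT/management but is sent from another domain.
    if registrable_domain(from_domain) != ORG_DOMAIN:
        findings.append(f"sender domain {from_domain!r} is not {ORG_DOMAIN!r}")
    # 2. Replies are quietly routed to a third domain.
    if reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""

    extractor = LinkExtractor()
    extractor.feed(text)
    for href, shown in extractor.links:
        host = urlparse(href).hostname or ""
        reg = registrable_domain(host)
        # 3. Look-alike host: carries the org name but is a different registrable domain.
        if reg != ORG_DOMAIN and ORG_DOMAIN.split(".")[0] in host:
            findings.append(f"look-alike link host {host!r}")
        # 4. Visible text shows one URL while the href goes somewhere else.
        shown_host = urlparse(shown).hostname if shown.startswith("http") else None
        if shown_host and registrable_domain(shown_host) != reg:
            findings.append(f"link text {shown!r} hides href host {host!r}")

    # 5. Pressure language: two or more lure phrases in one message.
    hits = [w for w in URGENCY_WORDS if w in text.lower()]
    if len(hits) >= 2:
        findings.append(f"urgency language: {hits}")
    return findings


# Constructed sample lure, matching the pattern in the paragraph above.
SAMPLE_PHISH = """From: IT Helpdesk <helpdesk@example-it-support.com>
Reply-To: verify@mail-check.net
To: alice@example.com
Subject: Action required: verify your security information
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Your account will be suspended within 24 hours unless you verify your details immediately.</p>
<p><a href="http://example.com.login-verify.net/sso">https://sso.example.com/login</a></p>
"""

# Constructed benign internal notice for comparison.
SAMPLE_LEGIT = """From: IT Helpdesk <helpdesk@example.com>
To: alice@example.com
Subject: Scheduled maintenance this weekend
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>The VPN will be unavailable Saturday 02:00-04:00. Details on the <a href="https://intranet.example.com/maintenance">intranet</a>.</p>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_PHISH):
        print("PHISH:", finding)
    print("LEGIT findings:", analyze(SAMPLE_LEGIT))
```

The checks are deliberately simple string and domain comparisons so the logic is easy to audit; a production mail filter would add SPF/DKIM/DMARC results and a proper public-suffix list, but even these five heuristics catch the lure described above while leaving the routine maintenance notice alone.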
Dumpster diving refers to a literal search of an organization's garbage for information that can be used to access a company's network. Companies often discard sensitive material, including system manuals, network diagrams, and printed credentials, which give an intruder the details needed to target information systems. In some cases, intact, unwiped hard drives holding extremely sensitive information are discarded, allowing a dumpster diver to simply boot them up and read the data. Shredding documents and sanitizing or physically destroying storage media before disposal closes this avenue.
Importance of Security Awareness Training
Cybersecurity is everybody’s responsibility. It can be difficult to keep employees up-to-date about the latest phishing, smishing, spear phishing, business email compromise (BEC) or ransomware attacks. That's where security awareness training comes in.
A breach initiated through social engineering can occur in any department at any time. Security awareness training keeps these attacks top-of-mind and, because many compliance frameworks require it, helps reduce your organization's compliance burden.
Social Engineering Quiz Questions
Start by asking some basic questions like the ones below* and then organize future trainings based on knowledge gaps.
1. What best practices should you apply to personal and professional social media use?
a. Regularly review and update privacy settings
b. Speak your mind about anything without concern
c. Follow all applicable laws and your organization’s policies
d. Never post confidential information about customers, patients, or clients
e. Remove all privacy settings to reach a broader audience
The correct answers are a, c and d.
Feedback: Regardless of whether you use social media for entertainment or you are responsible for your employer’s online presence, you should follow all applicable laws and policies for using these platforms, review and update privacy settings regularly (as they may be different for each platform and are subject to change), and never post confidential information, like financial information or a healthcare patient’s protected health information (PHI). You should always be mindful of what you post, including content that could be taken out of context, be misused, or be harmful to someone else. And it is unwise to remove all privacy settings, even if you’re trying to go viral. Effective social media policies and associated training can help organizations of all sizes support their workforce while promoting security.
2. What should you do if you have been targeted by a social engineering attack?
a. Know your organization’s policies and procedures for reporting social engineering
b. Avoid clicking suspicious links or opening suspicious attachments
c. Hold the door open for all guests to your office to be polite
d. Verify with whom you are speaking by way of another source before providing personal information
e. Avoid reporting a lost or stolen badge until you’re sure it’s missing
The correct answers are a, b and d.
Feedback: In a social engineering attack, someone tries to take advantage of our natural desire to trust and help others. Unlike traditional hacking, an attacker uses their social skills to obtain or compromise information about an organization or its computer systems. Social engineering attacks can occur through email, over the phone, through text messages, and even in person. You should understand your organization’s policies and procedures, avoid clicking suspicious links or opening suspicious attachments, and verify callers before providing personal or confidential information. You should not hold access-enforced doors open for others or wait to report a missing badge that could be used to access the building or to blend in. Effective defenses against social engineering include ensuring your workforce understands and is prepared to respond to these various types of attacks.
3. What types of threats should you be aware of to better protect your organization and its information systems?
a. Viruses
b. Malware
c. Social Engineering
d. Human Error
e. Theft of company assets
The correct answer is all of the above.
Feedback: All the choices listed are threats to an organization, including viruses, malware, social engineering, human error, and theft of company assets. Security awareness training helps employees learn about common social engineering attacks and how to support security safeguards.
4. Which of the following can you do to better support security in your organization?
a. Use strong passwords that are long, complex, and unique
b. Work from home on the weekends without authorization
c. Install software updates
d. Use multi-factor authentication to secure your accounts
e. Allow a roommate to borrow your work laptop to check their email
The correct answers are a, c and d.
Feedback: Security best practices include strong passwords, installing patches and software updates, and using multifactor authentication to secure your accounts. You should only work from home if permitted, and company assets should not be used by non-employees. Securing an organization’s data requires a proactive approach towards security. It is important that all users with access to sensitive information understand the safeguards required to protect it. Effective training and awareness campaigns help to reinforce these safeguards.
*Editor's note: We'd like to thank Kuma for the quiz questions above.