Social Engineering: Everything you need to know.

Social engineering


What is Social engineering?

Social engineering is a method of obtaining the necessary access to information based on the characteristics of human psychology. 

The main goal of social engineering is to gain access to confidential information, passwords, bank data, and other security systems. 

Although the term social engineering appeared not so long ago, the method of obtaining information in this way has been used for quite some time. 


CIA and KGB officers who want to get some state secrets, politicians, and candidates for deputies, and we ourselves, if we want to get something, often without even realizing it, we use methods of social engineering.

In order to protect yourself from the effects of social engineering, you need to understand how it works. Consider the main types of social engineering and methods of protection against them.

Types of Social engineering attacks


Pretext: Pretext is a set of actions worked out according to a specific, pre-compiled scenario, as a result of which the victim can give out any information or perform a certain action. Most often, this type of attack involves the use of voice tools such as Skype, phone, etc.


To use this technique, an attacker must first have some information about the victim (employee’s name; position; the name of the projects with which he works; date of birth). 

An attacker initially uses real-world queries with the name of the company’s employees and, after gaining confidence, receives the information he needs.

Phishing: Phishing is an Internet fraud technique aimed at obtaining confidential user information - authorization data of various systems. 

The main type of phishing attack is a fake email sent to the victim, which looks like an official letter from a payment system or bank. 

The letter contains a form for entering personal data (pin codes, login, and password, etc.) or a link to a web page where such a form is located. 

The reasons for the victim’s confidence in such pages can be different: account lockout, system breakdown, data loss, etc.

Trojan horse: This technique is based on the curiosity, fear, or other emotions of users. The attacker sends a letter to the victim via e-mail, in the attachment of which there is an “update” of the antivirus, a key to a monetary gain or compromising information on an employee. 

In fact, the attachment contains a malicious program that, after the user launches it on his computer, will be used by an attacker to collect or modify information.

Qui about quo (service for service): This technique involves an attacker contacting a user by e-mail or corporate phone. 

An attacker may introduce himself, for example, as a technical support officer and inform about the occurrence of technical problems at the workplace. 

Then he reports on the need to eliminate them. In the process of “solving” such a problem, the attacker pushes the victim to take actions that allow the attacker to execute certain commands or install the necessary software on the victim’s computer.

Travel apple: This method is an adaptation of a Trojan horse and consists in the use of physical media (CD, flash drives). 

An attacker usually throws such a carrier in public places on the company's territory (parking lots, canteens, employees' workstations, toilets). 

In order for an employee to become interested in this medium, an attacker can put the company logo and some signature on the medium. For example, “sales data”, “employee salary”, “tax report” and more.

Reverse social engineering: This type of attack is aimed at creating a situation in which the victim will be forced to turn to the attacker for "help." 

For example, an attacker can send an email with the phones and contacts of the “support service” and after some time create reversible problems in the victim’s computer. 

In this case, the user will call or contact the attacker by e-mail himself, and in the process of “fixing” the problem, the attacker will be able to obtain the data he needs.


How to recognize social engineering techniques


You should beware of any unsolicited offers of help, especially those that offer links from third parties. 

As a rule, in such cases, we are talking about the tricks of social engineering. This rule is all the more relevant if the user is required to provide credentials or banking information.

In this case, there is no doubt about fraud, as self-respecting financial institutions will under no circumstances request credentials via email. mail. In addition, we strongly recommend that you check the sender's address of your suspicious email message. mail and make sure its legitimacy.

How to protect yourself from social engineering

The main way to protect against social engineering methods is to train employees. All company employees should be warned about the danger of disclosing personal information and confidential company information, as well as ways to prevent data leakage. 

In addition, each employee of the company, depending on the division and position, should have instructions on how and on what topics you can communicate with the interlocutor, what information can be provided for the technical support service, how and what the employee of the company must inform in order to receive one or other information from another employee.

User credentials are the property of the company.


It should be explained to all employees on the day of hiring that the usernames and passwords that were given to them cannot be used for other purposes (on websites, for personal mail, etc.), transferred to third parties or other company employees, who are not entitled to it. 

For example, very often, while on vacation, an employee can transfer his authorization data to his colleague so that he can do some work or see certain data at the time of his absence.



It is necessary to conduct introductory and regular training for company employees aimed at improving knowledge of information security.


Conducting such briefings will allow company employees to have up-to-date information on existing methods of social engineering, and also not to forget the basic rules on information security.

Mandatory is the existence of safety regulations, as well as for instructions to which the user should always have access. The instructions should describe the actions of employees in the event of a particular situation.

For example, in the regulation, it is possible to prescribe what needs to be done and where to go when trying a third party to request confidential information or credentials of employees. 

Such actions will allow you to calculate the attacker and prevent information leakage.

Employees should always have up-to-date antivirus software on their computers.


You must also install a firewall on employee computers.

In the corporate network of the company, it is necessary to use systems for detecting and preventing attacks.


It is also necessary to use confidential information leakage prevention systems. All of this will reduce the risk of phytic attacks.

All employees should be instructed on how to behave with visitors.


Clear rules are needed to establish the identity of the visitor and his accompaniment. Visitors should always be accompanied by one of the company employees. 

If an employee meets a visitor unknown to him, he must inquire in the correct form what purpose the visitor is in this room and where is his escort. If necessary, the employee must inform the security service about the unknown.

It is necessary to limit the rights of the user in the system.


For example, you can restrict access to web sites and prohibit the use of removable media. Indeed, if an employee cannot get to a phishing site or use a flash drive with a “Trojan” on a computer, then he will not be able to lose personal data.

Based on all of the above, we can conclude: the main way to protect against social engineering is to train employees. It is necessary to know and remember that ignorance does not exempt from responsibility. Each user of the system should be aware of the dangers of disclosing confidential information and know-how to help prevent leakage. Forewarned is forearmed.

Books on social engineering

Here are some books on social engineering from which you can learn about social engineering in detail.

Kevin Mitnick "Ghost in the wire".

Social engineering the art of human hacking.

Kevin Mitnik, William Simon “The Art of Deception”.

Remember that everyone is able to master the art of controlling the actions of others, but these skills must be used for the benefit of people. Sometimes it’s useful and convenient to guide a person and push him toward solutions that are advantageous to us. But it is much more important to be able to identify social hackers and deceivers, so as not to become their victim; much more important and not to be one of them yourself. We wish you wisdom and useful life experience.

Some frequently asked questions on Google


Q. Is social engineering is illegal?

A. Yes, Social engineering is illegal if you are doing this in an illegal way. If you have mastered yourself in social engineering by reading books of famous hackers. Then you must use this technique to benefit the people.

You must be thinking about how to benefit people from social engineering. You can provide awareness about social engineering and must give people ideas about how to tech protective measures against social engineering attacks or how to protect yourself from social engineering,

Q. Why do people or hackers use social engineering?

A. People or hackers use social engineering to exploit a human vulnerability in order to gain personal and sensitive information about the particular human which is an illegal activity.

Q. Types of social engineering attacks?


We have given a detailed explanation of the types of social engineering attacks above.

The types of social engineering attacks are as follows:

A. 1. pretext.

2. Trojan horse.

3. Phishing.

4. Qui about Quo.

5. Travel apple.

6. Reverse social engineering.
  

Q. What are social engineering skills?

A. You can develop and know about social engineering skills by reading the books that we have mentioned above.


Conclusion

The purpose of this article is to create awareness about social engineering attacks. Because nowadays these attacks are being performed on a large scale. 

The attack method could be anything by the way you can read the books that we have mentioned above. Because those books are written by the world's best hackers.

Post a Comment

Previous Post Next Post