How the neglect of the human factor of security has contributed towards the increase in social engineering attacks – Part 1
By Jamil Jaward - Mar 2019
A 2015 survey by McAfee found that 97 percent of consumers could not identify phishing emails (Source: McAfee). This suggests that while most of us are aware of what a phishing email is, we are bad at avoiding them in practice, because scam artists are perfecting their behavioural skills in tricking unsuspecting consumers into clicking on the links sent in these emails. Surprisingly, those aged 55 or older are more likely to identify phishing than their younger peers aged 18-29: 71 percent of those 55 or older correctly identified what phishing is, as opposed to 61 percent for the younger age group (Source: Wombat Security).
Phishing is one of several techniques used by social engineers. It involves cloning a legitimate website and sending a convincing e-mail inviting the recipient to visit the cloned site via a link. The intention is to deceive the e-mail recipient into disclosing personal information. As the number and sophistication of attacks against technology increase, so too do the technologies available as countermeasures to thwart these attacks, forcing attackers to come up with ever more innovative exploits. As a result, the focus has now shifted to the weak link in the security system: manipulating humans into compromising security or divulging confidential information.
Kevin Mitnick, a security consultant and at one time the FBI's most wanted hacker and social engineer, asserts that experts who test clients' computer systems by using social engineering techniques to break into them are nearly 100 percent successful. This success is not based on the supremacy of the social engineers but rather on the weakness of human behavioural and psychological tendencies to trust and to be naturally helpful. Many organizations have lost confidential information through social engineering, and the human factor remains the greatest risk to security and the number one reason for the increase in successful attacks.
Social engineering is the art of manipulating humans into performing actions that compromise security or divulge confidential information by exploiting the human element of trust. Social engineers can use a variety of methods to compromise security or gain access to sensitive information without being detected. These methods are grouped into five major categories: telephone attacks, email, website, in-person and cell phones, with hundreds of attack techniques under these categories used to gain physical access to restricted areas or sensitive information.
While the concept of social engineering is not new, most people cannot comprehend how relatively easy it is to pull off; in fact, everyone is susceptible to it and has at one time been a victim of it. The greatest social engineering experts of all time are our parents. How many times growing up as kids were we manipulated by our parents? From clever stories to get us to eat our vegetables, to scary stories to ensure compliance: as a result, we are psychologically hardwired to be more susceptible to manipulation than we think.
Social engineering attacks come in many forms, classified as either human-based or technology-based, but all share the fundamental goal of achieving something by deception, using a four-step approach: information gathering, relationship development, exploitation and execution. Social engineering is a serious problem that remains the greatest threat to organizations globally, and it cannot be eliminated completely. Its success relies predominantly on several facets of the weak human element of security.
In Part II: the psychology of social engineering and how to mitigate it.