What is Social Engineering and how is it a cybersecurity threat?
Are people the weakest link when it comes to security? Often the answer is yes, precisely because people want to be helpful. An accidental leak of information may occur because the target wants to be helpful, or because he believes that “corporate” is behind the questions. Social engineering may seem like something simple, but it is a skill as much as it is an art. A simple definition of social engineering is the act of manipulating human behavior to achieve an attacker’s malicious intent(s). You can see social engineering as a major cybersecurity threat live on display at DEFCON, specifically at the Social Engineering Village (SEVillage).
Social Engineering example at the 2019 DEFCON SEVillage?
The SECTF (Social Engineering Capture the Flag) event was focused on alcohol, tobacco, and firearm companies, and we made it in during the alcohol portion. The first contestant was a woman with a soft Australian accent, who displayed a strangely contradictory personality of confident yet bashful under the persona of someone from IT in the New York branch of a popular beer manufacturer. She may have started by asking what browser the target used the most, but she ended the conversation with much more valuable information: the OS and version currently in use. After she finished her turn, a man with a cool and confident voice got onto the phone. Posing as someone in IT, he was quick to ask questions without being overwhelming. For instance, when one of his targets was too slow in opening his browser, he made sure to make some small talk about the weather to keep the target from thinking too much about the why behind his requests. Finished with his turn, he left the booth, and the next person to go in was a woman whose voice was also confident, but this time it was different. Her voice sounded authentic, not as though she was trying to alter her pitch or tone; rather, she maintained the same voice she used normally. The main advantages she had were confidence, experience, and knowledge of how to maneuver the social situation. The only things these three different contestants had in common were confidence and being accommodating. This is probably what a football fan feels like watching his favorite team. By the end of each call, the participant’s goal was to get the target to land on the social-engineering cybersecurity training site, a puzzle piece that helps the security team understand what happened and which issue to tackle next.
Why is social engineering and cybersecurity awareness training important?
This event was just as enlightening as it was entertaining. Watching these three slowly extract information that could compromise the company was astonishing. One major takeaway for me, beyond the desire to come back, was that preparing the company for social engineering attacks isn’t necessarily about anticipating a personality; rather, it is about whitelisting the information that can be given out over the phone (i.e., against vishing), in an effort to prevent leaks. At Totem.Tech, our employees go through annual cybersecurity awareness training, which includes social engineering aspects like phishing campaigns, to help our employees actively practice phishing detection. To motivate our staff to have fun with this exercise, we add a competitive aspect: the employee who notices the most phishing emails receives a prize, e.g., an Amazon gift card. We believe at Totem.Tech that cybersecurity awareness training should incorporate positive reinforcement like fun prizes to promote a culture where cybersecurity hygiene/posture is embraced and supported. Contact Totem.Tech today to transform your organization’s biggest cybersecurity vulnerability into its greatest defense against cyberattacks.
What are some free resources on social engineering and cybersecurity awareness training?
SANS Institute:
- Securing the Human – “You Are A Target” Poster
- Securing the Human – “Security Awareness Roadmap” Poster
- Securing the Human – “Don’t Get Hooked!” Poster
Trend Micro:
- Free, Cloud-Based Phishing Simulation Tool
Gophish:
- Free, Open-Source Phishing Simulation Tool
–Miguel Vara
Cybersecurity Technician