
Security awareness to resist social engineering

Today's threat landscape is dynamic, and together with technological development, changes are taking place so quickly that it is difficult to keep up.

Håkon Haugsten Hansen / May 18, 2022

For several years, organized crime on the internet has been a fact. The methods of spreading malicious code have evolved from indiscriminate worms and viruses to tailored malware that is customized to attack one specifically selected business.

Because the internet gives everyone access, the attacker could be anywhere and anyone. An attacker can target the technical systems (exploiting technical vulnerabilities), the humans controlling those systems (exploiting cognitive biases), or a combination of the two.

Bugs in the human hardware

When attacking the human(s) controlling a system, the attacker uses psychological manipulation techniques to influence people to perform actions or disclose confidential information. This technique is commonly referred to as social engineering, and it relies on specific attributes of human decision-making known as cognitive biases. Where a technical attack exploits a bug in software, social engineering exploits known cognitive biases as a bug in the human in order to get past the human firewall. Industry surveys regularly report that the large majority of cyber attacks (figures as high as 98% are cited) involve humans falling victim to social engineering.

Six principles to understand social engineering

Psychologist Robert Cialdini described six principles of influence, and social engineering relies heavily on them. The six key principles are:

  • Reciprocity – People tend to return a favor. In social engineering, the attacker may imply that the victim owes an action in return, or simply imply that there will be a negative consequence if a certain action is not performed. 
  • Commitment and Consistency – If people commit, orally or in writing, to an idea or goal, they are more likely to honor that commitment. In social engineering, the attacker may refer back to an earlier (real or fabricated) agreement so that refusing now would feel inconsistent. 
  • Social proof / Consensus – People will do things that they see other people doing. In social engineering, the attacker may imply that the request is a normal procedure, or that colleagues have already complied, to increase the likelihood that the victim complies. 
  • Authority – We tend to obey figures of authority. In social engineering, the attacker may pose as an authority figure (a manager, the IT department, the bank, the police) to increase the likelihood that the victim complies. 
  • Liking / Familiarity – People are easily persuaded by people they like. In social engineering, the attacker may pose as a known, likable person to increase the likelihood that the victim complies. 
  • Scarcity / Urgency – We perceive something as more valuable when it is less available. In social engineering, the attacker may present the request as "limited time only", or demand an immediate response, to increase the likelihood that the victim complies. 

The attacker applies these principles when performing vishing (voice phishing), smishing (SMS phishing), and phishing attacks. What all of these have in common is that they are performed against a human victim, with the aim of getting that person to disclose information or to perform an action on the attacker's behalf. 
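The six principles are easy to recognise once named, and that makes them usable as triage cues: a message that stacks authority, urgency, social proof and a prior "agreement" on top of a lookalike sender address is the classic CEO-fraud shape. The following added example (not code from the original article or from Tietoevry) scores a message by counting which principle cues appear in its text and by checking the sender address against a set of trusted domains. The cue phrase lists, the sample messages, the trusted domain and the weights are constructed assumptions for illustration; a real lexicon would be tuned on an organisation's own phishing-simulation data.

```python
import re
from dataclasses import dataclass, field
from difflib import SequenceMatcher

# Illustrative cue phrases per Cialdini principle (assumption: not an exhaustive lexicon).
# Each entry is a regular expression matched case-insensitively against subject + body.
CUES = {
    "authority": [r"\bceo\b", r"\bcfo\b", r"\bit department\b", r"\bhelpdesk\b", r"\bpolice\b", r"\bbank\b"],
    "urgency": [r"\burgent\b", r"\bimmediately\b", r"\bwithin (\d+|an?) (hour|minute)s?\b", r"\bright away\b", r"\btoday\b"],
    "scarcity": [r"\blimited time\b", r"\blast chance\b", r"\bexpires?\b", r"\bonly \d+ left\b"],
    "social_proof": [r"\beveryone (else )?has\b", r"\ball (other )?employees\b", r"\bstandard procedure\b"],
    "commitment": [r"\bas (you|we) agreed\b", r"\byou (already )?confirmed\b", r"\bas discussed\b"],
    "reciprocity": [r"\bfree\b", r"\bgift\b", r"\bbonus\b", r"\bwe('ve| have) done\b"],
}

# Display-name words that claim an internal role; suspicious when the address is external.
ROLE_WORDS = re.compile(r"\b(ceo|cfo|it|support|helpdesk)\b", re.I)


@dataclass
class Message:
    display_name: str
    from_addr: str
    subject: str
    body: str


@dataclass
class Verdict:
    score: int
    cues: dict = field(default_factory=dict)   # principle -> number of distinct cue patterns hit
    sender_flags: list = field(default_factory=list)


def find_cues(text):
    """Return {principle: count of distinct cue patterns found} for the given text."""
    text = text.lower()
    hits = {}
    for principle, patterns in CUES.items():
        matched = [p for p in patterns if re.search(p, text)]
        if matched:
            hits[principle] = len(matched)
    return hits


def sender_flags(msg, trusted_domains):
    """Flag external senders, role impersonation in the display name, and lookalike domains."""
    flags = []
    domain = msg.from_addr.rsplit("@", 1)[-1].lower()
    if domain not in trusted_domains:
        flags.append(f"external domain {domain}")
        if ROLE_WORDS.search(msg.display_name):
            flags.append("display name claims internal role from external address")
        for td in trusted_domains:
            # Cheap lookalike check: high string similarity to a trusted domain (e.g. examp1e vs example).
            if SequenceMatcher(None, domain, td).ratio() >= 0.8:
                flags.append(f"lookalike of {td}")
    return flags


def assess(msg, trusted_domains):
    """Combine cue hits and sender flags into one score; weights are an illustrative assumption."""
    cues = find_cues(msg.subject + " " + msg.body)
    flags = sender_flags(msg, trusted_domains)
    score = sum(cues.values()) * 2 + len(flags) * 3
    return Verdict(score, cues, flags)


# Constructed sample input (not real messages).
TRUSTED = {"example-corp.com"}

PHISH = Message(
    display_name="Anna Berg (CEO)",
    from_addr="anna.berg@examp1e-corp.com",
    subject="Urgent: wire transfer needed today",
    body=("This is your CEO. I am in a meeting and cannot take calls. Process the payment "
          "immediately, as we agreed last week. Everyone else has already signed off; "
          "it is standard procedure."),
)

BENIGN = Message(
    display_name="Anna Berg",
    from_addr="anna.berg@example-corp.com",
    subject="Notes from Monday's meeting",
    body="Attached are the notes. Let me know if I missed anything.",
)

if __name__ == "__main__":
    for label, msg in (("phish", PHISH), ("benign", BENIGN)):
        v = assess(msg, TRUSTED)
        print(f"{label}: score={v.score} cues={v.cues} sender={v.sender_flags}")
```

A score like this is a training and triage aid, not a security control: it will miss a well-written pretext that uses none of the listed phrases, and it will flag a genuinely urgent message from a real executive. Its value is that it makes the principles visible on a concrete message, which is exactly what an awareness programme wants employees to learn to do by eye.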


Security culture is an important firewall

Having employees who know how to spot social engineering attempts is, and will remain, important for reducing the risk of a successful attack. Academic research establishes that employees often do not see themselves as part of the organization's information security firewall, and often take actions that disregard the organization's information security interests. Furthermore, research clarifies the need to treat information security culture as a continuous process for improving security. The pace of digital development and the evolving threat landscape reinforce this.

One example is the development of deepfakes, a technique that uses artificial intelligence to create video or audio of a person in which their face, body, or voice has been digitally altered so that they appear to be someone else, or to be doing or saying something they never did or said. Today, attackers use this technology in vishing to create attacks that challenge your employees' ability to spot social engineering attempts far more than before. As recently as 2020, a bank in the United Arab Emirates was defrauded of 35 million dollars by attackers who used a cloned voice to impersonate a company director over the phone.



Håkon Haugsten Hansen
Senior Consultant Cyber Security, Tietoevry Connect

