What is it?
A human-centric manipulation technique that uses deceptive tactics to trigger emotionally driven actions that are in the interests of a cybercriminal or attacker.
Why is it important?
Exploiting people can be an effective means for criminals to bypass security processes and technology controls. Social engineering can be used to create a point of entry into a computing device, application, or network via an unsuspecting person.
Why does a business professional need to know this?
Social engineering attacks can cost millions of dollars. Recently, MacEwan University was the victim of a phishing attack(Huffington Post 2017) that fooled employees into changing banking information for a major vendor. As a result, nearly $12 million was transferred to the attackers.
Social engineering can take many forms. It includes phone scams, face-to-face manipulation and deception, email-based phishing attacks, targeted spear phishing of specific individuals, and whaling attacks, which are aimed at senior executives. Social engineering poses a tangible business risk for security professionals, executives, and boards of directors alike.
Social engineering through phishing is a growing threat to individuals and organizations of all types. According to the 2016 Verizon Data Breach Investigations Report(Verizon 2016), 30 percent of targeted individuals will open a phishing email message, with 12 percent also opening attachments or URLs which may contain malicious code.
Over the past two years, a new type of social engineering attack targeting senior executives and financial departments has emerged. Known as whaling (because big fish
are the targets), these attacks seek to deceive employees to authorize six, seven, and even eight-figure fraudulent wire transfers.
Countering social engineering requires organizations to think beyond technology-based defenses such as email filtering, firewalls, or endpoint detection. An effective technique to defend against social engineering is to identify and manage employees at risk and create an educated workforce that is aware of all forms of social engineering.
Engaging leadership and employees in managing the risks of succumbing to social engineering attacks can be an effective proactive strategy. Further, this creates a critical cultural shift from cybersecurity as an IT-centric service to cybersecurity as a shared responsibility.
References
- (Beauceron) Social Engineering: Beauceron Security. Web page with resources and definitions related to social engineering.
- (Huffington Post 2017) MacEwan University defrauded of $11.8M in online phishing scam: Canadian Broadcasting Corporation (2017). Describes how a Canadian university was defrauded of $11.8 million after staffers fell prey to an online phishing scam.
- (Verizon 2016) 2016 Data Breach Investigations Report: Executive Summary: Verizon (2016). PDF. Detailed analysis of more than 100,000 cybersecurity incidents in 2015, including 2,260 confirmed data breaches in 82 countries.
- (Alperovitch 2016) Bears in the Midst: Intrusion into the Democratic National Committee: Alperovitch, Dmitri (2016). Crowdstrike. Analysis and findings identifying two separate Russian-intelligence-affiliated adversaries -- Cozy Bear and Fancy Bear -- present in the computer network of the US Democratic National Committee (DNC) in May 2016. Discusses details of the attacks and provides links to related articles on the subject.
About David Shipley
David Shipley is a recognized Canadian leader in cybersecurity, frequently appearing in local, regional, and national media and speaking at public and private events across North America. He is a Certified Information Security Manager (CISM) and holds a bachelor of arts in information and communications studies as well as a master of business administration from the University of New Brunswick (UNB).
David helped lead the multi-year effort to transform UNB’s approach to cybersecurity. He led UNB's threat intelligence, cybersecurity awareness, and incident response practices. His experience in managing awareness programs, risk management, and incident response helped shape the vision for the Beauceron platform.
Term: Social Engineering
Email: david@beauceronsecurity.com
Website: beauceronsecurity.com
LinkedIn: linkedin.com/in/dbshipley
I just read the following in the Symantec ISTR March 2018 report:
"If you’re going to be attacked, the chances are that initial
compromise, the gap in the fence the attackers sneak
through, is going to be created by social engineering rather
than anything technically sophisticated such as exploit of a
zero-day vulnerability. Spear-phishing emails are the number
one means of attack we’ve seen used, meaning a well-crafted
email, sent to an unsuspecting staff member is the most likely
source of compromise and can be the trigger to a potentially
serious security breach."