Hacking the Human Mind – Exploring Social Engineering Attacks
Cybersecurity is one of the fastest growing areas of the technology industry today. Large-scale cyber-attacks and the media coverage they receive have helped draw attention to the pressing need for better defenses. Organizations have begun to invest more in protecting their assets: in 2018, worldwide spending on information security products and services reached over $114 billion, an increase of 12.4% over the previous year. This is without doubt a positive development, but businesses must be aware that the cybersecurity chain is only as strong as its weakest link.
It is for this reason that, while billions of dollars are being spent across the globe on all manner of security technologies and services, attackers have begun turning their attention to a vital, though often overlooked, component of the security equation, and one for which no straightforward means of protection exists – human behavior.
How Cyber Criminals ‘Hack the Human Mind’
There are a number of techniques that attackers use to manipulate users by taking advantage of their trust and naivety. These are commonly grouped together under the term ‘Social Engineering’.
Social engineering is the practice of manipulating people in such a way as to trick them into performing malicious actions – either against themselves or against their organization. This could take the form of an attacker pretending to be someone else in order to steal sensitive information, or luring the victim into unwittingly carrying out an action that jeopardizes either their own security or that of the organization for which they work.
Social engineering is one of the easiest, yet most effective, attacks against enterprises. A large number of organizations have been pouring significant amounts of capital into technologies that protect their infrastructure, but continue to ignore the weaknesses arising from human behavior. As a result, they fail to keep their data secure.
Social engineering attacks can be carried out through a variety of means. These include:
- Email: This vector is commonly used in phishing, spear phishing or whaling attacks.
- Social Media: Attackers exploit social media platforms with attacks that involve malicious apps, fake friends, watering-hole attacks, and the usage of leaked data and exposed passwords.
- Criminals and activists: Malicious insiders, hacktivists and others can also execute social engineering attacks.
Social Engineering Attacks are on the Rise
Researchers have estimated that between 2013 and 2017, the financial impact of social engineering on organizations exceeded $1.6 billion. It is also worth noting that, globally, approximately 83% of companies report having experienced a social engineering attack, and within this group around 83% of social engineering-based attacks succeeded in their goal of compromising enterprise networks or gaining access to private data.
Below we can see a graph which outlines the volume of attacks via three key vectors for the period 2016-2018.
It is clear from this data that the number of compromised accounts, a key factor exploited in social engineering attacks, is rising sharply.
In line with the global trend, through 2018 Help AG saw a growing number of social engineering attacks being carried out against organizations in the UAE. While some of these were targeted, others were part of larger mass-scale campaigns. It was also apparent to us that the majority of these attacks were motivated by the hope of financial gain.
Unfortunately, even for mature organizations with the right incident detection solutions and procedures, it takes on average five months to detect a typical social engineering attack. This makes investigation and mitigation difficult, because after such a long time has elapsed it is hard to determine the root cause. Furthermore, over this extended time-frame attackers can use the information or access they gained to deepen their penetration into the network and carry out other malicious activities, such as establishing Advanced Persistent Threats (APTs).
Combating the Threat of Social Engineering
It is clear, then, that organizations should expect the threat from social engineering to only worsen. This raises the question of how organizations can best prepare for such attacks.
At Help AG, we advise our customers that it is always best to educate users on a frequent basis and to limit the impact of any single attack to the smallest possible scale. It is also very important to conduct frequent technical social engineering and red team/blue team drills (which are offered by leading security service providers) to assess the organization’s security posture.
Help AG offers extensive and advanced social engineering simulation attacks, in which our team of ethical hackers has managed to gain network access or compromise enterprise accounts with a success rate of nearly 95%. Of course, unlike criminals who then use this access or account information for malicious purposes, our team provides customers with a clear understanding of where their vulnerabilities lie and works with their IT teams to define and implement a remediation plan. Help AG also provides awareness training to help organizations and their employees stay a step ahead of attackers and thus avoid becoming victims of social engineering attacks.
So, while it pays to leverage best-in-class security technologies that are seamlessly integrated, it is equally important to pay attention to the human aspect of security, thereby strengthening every critical link in the security chain.