Social Engineering Attacks
In discussing social engineering in the context of cyber security, it is important to remind ourselves of the mission of the Information Security discipline. Information Security is about protecting the Confidentiality, Integrity and Availability (C.I.A.) of information. Information contained in databases or other storage devices should not be accessed by unauthorised persons, or modified without the right permission. Information should always be available to be accessed by duly authorised persons. This is the overall mission of information security, and it is tied to the continuity of any business.
Social engineering attacks are a simple but effective way to break into an organisation's information assets. With the prevalence of cyber attacks in our hyper-connected world, it is important that the general public are aware of basic and simple ways to protect their information from theft, prying eyes or unauthorised disclosure.
Social engineering uses deception to get individuals to disclose confidential information, especially access credentials, which can then be used to gain access to a system.
An attacker using social engineering can bypass the strongest and most well-designed security system. The attacker merely gains the confidence of the target person and may directly ask for the user name and/or password or other confidential and private information. The attacker may also gather personal information from platforms such as Facebook, Instagram or Snapchat that can be used in a password guessing attack.
An example of a social engineering attack is someone (the threat agent) making a phone call to the target person while pretending to be from IT support or a market research organisation. In so doing, the attacker acquires the user's credentials and subsequently gains access to the system.
Following a successful social engineering attack, the attacker may elevate his or her privileges in the system to realise their goals and mission.
Awareness – The main countermeasure to social engineering attacks is awareness: personnel should be aware of such schemes and should never divulge access credentials over the phone, via email or by clicking on an unknown link.
Training – Targeted training to sensitise groups to such schemes will reduce the risk of a breach using these tactics.
Education – Staff should be encouraged to learn more about the importance of information security and how it is intertwined with the overall continuity of the business or organisation.
There are many companies offering education and training in information security awareness. For example, Y-Digital Technologies, a UK-based boutique cyber security and training consultancy, provides first-class training and education in this area. Companies must act to mitigate social engineering threats without delay.
Yemi Oluleye BSc, MBA IT, MILM, ACIB, Certified TOGAF Architect, CISSP
Security Consulting & Training