São Paulo/SP – September 08, 2022. Social engineering can be applied in several ways, whether through interactions made in person or miles away, from a computer or phone.
*By Bruno Batista
The term social engineering is widely used to define a series of malicious actions or activities that are achieved through human interaction, where a threat agent makes use of psychological vectors to manipulate users and influence/induce a desired behavior, thus obtaining sensitive information or small security bugs that can be leveraged into a larger action that unfolds in many steps.
According to Joe Gray, in his book “Practical Social Engineering: A Primer for the Ethical Hacker” (On Starch Press, 2011), unlike other areas within Information Security, which make use of concepts from Computer Science, Systems Administration, Programming and Database Administration, Social Engineering borrows most of its main concepts directly from Psychology and therefore social engineers must always be up to date with the development of psychology and human behavior. Having these concepts in mind and knowing how to apply them in practice for malicious purposes puts the Social Engineer at an advantage over Security Solutions on the market, however technological and innovative they may be.
An internal environment that has undergone an intense process of hardening it can still be compromised through flaws in the so-called “Layer 8 of the OSI Model”, which is the hypothetical layer used to refer to user error, human error. In other words, as much as there is a mature environment, a single mistake by an employee can threaten the entire structure of the business, serving as a gateway to an even greater threat.
Social engineering can be applied in a variety of ways, whether through interactions done in person or miles away from a computer or phone. The main types of social engineering techniques are:
- Phishing – The most common type, cheap and scalable due to the possibility of reaching a very high number of users at once. It uses techniques that aim to provoke an immediate reaction from the victim, using a convincing and urgent pretext.
- Spear Phishing – Similar to Phishing, but focused on a single institution or person. It is a technique that can receive many benefits from the application of OSINT or from simple interactions with employees, aiming to understand the business and the company structure, its hierarchy and processes. From this, it is possible to create a scenario that fits very well to a specific context and then manipulate someone to perform an action that will bring some advantage to the attacker. A single employee of the target department who performs the desired action may be enough to compromise the environment.
- vishing and smishing – Both are variations of Phishing, but each uses a specific medium. Vishing (Voice + Phishing) – which is one of the most applied techniques in Brazil – is done through phone calls or VoIP services, where the victim is induced to take actions quickly due to the dynamics of the conversation or to share sensitive and confidential information. without noticing. Smishing (SMS + Phishing) makes use of messaging applications such as WhatsApp and Telegram, or the cell phone's own SMS service, again seeking to induce someone to perform an action or to click on a malicious link that has been shared. during the course of the conversation.
- Baiting – This technique makes use of human curiosity, where physical storage media with malicious content can be left in a strategic location, such as in a restaurant frequented by employees during lunch hours, which is then found by one of these employees, who ends up intrigued to know what is stored there and then uses the device in a corporate environment or at home and ends up allowing the execution of the malicious content stored there, which can start a series of new events.
- Dumpster Diving – It is a technique that consists of searching in the corporate trash for possible information, parts and devices that may be sensitive to the company in some way. It is necessary to apply a safe disposal policy to avoid such vectors.
- shoulder surfing – It is basically observing the actions of someone who is using a cell phone or computer, in order to discover and memorize information and passwords that can be useful later.
- tailgating – This technique requires the face-to-face action of a social engineer in order to enter a restricted environment, makes use of the victim’s compassion and good intentions, who seeks to help in a complicated situation, such as when someone is carrying something heavy with both hands and cannot use it. their access card to the server room, for example, where the victim then uses their own card to open the door and walks through, receiving a thank you afterwards without knowing the problem they created.
It is possible to conclude that social engineering attacks are definitely a problem of concern, and to prevent employees from being victims of similar actions, it is important to create awareness plans and campaigns, in addition to making clear the possible consequences that this type of attack can cause. for the company and for each individual. In addition, it is recommended that periodic tests be applied to test the maturity of the company and employees in responding to these activities.
How can we help?
THE SAFEWAY is an Information Security consulting company recognized by its clients for offering high value-added solutions through projects that fully meet the needs of the business. In 14 years of experience, we have accumulated several successful projects that have earned us credibility and prominence with our clients, who largely make up the 100 largest companies in Brazil.
today through 25 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one stop shopping with the best solutions in technology, processes and people. We have both the technical skills and the experience necessary to assist your company in the process of structuring controls and preparing the environment for the implementation of an ISMS, SGS or SGCN and, consequently, certification of operations, services or companies to the ISO27001, ISO20000 or ISO22301 standards.
In order to support companies in this process of evaluation and adaptation to the requirements of the LGPD, [SAFEWAY] has in its portfolio of services, the Cybersecurity Health Check whose objective is to carry out a diagnosis of the CyberSecurity, Information Security and Data Privacy implemented in your company, contemplating the pillars of Law Suit, People and Technology.
through the Cybersecurity Health Check, risks associated with information security and privacy of internal processes and activities are identified, existing controls and new controls evaluated according to the size of your organization to increase the level of maturity and compliance, in accordance with good information security practices. If you would like more information, contact one of our experts!