Cyber Defense_Part 2 -1.jpgSocial engineering is one of the strategies used to breach organizations. This occurs when a hacker tries to manipulate another person’s actions, which then allows the hacker to gain access.  Gartner states, “By 2020, 60% of digital businesses will suffer major service failures due to the inability of IT security teams to manage digital risk.[1]” Sadly, cyberattacks are becoming a normal course of business, with the FBI reporting in 2016, their Internet Crime Complaint Center (IC3) “received a total of 298,728 complaints with reported losses in excess of $1.3 billion”[2]. Verizon reported that within the Healthcare industry, the data breach fell into three categories: “69% Medical, 33% Personal, 4% Payment.[3]

In order to respond appropriately to the threats, it’s important to understand how they work. Here are 5 common social engineering attacks:

 

Phishing

This technique may be the one with which you are most familiar. Attackers mock up emails that look like they are coming from a legitimate person or organization.  These messages often ask for you to take action in order to respond, click on link, call this number, and then you are directed to a fraudulent site or person who will gather valuable personal information like bank account or credit card numbers.

The Anti-Phishing work group published a report, and their analysis included brands that were targeted throughout the first half of last year. “This continues a years-long trend in which a few hundred companies are attacked regularly, from every few weeks to every day, while a smaller number of companies are attacked intermittently. Over time a few companies fall off the lists completely, to be replaced by new and up-and-coming targets of opportunity.”[4]

One of the ways to combat this tactic are to run drills with your organization, and create a coordinated training activity where “phishy” emails get sent to the organization, and those who fall prey will receive additional training. You can also reward those employees who self-report suspicious emails. 

 

Spear Phishing/Whaling

Similar to phishing, whaling got its moniker from targeting bigger fish, i.e., political representatives or high level business executives. In many of these cases, the hackers order financial transactions that get approved by an unsuspecting bank or company employee, who simply think they are responding to a legitimate request. The victim may not be a high level employee – but they are often in roles where they have day-to-day access to company funds, i.e., accounting. [5]

Refining your business processes may help reduce the risk of a breach. If there are multiple layers of financial approvals, there is a higher chance that this type of behavior will be identified.

 

Pretexting

With this social engineering tactic, the attack comes from someone pretending to be someone legitimate, whether it is impersonating an internal colleague, or a trusted business partner. This method is a variant of spear fishing, but with the pretexting scenario, the attacker interacts with the target, which lends a feeling of legitimacy to the interactions. Again, the goal would be to get money or perhaps to get access to sensitive data within the organization.[1]

The same mitigation strategies for phishing would apply here.

 

Watering Hole

Hackers take an existing legitimate site, for example, an industry organization, and they modify a piece of code on the site that allows malware to get through. When people visit the site, they click on various elements such as drop downs or search boxes and have no idea they have been exposed. This method is also used to compromise external wifi hot spots.

When working remotely in a public place, also use your VPN, since a public wifi hotspot has less security. [2]

 

Tailgating

While many social engineering tricks come from online behavior, tailgating is a classic ruse that works in the real world. An attacker follows an authorized person into a building or office suite. This may be a risk, even if there’s a security badge/card reader in the scenario – the intruder simply skips that step. Now, they are free to walk around the office, and may target an unattended laptop, or server room for their next stop.

According to Security Magazine, “More than 70 percent of respondents believe they are currently vulnerable to a security breach from tailgating.”[3] Educating your employees about the risk and clearly communicating reminders can help them become more vigilant. Adding a physical barrier (badge/locked door) is another mitigation.

It is disheartening to note that according to Verizon’s annual DBIR report, 12% of attacks come from within, and within healthcare, the story is even worse, a whopping 68% of breaches are internal, and only 32% external, and 6% from partners [4]. Fortunately, there are behaviors that you can adopt to help minimize the risk, including business process improvements, organizational change management, which includes training and communication. This integrated approach allows you to fully engage with your employees, so they better understand the risks and how to avoid them.

Read more insights on Cyber Security & Cyber Defense

 

  1. https://www.gartner.com/doc/3332117/special-report-cybersecurity-speed-digital
  2. https://pdf.ic3.gov/2016_IC3Report.pdf
  3. http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
  4. http://docs.apwg.org/reports/apwg_trends_report_h1_2017.pdf
  5. https://www.perspectiverisk.com/another-fishing-synonym-ceo-whaling/
  6. http://searchsecurity.techtarget.com/news/450417923/Pretexting-is-a-rising-threat-according-to-2017-Verizon-DBIR
  7. https://www.csoonline.com/article/2614643/security/watch-out-for-waterhole-attacks----hackers--latest-stealth-weapon.html
  8. https://www.scmagazineuk.com/the-evolution-of-darkhotel-from-wi-fi-to-complex-social-engineering/article/685834/
  9. http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/