Social Engineering: The Human Element of Data Breaches
Introduction
Social engineering is the art of manipulating people into divulging confidential information or taking actions that benefit the attacker. As technical defenses have improved, attackers have increasingly focused on exploiting the “human element” rather than trying to break through those defenses directly. Many of the most significant data breaches now begin with some form of social engineering, which is why the saying “humans are the weakest link in cybersecurity” persists. In this article, I’ll provide an in-depth look at how social engineering enables data breaches and why humans are so susceptible to manipulation.
What is Social Engineering?
Defining Social Engineering
Social engineering refers to the psychological manipulation of people into disclosing sensitive information or performing actions such as installing malware or approving a payment. It works because humans tend to trust other people and want to be helpful; attackers exploit these tendencies to get around technical security controls without ever attacking the controls themselves.
Common social engineering techniques include phishing, pretexting, baiting, quid pro quo, and tailgating. Social engineers may use these techniques individually or in combination to take advantage of human psychology. Their goals are to gain information, access, or the compliance of their targets.
Differences from Physical Security Attacks
Social engineering differs from physical security attacks like physically breaking into facilities. With social engineering, attackers exploit psychological vulnerabilities rather than physical ones. They manipulate targets into handing over login credentials or sensitive data rather than stealing it directly.
While both attack vectors aim to bypass security controls, social engineering does not require directly confronting or subverting physical security measures. This makes it an attractive, low-risk option for attackers seeking sensitive data.
Why is Social Engineering Effective?
Exploiting Human Nature
Social engineering taps into fundamental aspects of human nature. Most people aim to be helpful, particularly towards authority figures. We also have an instinctual curiosity when presented with something enticing but forbidden. Unfortunately, attackers leverage these natural human tendencies to their advantage.
Specific psychological triggers targeted by social engineers, most of them drawn from Robert Cialdini’s well-known principles of influence, include:
- Reciprocity – We tend to return favors and gifts
- Scarcity – Rare or exclusive opportunities pique our interest
- Authority – We defer to people in leadership positions
- Liking – We comply with requests from people we know and like
Skilled social engineers carefully craft their attacks to take advantage of these psychological drivers. As social creatures, we have innate vulnerabilities that technology alone cannot fully protect.
Bypassing Technical Controls
Organizations invest heavily in technical defenses like firewalls, email filtering, and anti-malware software, but these controls are not foolproof. A phishing email that gets past the filters does not need to defeat the remaining controls; it recruits a trusted user to do the work, by opening an attachment, clicking a link, or typing credentials into a lookalike site.
Once a target clicks a malicious link or opens a harmful attachment, the attacker often gains an initial foothold on a workstation. Phished credentials are just as useful: they let the attacker log in as a legitimate user. Either way, that initial access is the starting point for escalating privileges, moving laterally, and completing the attacker’s objectives.
Advanced attackers may use social engineering to directly target IT staff and system administrators. By compromising people with elevated access, attackers can stealthily bypass technical controls.
Common Social Engineering Techniques
Phishing
Phishing attacks use email, or in the “vishing” and “smishing” variants phone calls and text messages, to deceive targets into giving up sensitive information or running malware, usually by steering them to a fraudulent website. Phishing emails masquerade as legitimate messages from trusted sources like banks, insurers, or employers, typically sent from a lookalike domain or under a display name that imitates the trusted sender. Well-crafted phishing emails create a sense of urgency or importance to push targets into acting before they think.
Once targets enter information or click a link, attackers obtain login credentials, financial information, or personal data usable for identity theft. Industry breach reports consistently rank phishing among the most common initial access vectors, and it plays some role in the large majority of reported intrusions.
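As an added example (this is not code from the original article), here is a small Python triage script that checks a raw email for the indicators described above: a display name borrowing a trusted brand, a typo-squatted sender domain, a Reply-To pointing somewhere else, SPF/DKIM failures recorded by the receiving mail server, urgency language, and an HTML link whose visible URL differs from its real target. The trusted-brand list and both sample messages are constructed for the demonstration; the domains in them are not real.

```python
"""Score a raw RFC 5322 message for common phishing indicators (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical allow-list: brands the recipient deals with and the sending domain each uses.
TRUSTED_BRANDS = {"example bank": "example-bank.com", "corp it": "corp.example.com"}
URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|suspended|verify your account|act now)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(header_value):
    """Lower-cased domain of the first address in a header, '' if none."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def levenshtein(a, b):
    """Edit distance, used to spot typo-squatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Trusted domain that `domain` imitates (one or two edits away, not equal)."""
    for trusted in TRUSTED_BRANDS.values():
        if domain != trusted and levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def triage(raw_message):
    """Return (indicator, detail) pairs; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    from_header = str(msg.get("From", ""))
    display = parseaddr(from_header)[0].lower()
    from_dom = domain_of(from_header)
    reply_dom = domain_of(msg.get("Reply-To", ""))

    # 1. Display name borrows a trusted brand but the address is not that brand's domain.
    for brand, brand_dom in TRUSTED_BRANDS.items():
        if brand in display and from_dom != brand_dom:
            findings.append(("brand-impersonation", f"'{display}' sent from {from_dom}"))
    # 2. Typo-squatted sending domain (examp1e-bank.com standing in for example-bank.com).
    target = lookalike_of(from_dom)
    if target:
        findings.append(("lookalike-domain", f"{from_dom} imitates {target}"))
    # 3. Replies are silently redirected to a third domain.
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"Reply-To {reply_dom} vs From {from_dom}"))
    # 4. The receiving mail server recorded an SPF/DKIM/DMARC failure.
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=(fail|softfail|none)\b", auth, re.I):
            findings.append(("auth-fail", f"{mech} did not pass"))
    # 5. Pressure language in the subject or body.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if URGENCY.search(str(msg.get("Subject", "")) + " " + text):
        findings.append(("urgency", "pressure language in subject/body"))
    # 6. HTML link whose visible URL differs from where the href really points.
    if body is not None and body.get_content_type() == "text/html":
        for href, shown in ANCHOR.findall(text):
            shown = re.sub(r"<[^>]+>", "", shown).strip()
            shown_host = (urlparse(shown).hostname or "").lower() if shown.lower().startswith("http") else ""
            href_host = (urlparse(href).hostname or "").lower()
            if shown_host and shown_host != href_host:
                findings.append(("link-mismatch", f"shows {shown_host}, goes to {href_host}"))
    return findings


# Constructed sample messages (not real mail): one phish, one legitimate notice.
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
Reply-To: recovery@mail-secure-login.net
To: jdoe@corp.example.com
Subject: Urgent: your account will be suspended
Authentication-Results: mx.corp.example.com; spf=fail smtp.mailfrom=examp1e-bank.com; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be suspended within 24 hours. Please
<a href="http://mail-secure-login.net/verify">https://www.example-bank.com/login</a>
to verify your account.</p></body></html>
"""
SAMPLE_LEGIT = """\
From: "Example Bank" <alerts@example-bank.com>
To: jdoe@corp.example.com
Subject: Your monthly statement is available
Authentication-Results: mx.corp.example.com; spf=pass smtp.mailfrom=example-bank.com; dkim=pass
Content-Type: text/plain; charset="utf-8"

Your statement for last month is now available in online banking.
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, triage(sample))
```

Running it shows the phishing sample tripping six distinct indicators while the legitimate statement notice produces none. The checks are deliberately simple, and a real mail gateway adds URL reputation and attachment analysis on top, but the header and link mismatches flagged here are exactly the cues awareness training teaches people to look for.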
Pretexting
With pretexting, attackers invent a false “pretext” or scenario to trick targets into divulging information. Pretexting often relies on impersonation – social engineers may pretend to be IT staff, police, bankers, or anyone perceived as having authority. These fake personas pressure targets into handing over sought-after data.
An example is an attacker calling an employee while pretending to be from the IT helpdesk and claiming to need the employee’s password to “reset” or “migrate” the account. Unsuspecting targets, wanting to help fix the supposed issue, hand over their credentials. The pretext works in the other direction too: an attacker calls the real helpdesk posing as a locked-out employee and talks the agent into resetting a password or re-enrolling a multi-factor device. A legitimate helpdesk never needs a user’s password, and a reset request should be verified through a channel the caller does not control.
Baiting
Baiting offers the target something enticing whose acceptance compromises security. The classic physical form is a malware-laden USB drive, labelled with something intriguing such as “salaries” or “layoff plan,” left in a car park or lobby for a curious employee to plug in. Online, the bait is free music, movies, cracked software, or adult content, sometimes with the instruction to disable antivirus “so the installer works.”
Baiting tactics appeal to natural human curiosity and desire. When targets open the “found” drive or download the free content, they end up installing malware, and the attacker gains a foothold without sending anything through the email gateway.
Quid Pro Quo
Quid pro quo involves offering a service or benefit to targets in exchange for information. For example, an attacker may pose as a researcher offering to pay interviewees for answering some survey questions. Buried among the legitimate questions are ones designed to collect sensitive data.
People are more likely to divulge personal information when they feel they are getting something of value in return. Attackers exploit this tendency, often posing as researchers, pollsters, or marketers to gain compliance.
Tailgating
Tailgating or “piggybacking” involves physically following an authorized person into a restricted area. The attacker walks in right behind or along with the authorized person to bypass physical access controls.
Security awareness is key to preventing tailgating. Authorized individuals must be alert and willing to question anyone trying to enter without using their own access credentials. Attackers often dress like legitimate personnel to avoid suspicion.
Real-World Social Engineering Examples
RSA Breach
In March 2011, attackers sent spear-phishing emails to small groups of RSA Security employees carrying a spreadsheet attachment that exploited a then-unpatched Adobe Flash vulnerability. The resulting intrusion exposed data related to RSA’s SecurID two-factor authentication tokens. The stolen information was later used in attempted intrusions at RSA customers, including the defense contractor Lockheed Martin, and RSA ended up replacing SecurID tokens for customers at huge cost.
NotPetya Attack
The NotPetya attack that caused over $10 billion in global damages in 2017 is often described as starting with a phishing email, but its initial vector was a software supply-chain compromise: the attackers pushed a trojanized update through the update mechanism of M.E.Doc, an accounting package used by most companies doing business in Ukraine. The job-applicant résumé lure belongs to the earlier Petya ransomware campaign of 2016, whose code NotPetya reused. Once inside a network, the wiper spread rapidly on its own by exploiting unpatched SMB services and by harvesting credentials from memory to log in to neighbouring machines. The lesson for this article is that a trusted update channel can deliver malware just as effectively as a trusted-looking email.
Twitter Account Takeover
In July 2020, attackers phoned Twitter employees while posing as the company’s IT department and talked them into entering their credentials on a site that imitated Twitter’s internal login page. With those credentials the attackers reached internal account-support tools and posted a bitcoin scam from dozens of high-profile accounts, including Elon Musk’s. Twitter deleted the fraudulent tweets and temporarily blocked verified accounts from tweeting while it regained control. The entry point was not a compromised executive but an ordinary pretexting call to staff who had access to privileged tools.
Defending Against Social Engineering
Security Awareness Training
Ongoing security awareness training is key to mitigating social engineering risks. Training equips employees to identify and respond appropriately to phishing attempts, unusual requests, and other red flags, and it should make reporting a suspected phish easy and blame-free, because a prompt report of one clicked link is what lets the security team contain the rest. Simulated phishing campaigns and role-playing exercises help build the reflexes needed against real-world social engineering.
Limiting Access
Following the principle of least privilege limits the damage attackers can inflict through social engineering. Restricting access to sensitive systems and data, and requiring multi-factor authentication for critical functions, helps contain a compromised account. Prefer phishing-resistant factors such as FIDO2/WebAuthn security keys for privileged users: one-time codes and push approvals can themselves be social-engineered, either by relaying the code through a lookalike login page or by bombarding the user with approval prompts until one is accepted.
Policy Enforcement
Enforcing strong security policies gives employees clear guidance for dealing with unusual requests and other suspicious activities. Strict approval processes for financial transactions, data sharing, and system access changes reduce social engineering risks, especially when a request to change payment details or reset credentials must be confirmed through a separate channel, such as a phone number already on file rather than one supplied in the request itself.
The Ongoing Threat of Social Engineering
As long as human psychology remains exploitable, social engineering will continue posing risks for organizations. Technology raises the cost of external attacks, but it cannot by itself stop a manipulated insider from handing over access. Regular security awareness training, combined with robust access controls and policies that assume some attempts will succeed, offers the best safeguard against this insidious threat vector.