Security+: Social Engineering Attacks (SY0-401)
Please note: this article is based on information about the previous version of the Security+ exam (SY0-401), which expired in May of 2018. For updated information, please see our up-to-date Security+ listing.
Social engineering focuses on the weakness of the human factor. As long as an institution has personnel, there is a risk of being penetrated via social engineering. Researching information about personnel can be applied in various forms of traditional fraudulent practices and informational attacks. The Computing Technology Industry Association (CompTIA) regards social engineering as one of the key domains in its Security+ training (SY0-401) certification. It enriches security professionals’ knowledge about the effectiveness and countermeasures of various social engineering attacks. This certification is recognized by the Department of Defense of the U.S. (DoD) as the baseline qualification of Information Assurance Technical (IAT) level 2 and Information Assurance Management (IAM) level 1 in its DoD Directive 8570.
Social Engineering Techniques and their countermeasures
Although social engineering is closely associated with cybersecurity today, it is not limited to vulnerabilities of computer and network systems; it goes beyond remote cyberattacks. Many traditional practices of information interception are still of high importance in obtaining valuable information about the target. In the Security+ certification, candidates have to be familiar not only with the social engineering attacks via the Internet and social media, but also with certain classical, yet pragmatic, data theft approaches in physical situations. Most important, candidates should become proficient about existing countermeasures and in what ways they should be adapted to handle social engineering. While security software products can defend the institution in many ways on the network level, physical security should not be underestimated or neglected when it comes to social engineering attacks.
Shoulder surfing is the simple act of watching the target from behind his back or from any unnoticeable angle when he enters delicate information such as a graphical and alphanumeric password, personal identification number (PIN), telephone number, or email address on a computing device. This tactic is mostly effective in crowded places such as ATMs, airports, train stations, cybercafés and public libraries. The attackers can take advantage of the surroundings to discreetly peek at the victim while he reveals his sensitive information. Besides, with hidden cameras and handy spy tools, the attacker can conduct shoulder surfing from a greater distance, or even remotely.
The proliferation of digital devices in all aspects of our daily and professional life requires regular data input to authenticate actions. It is therefore crucial that the data input is well protected to avoid the view of a third party. Before entering sensitive information, the concerned personnel have to verify the professional and, more important, the public surroundings if there are any suspicious people attempting to shoulder-surf the relevant information. Besides, using multiple authentication methods, for example, a password combined with screen swipe, to enhance the difficulty of memorizing the information is a preventive measure. One further protection step is to adopt screen protection products to slash the off-axis visibility of the device. In addition, shoulder surfing can be facilitated by trust between people. A victim can fall into the hands of a fake friendship and lower his alertness of being shoulder surfed. This aspect must be emphasized when sensitive information input is being performed in front of a “friend.”
Tailgating refers to an unauthorized, uninvited or unregistered person following a polite employee or resident to enter a restricted building. This courtesy can open the door to a person having malicious intentions to cause damage for other employees and occupants of the building. In cybersecurity, tailgating can lead to scenarios like installation and alteration of surveillance devices in a building. Its effectiveness originates from natural social courtesy. Most of the time, people will hold the door for the disabled, the elderly, and people carrying heavy items. The attacker can disguise himself to fit in these social conventions to enter the building of his real target. Once he successfully enters a restricted building, he can carry out schemes with immeasurable consequences.
Tailgating can be dealt with by several effective methods. The most obvious one is installing physical barriers, such as mantraps, turnstiles, and surveillance cameras, at the entrance as along with security guards. Building users have to enter the premises with smartcards, devices, or badges, while temporary visitors must register their personal details to get access to the building. This measure can be retrofit to any building to ensure security and facilitate investigation. Personnel of all levels and departments must be aware that they should not committ the honest mistake of inviting unauthorized and potentially malicious people to their working environment.
Dumpster diving is gaining physical access to the dumpsters of the target. It is unsurprising that institutions generate a great deal of paperwork in their daily routine despite the green and paperless office culture. In such a work environment, a lot of sensitive information is printed, circulated, and then disposed of. Institutions have to handle this large number of documents with exceptional care. Traditional practices like shredding and burning machines are essential equipment for institutions of any sizes. They should be careful not to confuse the priority of recycling and data protection. Otherwise, even internal employees can do dumpster diving to take advantage of their employer.
In addition, dumpster diving can be performed in the virtual recycle bin of computers. It is a prerequisite for the IT team to use appropriate software to shred and erase confidential information completely on the computer. Some institutions may underestimate this practice because they might not have technical understanding about hard-disk storage. This is exactly the same as the physical scenario.
Impersonation is the act of pretending to be a legitimate person or institution. It is an indispensable tactic in social engineering. Using the identity of a senior, trusted, or authorized individual to lure the victim into providing sensitive information is the basis of impersonation. This can be done via different channels, namely, telephone, a physical visit, email, or courier. As in the example of tailgating, impersonation can be as simple as pretending to be a pizza delivery driver, law enforcement officer, or business partner to enter a restricted building.
When doing it remotely, the attacker can use spear-phishing email or a fake customer service call. These methods demand some basic information about the target as well as high impersonation skills. In particular, the fake customer service call strategy is highly persuasive, especially when the attacker intimidates the customer service officer by pretending to be a legitimate user desperately wishing to regain control of his account. In order to resist impersonation, regular training for the customer service and personnel having regular contact, remotely or physically, is obligatory to ensure they will follow a rigorous set of procedures to verify the identity of a visitor or message sender.
Whaling is a form of spear-phishing. It targets C-level executives and decision makers so that, if the scam works, the attacker will be able to maximize his gain. The phisher gathers essential information about the internal procedures of the target institution or C-level executive. Then he makes use of that information to fabricate orders for the subordinate colleagues. As the order seems to come from senior management, employees with insufficient security awareness might not question the authenticity of the message, but just follow it. Whaling has become a popular cyberattack in recent years. Corporations like Mattel and Snapchat have fallen prey to whaling in 2015 and 2016 respectively.
In a top-to-bottom corporate structure, the order of senior management is seldom questioned by the subordinates. This characteristic makes whaling a powerful social engineering attack. Nonetheless, junior personnel can always verify the veracity of such messages with several elementary steps. First, they can check the sender’s contact details carefully. They can hover the mouse over the sender’s link/URL to check if it comes from an authentic source. The real sender is usually disguised under some short name or masquerade links to lure the target. Second, they should always refer to the authentic company directory to contact the relevant co-workers, by phone or email, instead of following the specific contact information in the message. Most important, they never provide passwords, banking information, or other sensitive details in replying to these messages.
Vishing and Smishing
Vishing is a combination of voice over IP (VoIP) and phishing. Fraudulent phone calls are not novel scams. Before the introduction of the Internet, impersonated phone calls were a popular scam practice. However, the VoIP technology encourages vishing because the attacker can call the victim from anywhere in the world without worrying about his caller ID, landline, and other easily trackable sources of his identity. In a way, this environment facilitates international vishing. A multidimensional social engineering attack combining vishing, whaling, and other impersonation techniques can therefore pose considerable risk to the target institution.
The first step to counter the risk is to block all automated calls. This can considerably reduce the number of attack attempts. When it comes to more personalized attacks, it is important to be reminded not to take any immediate actions. For example, the most frequently impersonated institutions like banks never request their customers to take immediate action over the phone. In addition, being alert to verify further the identity of the caller always helps as a general rule.
Hoax (Virus & Prizes)
A hoax is false information leading the audience to believe and act according to the intentions of the hoax maker. Hoaxes regarding viruses, network intrusions, and computer performance optimization alerts are common tactics to lure the victim to download malware or a spy tool. This can also be achieved by informing the victim that he has won a prize, for examples, an iPhone, a voyage, or a car. Internal hoaxes about updating security software can be particularly useful into luring the victim to download some malware.
Having anti-virus software updated and firewall enabled 24/7 is the frontline defense against automated hoax. Downloading applications, files, and documents via authentic platforms is essential because they will have done an initial security check on the items hosted on their platform to ensure they will not help spread hoaxes.
Social Engineering Mitigation in the Workplace
The high exposure of personal information on the Internet makes it almost impossible to avoid attackers from adopting various social engineering techniques to infiltrate their institution. There is no way to stop the attackers, so the only fundamental solution is prevention. Educating and improving the security awareness of employees and other relevant stakeholders about social engineering mitigates significantly the risks as well as enhancing the security robustness of the institution.
In fact, the various forms of social engineering attacks, whether they are physical or telegraphic, exploit human weaknesses through seven underlying principles, authority, intimidation, consensus and social proof, scarcity, urgency, familiarity and liking, and, most important, trust. Candidates for Security+ certification should be familiar with these rules, as they provide an objective perspective in case studies and demonstrate how the victims can be set up.
The principles of authority, trust, and urgency are often observed in whaling and other impersonation scenarios. Situations such as an urgent work message coming from a senior manager, an electrician knocking the door to fix power supply problems, or a law enforcement officer calling to acquire information about someone would hardly make people doubt their professional authenticity. Moreover, adding intimidation in the implementation of whaling, vishing, and physical impersonation enriches the realness of the swindle scenario. Customer service officers are likely to be pressured when receiving angry customers and may thus reveal the information the fraudster desires.
In addition, the remaining perspectives, familiarity and liking, consensus and social proof, and scarcity, are often used to lure the victim to take actions such as claiming a prize, updating an antivirus software, providing sensitive data for a fraudulent site coming from an (impersonated) acquaintance, to name a few. It is natural for people to react immediately when there is a time limit for claiming a prize, responding to a questionnaire, or updating their system without too much forethought.
Therefore, these underlying principles in social engineering have to be exhaustively considered when it comes to designing and establishing procedures for employees and other interested parties to follow if they receive suspicious messages, calls, or individuals. Report mechanisms in case of suspected attempts to acquire sensitive information should be established. More important, workshops for non-technical personnel should be regularly held to inform them about evolving social engineering tactics. Social engineering, is first of all, a human attack. The attacker takes advantage of the indifference and ignorance of non-technical personnel about institutional cybersecurity to succeed their objectives. Constantly reminding these personnel about the risk of compromising the first security gate is vital. It prevents them from falling prey to various forms of phishing, vishing, and other remote attacks.
In a way, social engineering is associated too closely with the technical aspect and cybersecurity, making people forget many of its traditional and physical sides. The Security+ certification reminds security professionals of the underlying principles about human weaknesses as well as how they can be exploited to develop effective cyberattacks with the help of technology. Having a comprehensive understanding about how people act and react in society helps create a robust training for employees of all levels regarding social engineering.