One of the most effective methods for breaking through a company’s cyber defenses is social engineering hacking. Let’s take a closer look at this common cybersecurity threat.
When most people think of cyberattacks and the social engineering threat, they picture a scene from an action movie in which a teenage computer whiz spends thirty seconds furiously typing on a computer keyboard and gaining complete access to the Pentagon’s databases. In the real world, this isn’t how hacking actually works.
The good news is that hacking the Pentagon is a lot harder than Hollywood makes it look. The bad news is that hacking is still effective and is increasingly lucrative.
For these reasons, hackers have developed an arsenal of tools and techniques to defeat organizations’ defenses and have learned to stick with what works.
Organizational cyber defenses are often technology-based. They focus on identifying and closing the holes in a company's defenses created by programming flaws or misconfigurations.
Social engineers target the holes in corporate defenses created by human beings. This usually involves attempts to extract personal or internal information from employees and then use it to gain access to the organization.
Humans can be lazy and typically doing the “right thing” from a security perspective is hard. Social engineers capitalize on this and take advantage of the way people’s minds work to get past a company’s defenses. Since this is usually easier than bypassing technology-based barricades, it’s one of the most common types of cyberattacks.
There are basic impulses and instinctive reactions that most people share. Social engineers know this and take advantage of core human psychology to manipulate people into doing what they want.
In the February 2001 issue of Scientific American, Robert Cialdini published an article called The Science of Persuasion in which he described the six basic principles of persuasion.
According to him, a person is more likely to comply with a request if:
Out of context, it may seem easy to resist these impulses, but social engineers are experts at deceiving people.
If a request comes from someone in management, it's probably legitimate, right? But do you really know all of the management by sight? Or would you assume that someone in a suit whom you just saw chatting with the CEO was legitimate? Probably. However, that could just be a social engineer who "accidentally" ran into the CEO at the coffee shop around the corner and struck up a conversation that lasted until they made it back to the office.
All that it took to breach company security was putting on a suit and hanging around drinking coffee until an opportunity presented itself.
Social engineers are good at what they do and what they do is find inventive ways around your company’s security.
Social engineering attacks are some of the most successful types of cyberattacks in existence.
Phishing attacks (social engineering attacks delivered over email) are the most common method of delivering malware to a user's computer. Because the attacker relies on technology rather than in-person contact, the attack is easy to mass-produce.
According to research, 93% of data breaches are linked to phishing and other social engineering incidents. Given the number of successful data breaches reported recently, this means that phishing, and social engineering in general, is a wildly successful attack vector.
The 2018 Phishing by Industry Benchmarking Report explains this threat, whether your industry is at risk, and how to protect yourself. Download it now!
In the end, social engineering comes down to someone making a request that they are not authorized to make. No matter what pretext the social engineer is using, they're trying to get their target to do something that the target is not supposed to do and would not normally agree to do.
If the requester were actually authorized to make the request or give the order, there would be no problem.
This means that defeating social engineering attacks is actually straightforward:
Worst case, you cause a minor delay and inconvenience. Best case, you may have protected your company from a major cyber incident.