Last week, we talked about multi-factor authentication (MFA) and the importance of having more than one “lock on your door.” One of the attacker techniques that MFA helps to prevent is social engineering.
Social Engineering is the tactic of manipulating, influencing, or deceiving a user into taking an action that isn’t in their (or their company’s) best interest and often leads to unauthorized access to an account or secure physical location. The goal of social engineering is to gain the trust of authorized persons and then exploit that relationship to gain access to a network or secure physical location that would normally be out of reach for the attacker.
The most common form of social engineering is a phishing email: someone pretending to be a trusted entity within an organization or group asks for access, phishes for passwords, or otherwise manipulates a trusted user into granting access to the false sender or requester. Social engineering can take many forms, however, and phishing emails, though the most effective and popular route, are only one of them. Another popular route is the phone. Social engineering phone calls are increasingly popular because talking to a “real person” who already knows some details about a company or one of its employees adds legitimacy. The most effective way to foil a social engineering phone call is to ask identifying questions that only the authorized user should be able to answer (e.g. security questions, date of birth, college ID, and other personally identifiable information that the organization has on file but an attacker does not).
Some other forms of social engineering include:
Tailgating: A physical breach in which an attacker talks their way into a restricted area. The attacker may impersonate a delivery driver, custodial worker, or another employee and “tailgate” a legitimate employee by asking them to hold the door.
Scareware: A manipulation tactic that overwhelms victims with false alarms and claims of compromise. Victims are deceived into thinking their computer or other systems are already infected with malware or a virus, and that the only way to get rid of it is to install software that grants the attacker remote access, or to pay the attacker a sum of bitcoin to preserve their data or avoid blackmail.
Baiting: An attack that gets an authorized user to give away their password or other credentials willingly, without realizing they have done so. Baiting most commonly uses physical media, for example a thumb drive or other storage device left in a conspicuous place where users will find it and, the attacker hopes, connect it to their computer. When the malicious storage device is connected, malware that logs keystrokes or otherwise scrapes the user’s credentials is installed on the system automatically.
So, now that we know some forms that social engineering can take, how do we protect ourselves from it and notice the signs?
Be wary of suspicious emails. Even if you know the sender, if the message seems suspicious it is best to contact the sender directly through another form of communication to verify that it is legitimate. You can always report a suspicious email by forwarding it directly to cybersecurity@vsc.edu.
MFA offers protection against compromised passwords. With MFA enabled, attackers cannot get into an account with the password alone; they also need the secondary piece of information (often a push notification or text message, as explained last week).
Avoid plugging in unknown devices. If you discover a “dropped” thumb drive or external storage device, do not connect it; report it and hand it in to your local IT Helpdesk for screening.
Avoid putting personal information on social media. Social engineers scour the internet for any personal information about a target. The more information that is publicly available on social media, the more likely it is that an attacker can send you a targeted spear-phishing email or use those personal details to gain physical or digital access to a system.
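To make the “be wary of suspicious emails” advice concrete, here is a small added example (not part of the original post) that checks a message's headers for a few of the mechanical signs that often accompany a phishing email: a sender domain that is not one the organization actually uses, a domain that imitates a real one with digit-for-letter swaps, a Reply-To that diverts answers elsewhere, urgency language, and a request for a password. The sample message, the trusted domain list (example.edu) and every address in it are constructed for the example; the only libraries used are Python's standard email tools.

```python
"""Flag common header-level signs of a phishing email (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Domains this hypothetical organization genuinely sends mail from (assumption).
TRUSTED_DOMAINS = {"example.edu"}

# Constructed sample: the display name claims to be the IT Helpdesk, but the
# address uses a look-alike domain and Reply-To points somewhere else again.
SAMPLE_EMAIL = """\
From: "Jane Doe (IT Helpdesk)" <jane.doe@examp1e-edu.com>
Reply-To: helpdesk-support@mail-recovery.example
To: student@example.edu
Subject: Urgent: verify your account today

Your mailbox is almost full. Reply with your password to keep access.
"""

# Constructed sample of an ordinary internal message for comparison.
CLEAN_EMAIL = """\
From: Jane Doe <jane.doe@example.edu>
To: student@example.edu
Subject: Lunch

See you at noon.
"""


def domain_of(header_value):
    """Return the lowercase domain of the address in a From/Reply-To header,
    or '' when the header holds no address."""
    _, address = parseaddr(header_value)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def lookalike_domain(domain, trusted):
    """Return the trusted domain that `domain` imitates, or None.

    Heuristic: undo common digit-for-letter swaps (1 -> l, 0 -> o), split the
    result into labels, and report a match when a trusted domain's main label
    shows up inside a domain that is not actually that trusted domain.
    """
    normalised = domain.replace("1", "l").replace("0", "o")
    labels = set(re.split(r"[^a-z]+", normalised))
    for real in trusted:
        if domain != real and real.split(".")[0] in labels:
            return real
    return None


def phishing_signs(raw_message):
    """Parse a raw RFC 822 message and return a list of human-readable red flags."""
    msg = message_from_string(raw_message)
    signs = []
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))

    if from_domain not in TRUSTED_DOMAINS:
        signs.append(f"sender domain {from_domain!r} is not a trusted domain")
    imitated = lookalike_domain(from_domain, TRUSTED_DOMAINS)
    if imitated:
        signs.append(f"sender domain {from_domain!r} looks like {imitated!r}")
    if reply_domain and reply_domain != from_domain:
        signs.append(f"Reply-To goes to {reply_domain!r}, not the sender's domain")

    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if re.search(r"\b(urgent|immediately|today)\b", text):
        signs.append("urgency language in subject or body")
    if "password" in text:
        signs.append("asks for a password")
    return signs


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(f"{name}: {phishing_signs(raw) or ['no red flags found']}")
```

None of these checks proves a message is malicious on its own, and a convincing phish can pass all of them; they only make the “verify through another channel” step easier to trigger. Any message that trips several of them is exactly the kind to report to cybersecurity@vsc.edu rather than answer.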