Human gateways: why social engineering is a risk factor not to be underestimated in companies
Cyber criminals manipulate staff members in a company to gain access to the corporate network
On average, analysts at G DATA Software AG discovered 16 new malware strains per minute in 2017. Criminals on the Internet use perfidious tricks to gain access to confidential company information by manipulating staff members - an activity known in technology jargon as social engineering. G DATA points out what IT managers need to look out for.
Companies generally focus on protecting themselves against specific attack vectors that target the corporate network, ranging from malware such as ransomware, Trojans and viruses, to system misconfigurations and DDoS attacks. One vulnerability frequently underestimated as a gateway by IT security managers is social engineering.
Long gone are the days when staff in HR departments received cryptic email applications from supposedly interested parties. Poor grammar or spelling mistakes used to suffice as an indicator of a bogus or dangerous message. These days, cyber criminals prepare themselves better for an attack, because they have been learning too. According to findings in the Social Engineering Attack Framework report, there are six stages that such an attack goes through:
- Step 1: Attack planning
- Step 2: Gathering information
- Step 3: Preparation
- Step 4: Establishing the relationship
- Step 5: Manipulating the relationship
- Step 6: Debriefing
One good example is a recruiter in a company who frequently accesses social media platforms to look for suitable candidates. The keyword here is ‘scouting’. If a suitable candidate seems to have been found, contact is established with him/her. Criminals are aware of this too and set up fake profiles that they can use to contact the HR manager at the right moment. The perpetrator first gathers information about the HR employee, then builds trust with his counterpart and finally sends a letter of application to the HR employee, referring to the congenial exchange via social media. This approach promises greater success than proactively sending a standardised application. The email contains a brief, concise piece of text, a picture and a PDF attachment. The email and attachment are opened and the malware is run on the computer. The attacker has thus manipulated the staff member into opening the file. The malware might be ransomware that encrypts critical files and demands a ransom to decrypt them. It might also be a Trojan that records keystrokes and sends them back to the attacker; in other words, login passwords are recorded and henceforth supplied to the cyber criminal.
Social engineering is used wherever people can be manipulated and the information obtained promises money for the attackers. This could be valuable staff information, actual access credentials or access to confidential documentation that discloses a trade secret. According to research by IT industry association Bitkom in 2017, digital espionage, sabotage and data theft cause German companies damages of around 55 billion euros every year. As attacks of this type are becoming more popular and more frequent, higher levels of damage can now be expected. The answer to this attack scenario is awareness training for staff.
The first step for IT managers is to make staff members aware of social engineering. For example, G DATA Advanced Analytics, a subsidiary of G DATA Software AG, offers this service. With awareness training, attacks of this type are easier to detect and can be prevented. For example, staff here learn that emails need to be regarded critically, that no sensitive data should be divulged over the phone, and that no links that lead to a login page, for example, should be opened.
Another equally important step is good security software that provides phishing protection. In this way, many attacks can be averted in advance. Such software significantly aids staff, and the legitimate emails that actually matter for daily work are processed more quickly. In other words, the risk of falling victim to a social engineering attack that could cause financial damage is minimised.
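The recruiter scenario above (a friendly application email carrying a PDF that runs malware) and the staff rules in the previous paragraph (treat emails critically, do not follow links to login pages) both lend themselves to automated checks of the kind that phishing protection performs before a person ever opens the message. The following script is an added example written for this article; it is not G DATA's product code and is not from the original text. It applies a few common heuristics to a constructed sample email: it extracts links from the HTML body and flags ones whose visible text names a different host than the real target or that lead to a login-like page on an untrusted domain, and it inspects attachments for executable types, double extensions, a file header that does not match the extension, and PDF features that allow code to run on open. The trusted domain `example.com`, the hostname `example.com.evil.test` and the attachment contents are all constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Leading bytes ("magic") that a file with the given extension should start with.
MAGIC = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
}
# Extensions that Windows will execute directly when double-clicked.
EXEC_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1", ".lnk"}
# PDF name objects that let a document run script or launch something when opened.
PDF_RISKY = [b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/EmbeddedFile"]
# Path or host fragments that suggest a credential-entry page.
LOGIN_WORDS = ("login", "signin", "sign-in", "verify", "password", "account")


def check_attachment(filename, data):
    """Return a list of human-readable findings for one attachment."""
    findings = []
    parts = filename.lower().split(".")
    exts = ["." + p for p in parts[1:]]          # all extensions, e.g. [".pdf", ".exe"]
    ext = exts[-1] if exts else ""
    if ext in EXEC_EXT:
        findings.append(f"{filename}: executable attachment type {ext}")
    if len(exts) >= 2 and exts[-2] in MAGIC and ext in EXEC_EXT:
        findings.append(f"{filename}: double extension disguises an executable as a document")
    expected = MAGIC.get(ext)
    if expected and not data.startswith(expected):
        findings.append(f"{filename}: content does not match the {ext} file header")
    if data.startswith(b"%PDF-"):
        for keyword in PDF_RISKY:
            if keyword in data:
                findings.append(f"{filename}: PDF contains {keyword.decode()}")
    if data[:2] == b"MZ" and ext not in EXEC_EXT:
        findings.append(f"{filename}: Windows executable (MZ header) behind a non-executable extension")
    return findings


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html, trusted_domains):
    """Flag links whose text hides the real host or that lead to external login pages."""
    findings = []
    parser = _LinkExtractor()
    parser.feed(html)
    for href, text in parser.links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        path = parsed.path.lower()
        trusted = any(host == d or host.endswith("." + d) for d in trusted_domains)
        shown = re.search(r"https?://([^/\s]+)", text.lower())   # URL shown to the reader
        if shown and shown.group(1) != host:
            findings.append(f"link text shows {shown.group(1)} but goes to {host}")
        if not trusted and any(w in path or w in host for w in LOGIN_WORDS):
            findings.append(f"external link to a login-like page: {href}")
    return findings


def triage_email(html_body, attachments, trusted_domains=("example.com",)):
    """Run all checks over one message; attachments is a list of (filename, bytes)."""
    findings = check_links(html_body, trusted_domains)
    for name, data in attachments:
        findings.extend(check_attachment(name, data))
    return findings


# Constructed sample message modelled on the recruiter scenario (not a real capture).
SAMPLE_HTML = (
    "<p>Dear Ms. Example, thank you for the pleasant chat on the platform.</p>"
    '<p>My application: <a href="http://example.com.evil.test/login">'
    "https://hr.example.com/portal</a></p>"
)
SAMPLE_ATTACHMENTS = [
    ("application.pdf", b"%PDF-1.7\n1 0 obj << /OpenAction << /S /JavaScript "
                        b"/JS (app.alert('hi')) >> >>\nendobj"),
    ("cv.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60),
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
]

if __name__ == "__main__":
    for line in triage_email(SAMPLE_HTML, SAMPLE_ATTACHMENTS):
        print("FLAG:", line)
```

On the sample, the link is flagged twice (displayed host differs from the real one, and the target is an untrusted login page), the PDF is flagged for each risky object it contains, and `cv.pdf.exe` is flagged as an executable with a document-looking double extension, while the genuine JPEG passes. Heuristics like these produce a verdict a mail gateway can act on, but they complement rather than replace the awareness training the article describes, since an attacker who has built a relationship can also send a clean document and ask for credentials in plain text.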