IT security experts have been saying this for years: IT security training is a fundamental element of any cyber security program, for any company. Year after year, the statistics released by the most renowned security companies confirm it, identifying human error as the most common cause of data breaches, exfiltration attempts, and IT security incidents.
Cybercriminals know this well, and that's the reason why they are increasingly focusing on "social engineering techniques" - psychological manipulations aimed at tricking users into making security mistakes or giving away sensitive information - as the delivery vector of their attacks.
In this post, after a brief overview of the most used social engineering techniques, we'll give some high-level advice to help organizations protect themselves against this kind of cyber threat by raising the IT security awareness of their staff with an IT security training program.
Social Engineering Techniques
Cyber attacks based on social engineering may be attempted in many different forms: the only thing they all have in common is that human interaction is always involved somewhere in the attack. Here's a list of the most common social engineering techniques in use these days.
Phishing
Let's start with one of the most popular social engineering attack types, which (unfortunately) everyone knows all too well: phishing begins with an email or other fraudulent communication sent for the purpose of luring a victim. The message appears to come from a trusted sender.
If the deception is successful, the victim is persuaded to provide confidential information, often on a scam website that imitates a legitimate one. Sometimes, malware is also downloaded to the victim's computer.
Spear Phishing
Spear phishing is a sub-type of phishing, which differs from its more general counterpart in the targeted nature of the attack. More specifically, spear phishing attacks are perpetrated by sending highly personalized messages, which the scammers build from public information collected about the victim, such as: their job field, the role they play in the company where they work, the interests they cultivate, the area where they live, tax information, and any other detail that may emerge from social networks. Such specific details make the emails credible in the eyes of the victim and increase the likelihood of the user opening malicious links or attachments.
Spear phishing emails are typically written in a professional manner and tailored to each victim: the attacker can pretend to be a supporter of a cause shared by the target, impersonate someone known to the victim, or use other social engineering techniques to gain the victim's trust. This simple, yet very important difference is what makes spear phishing much more dangerous (and effective) than common phishing.
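As an added example (not code from the original post), here is a small Python triage script that checks a reported e-mail for the indicators described in the two sections above: a Reply-To or envelope sender that does not match the From address, a lookalike domain built with digit-for-letter substitutions, and link text that names a different host than the real link target. The sample message, the trusted-domain list and the substitution table are constructed assumptions for the example; a real deployment would replace them with the organization's own data.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Assumed: the domains the organization actually sends mail from (example data).
TRUSTED_DOMAINS = {"example.com"}

# Constructed sample message: the display name claims to be the CEO, the
# envelope sender and Reply-To point elsewhere, and the visible link text
# hides a lookalike domain.
SAMPLE_EMAIL = """\
Return-Path: <bounce@examp1e-payroll.com>
From: "Jane Doe (CEO)" <jane.doe@example.com>
Reply-To: jane.doe@examp1e.com
To: employee@example.com
Subject: Urgent: update your payroll details today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please confirm your bank details here:
<a href="https://examp1e.com/login">https://example.com/hr</a></p>
</body></html>
"""

# Common digit-for-letter substitutions seen in lookalike domains (assumed list).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def domain_of(addr):
    """Return the lower-cased domain part of an e-mail address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower().strip() if addr else ""


def looks_like_trusted(domain):
    """True when the domain is not trusted but, after undoing the digit
    substitutions, matches a trusted domain or a subdomain of one."""
    if not domain or domain in TRUSTED_DOMAINS:
        return False
    normalized = domain.translate(HOMOGLYPHS)
    return any(normalized == t or normalized.endswith("." + t)
               for t in TRUSTED_DOMAINS)


def host_of(url_or_text):
    """Strip the scheme and path from a URL-like string, keeping the host."""
    return re.sub(r"^https?://", "", url_or_text.strip()).split("/")[0].lower()


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw):
    """Return the list of phishing indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = domain_of(parseaddr(str(msg.get("From", "")))[1])
    reply_domain = domain_of(parseaddr(str(msg.get("Reply-To", "")))[1])
    return_domain = domain_of(parseaddr(str(msg.get("Return-Path", "")))[1])

    # Replies would go to a different domain than the one shown in From.
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")
    # Envelope sender differs from the header From: display-name spoofing.
    if return_domain and return_domain != from_domain:
        findings.append("return-path-mismatch")
    for d in (reply_domain, return_domain):
        if looks_like_trusted(d):
            findings.append("lookalike-domain:" + d)
            break

    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            href_host, text_host = host_of(href), host_of(text)
            # The visible text names a host other than the real target.
            if "." in text_host and text_host != href_host:
                findings.append("link-text-mismatch")
            if looks_like_trusted(href_host):
                findings.append("lookalike-link:" + href_host)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print(finding)
```

The checks are deliberately cheap header and body heuristics that an IT manager receiving reported messages can run offline; they complement, not replace, SPF/DKIM/DMARC evaluation done by the mail gateway.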
Baiting
Baiting is a social engineering technique based upon exploiting people's curiosity: its main goal is to let criminal hackers launch an attack using an infected storage device, such as a USB pen drive "abandoned" in a strategic place.
The technique is very simple. The infected device is left unattended in a strategic position near or within the target company, where it is likely to be noticed by one or more employees, arousing their interest and (as the attacker hopes) inducing them to inspect its content using one of the organization's computers. As soon as the device is connected to that computer and its content is opened, the damage is done: the malicious program executes and tries to spread across the company's network, installing the intended malware (ransomware, a remote-access tunnel, a worm, and the like). Note that on modern operating systems autorun for removable media is disabled by default, so the payload usually relies on the victim opening a disguised document or shortcut on the drive, or the "pen drive" is actually a device that presents itself as a keyboard and types the commands itself.
What makes baiting one of the most subtle and dangerous cyber threats is the psychological aspect: curiosity is an innate instinct, deeply rooted in human nature, which can be easily exploited to push the victims to do what the hacker wants.
It's worth noting that baiting scams don't necessarily have to be carried out in the physical world: there are plenty of online baiting schemes, such as enticing ads or websites that encourage users to download a malware-infected application (to get free downloads, access exclusive content, and so on).
Scareware
The term "scareware" identifies a class of malicious software whose installation is pushed on users through fraudulent marketing techniques: today these tools are most commonly grouped under the malware class known as Rogueware or FraudTool.
Scareware tools are mostly spread through the internet using both seemingly legitimate marketing campaigns and outright spam campaigns. The software is often presented as a tool for OS maintenance, anti-malware, or speed/optimization purposes. Its name is typically chosen to recall known and reliable products, which is clearly an attempt to reassure users about the quality of the software and the seriousness of those who develop it. The main goal of scareware is to get the user to voluntarily download and install the software on their own computer. Needless to say, the installation process will ask the victim to grant the tool administrative privileges (which are then used to install further malware, uninstall the existing antivirus, and so on).
A typical scareware vector (which is also the main reason for its name) is a fake ad appearing on the user's screen in the form of an "emergency" pop-up, warning the potential victim that their OS is infected with viruses or suffers from serious anomalies which could easily be fixed by downloading, installing and running the scareware tool.
Pretexting
Pretexting (inventing a pretext) works in a similar way to phishing, but through different means such as telephone calls, interviews, or other channels, always using the typical techniques of social engineering. The hacker/criminal presents themselves as an employee of a legitimate company to induce you, with rather elaborate lies, to provide personal and confidential information. They may introduce themselves as an employee of your bank, a public office, the telephone company, or the pay-TV provider and tell you that there is a problem with your account that can only be resolved if you confirm your personal information: your social security number, login credentials, and other similar data.
The tone of the phone call can vary widely, from conciliatory to anxious, passing through rigid, detached, or particularly cheerful ones. It's all part of the game: pushing the user into doing what the hacker/criminal wants - granting access to restricted resources, systems, services, or physical spaces.
Risks and costs of Data Breaches
Preventing cyber attacks and data breaches from happening is of utmost importance for any organization, because they can easily have a major business impact, such as:
- Economic loss. Cyber attacks cause huge economic losses, regardless of who is affected. Beyond the direct economic loss, the costs of a cyber attack also include other important aspects, such as: the cost of emergency management, the costs resulting from the loss of know-how and sensitive data, and the loss of credibility and brand image.
- Loss of time resources. A great deal of time is required to resolve the problems caused by a security breach. In many cases, the attack results in the stoppage of production and work activities because it is not possible to access the computer systems or management software. Furthermore, to clean up a system that has suffered an attack, technicians must be able to analyze it from top to bottom and restore a correct level of security.
- Legal costs. A hacker attack is a criminal act, which legally forces the company to perform a number of (potentially costly) activities: typically, following a cyber attack, sensitive information, patents and technologies are leaked. If the attack also involves the personal data of individuals, the GDPR imposes further obligations: the data controller must notify the competent supervisory authority (the local Data Protection Authority, DPA) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and must also inform the affected data subjects when the breach is likely to result in a high risk to them; a data processor, in turn, must notify the controller.
Now that we have enumerated the most used social engineering techniques (and the risks they may entail), let's spend a couple of minutes to understand what makes the role of the human factor so relevant in the overall system from an IT Security perspective.
If we think about it for a minute, we can easily see how any protection tool - even the most complex and advanced ones - can do little if it is used incorrectly, if it is deactivated, or if those who work in the company perform actions that undermine its function. When faced with the irresponsible behavior of a single individual, even the most powerful firewall, antivirus, or SIEM can easily become useless or ineffective.
If a user with enough privileges manages to disable the antivirus and then plugs in a (possibly infected) USB pen drive, for example, there's little the system administrators can do: sure, they could prevent standard users from disabling the antivirus and/or connecting unauthorized USB pen drives, and reserve these privileges for admin users only... but even system administrators are not immune to that kind of mistake - unless they are properly trained.
Furthermore, there are a lot of scenarios where you simply cannot block a standard user from performing potentially harmful activities: from phishing e-mail messages to fake websites, not to mention scams and even physical breach attempts - what if the hacker shows up at the company's front door dressed as a courier to deliver a package, and manages to reach an unattended workstation? Are you sure that your organization has the proper awareness (and processes) to stop such a scenario from causing serious harm?
The importance of an IT Security Training Program
The best thing we can do to raise such awareness is to define (and apply) a good cyber security training process. Pay attention to the term we have used: a training process, not just a course. A good IT security training course can be the initial part of such a process, but if it's not backed by a platform that provides on-the-job training activities, daily assistance, and a common knowledge-sharing repository, the attendees will easily forget everything within a couple of months. It goes without saying that such a process should be tailored to the characteristics of the organization, which will also help to customize the training part - and to closely link it to the protection tools implemented at the level of IT infrastructure and company policies.
By adopting such an approach, it would be possible - for example - to run phishing simulation campaigns to get employees into the habit of systematically reporting suspicious messages to IT managers, and to measure, campaign after campaign, how many recipients report the message versus how many click the link. This will greatly help the organization to be prepared in advance for what could (and most likely will) happen someday, greatly mitigating the risk that the human factor will negatively affect the overall response.
It's important to understand that IT security competence does not derive solely from conceptual knowledge of the topics, but also from real-life case histories, practical exercises, and field analysis: in other words, IT security training must strongly take into account the practical aspect. For this reason, defining and applying a good cyber security training process is crucial for any organization that seriously wants to minimize the risks coming from this kind of threat.