Social hacking that won’t be flagged up by your antivirus software!
Social engineering in the context of information security is the practice of psychologically manipulating a target with the aim of getting the target to disclose sensitive information or perform actions that put the information system (IS) or personal data at risk, based on several human traits such as forgetfulness, greed, impatience or, of course, trust.
But although social engineering is the hacking of humans, what is its real impact on IS security?
Is there any way to be protected from it? Firewalls for humans?
Social engineering – or people hacking – has always been an entry point of choice for cybercriminals, since it does not necessarily require advanced technical skills in computer science, but instead requires knowledge in psychology, or even sociology.
Social engineering attacks usually start with a simple email, phone call or text message. There are also more advanced methods such as "Bad USBs", or malicious USB keys.
Some attacks are even carried out through direct contact with the victim. In this scenario, the hacker selects victims according to a list of predefined criteria. The attack then relies on building a bond of trust or a shared gain with the victim, or on threatening and blackmailing the victim into disclosing passwords or details of the security solutions in use. In some cases, the victim may also be prompted to click on a link or image that delivers a Trojan horse or other malware.
The reason social engineering attacks have such an impact on information security is that they form part of targeted attacks, which are often silent crises: they directly affect data confidentiality without disturbing the visible functioning of the IS. Such crises are difficult to detect and to resolve conclusively.
In this kind of crisis, the human being is the weakest link in the system, and it is a link that no technical security control accounts for when preventing attacks.
Now that we know what might happen, how do we protect ourselves?
From an IS security point of view, there is nothing better than vigilance! Training and user awareness are the keys to this struggle. To be effective, any action must go beyond posting notices on company walls or sending emails about digital security issues. To reach the largest number of employees and make them aware of this subject, the best approach is to plan training sessions that illustrate different attack scenarios, including interventions by real hackers. Such sessions not only give users an idea of the mindset of cybercriminals and the way they operate, but above all show users the best practices for ensuring data security in general.
Several online training courses are already available, such as the MOOC SecNumacadémie, created by the experts of the French National Agency for the Security of Information Systems (ANSSI). It offers an awareness-raising programme on the threats posed by cybercrime.
In addition, many training organizations, such as Numeryx University, have focused their training programs on cybersecurity.
With this perspective, each company will have a team of cyber defenders – a whole army of vigilant users capable of detecting computer attacks – an additional layer to its security policy!