The CommunityBanker, p. 16

Social Engineering: Attacking the Human Element
By Jonathan Ramirez, Security Support Technician, CoNetrix

Finally, after weeks of addressing each vulnerability in your network, you are relaxing with a sense of relief. Then suddenly, you are bombarded with reports that users are being locked out of important files and systems by a ransomware attack. You realize you overlooked the most important vulnerability: the human element. It is no secret that people are easy to exploit, which makes them a favorite entry point for malicious actors seeking access to corporate systems. Let's dig deeper into social engineering and review the steps to prevent a successful attack.

What is Social Engineering?

Social engineering is an attack based on deception that tricks users or administrators at the target site into revealing confidential or sensitive information [1]. Often the attacker impersonates a C-level executive, a member of the IT department, or a company such as Microsoft to obtain passwords or other details that feed a more complex attack. The usual delivery channels are phone calls, emails, and text messages.

How do hackers prepare for these attacks?

These attacks do not happen overnight. Many social engineering attacks are prepared for weeks or even months and tailored to each victim, following the social engineering attack cycle. The cycle comprises four steps: Information Gathering, Establishing a Relationship, Exploitation, and Execution.

1. Information Gathering is the most important step in a social engineering attack. The more information the perpetrators have, the easier and more convincing their attack will be. Sources include social media posts, the target's interests, and the identity of the target's supervisor, all of which can be used to craft a phishing message.

2. Establishing a Relationship: This step revolves around contacting the target and using the information gathered to support a fake identity. Attackers can use social media, email, phone calls, or texts to make contact.

3. Exploitation: This step signals that the attacker has built a relationship with the intended victim and is ready to act. The attacker sends a link that appears to be in the interest of the target or the target's organization. Such links typically lead to a page that asks the recipient to enter credentials or other personal information.

4. Execution: The attacker is in before anyone is aware of it, uses what was obtained, and cleans up afterward, leaving as little trace as possible.

The different types of Social Engineering attacks

Social engineering is an umbrella term for the many ways hackers attempt to manipulate vulnerable targets. In 2021, phishing attacks accounted for 90% of all data breaches [2]. With new attack modes constantly emerging, one of the best ways to protect yourself and your organization's employees is to be able to identify the different types of attacks. Below are three common methods of attack:

• Phishing: This is the most popular mode of attack businesses see today. Phishing is a social engineering technique where the attacker sends a fraudulent email
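The exploitation-step lure described above, and the executive impersonation mentioned earlier, leave measurable traces in the message itself. The following Python script is an added example, not part of this article and not CoNetrix's tooling, that triages a single email for those traces: a display name matching a known executive sent from an untrusted domain, a look-alike sender or link domain, a Reply-To header that diverts replies elsewhere, and credential-request or urgency wording. The bank, its executives, the trusted domains and both sample messages are constructed for the example.

```python
"""Triage one inbound email for the impersonation pattern the article describes.
Added example, not from the article: every name, domain and message is constructed."""
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed organisation data (assumption): legitimate domains for the bank
# and its vendor, and the executives an attacker would most likely impersonate.
TRUSTED_DOMAINS = {"examplebank.com", "microsoft.com"}
EXECUTIVES = {"dana whitfield": "CEO", "luis ortega": "CFO"}
CRED_WORDS = ("password", "verify your account", "login", "sign in", "credentials")
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "right away")
URL_RE = re.compile(r"https?://([^/\s<>\"']+)", re.I)

def levenshtein(a, b):
    """Edit distance, used to catch one-character domain swaps such as l -> 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def registrable(host):
    # Last two labels stand in for the public suffix list; fine for these samples.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def lookalike_of(host):
    """Return the trusted domain that `host` imitates, or None. Subdomains of a trusted
    domain are legitimate; any other host that embeds a trusted brand label or sits one
    edit away from a trusted domain is a look-alike."""
    host = host.lower()
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in host or levenshtein(reg, trusted) <= 1:
            return trusted
    return None

def body_text(msg):
    if msg.is_multipart():
        return "\n".join(p.get_payload(decode=True).decode(errors="replace")
                         for p in msg.walk() if p.get_content_type() == "text/plain")
    return msg.get_payload()

def analyze(raw):
    """Return the indicators found in one RFC 822 message plus a verdict."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    findings = []
    role = EXECUTIVES.get(name.strip().lower())
    if role and from_dom not in TRUSTED_DOMAINS:       # display name spoofs an exec
        findings.append(("executive-impersonation", f"{name} ({role}) via {from_dom}"))
    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(("lookalike-sender-domain", f"{from_dom} ~ {imitated}"))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:         # replies are diverted
        findings.append(("reply-to-mismatch", f"{from_dom} -> {domain_of(reply)}"))
    text = body_text(msg)
    for host in URL_RE.findall(text):
        imitated = lookalike_of(host.split(":")[0])
        if imitated:
            findings.append(("lookalike-link", f"{host} ~ {imitated}"))
    lowered = (msg.get("Subject", "") + "\n" + text).lower()
    if any(w in lowered for w in CRED_WORDS):
        findings.append(("credential-request", "asks the reader to log in"))
    if any(w in lowered for w in URGENCY_WORDS):
        findings.append(("urgency-pressure", "time pressure in subject or body"))
    return {"findings": findings, "verdict": "suspicious" if len(findings) >= 2 else "ok"}

# Constructed samples: an exploitation-step lure and a benign internal note.
PHISHING_SAMPLE = """\
From: Dana Whitfield <dana.whitfield@examp1ebank.com>
Reply-To: dwhitfield@mail-relay.example.net
To: accounts@examplebank.com
Subject: Urgent wire approval

Hi, I need you to sign in and confirm the pending wire immediately:
https://examplebank-secure.com/login
Please keep this between us. - Dana
"""
LEGIT_SAMPLE = """\
From: Dana Whitfield <dana.whitfield@examplebank.com>
To: accounts@examplebank.com
Subject: Quarterly numbers

The Q3 deck is on the shared drive under https://intranet.examplebank.com/q3.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISHING_SAMPLE), ("legit", LEGIT_SAMPLE)):
        result = analyze(sample)
        print(label, result["verdict"], [kind for kind, _ in result["findings"]])
```

Run as a script, the lure is reported as suspicious with all six indicators and the internal note as ok with none. The structural checks (sender domain, Reply-To, link domains) are the ones worth wiring into a mail gateway; the wording checks are easy for an attacker to avoid and mainly raise the score. A production filter would replace the two-label `registrable()` shortcut with the public suffix list and the arbitrary two-indicator threshold with tuning against real mail.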