
Social engineering in information security

Updated: Sep 23

In the article Information security: roadmap and competency model we put forward the thesis that one of the most vulnerable points in information security is people. You can build what looks like an impenetrable defense, but what good is it if an employee receives a call from a spoofed number, in an imitated voice, on behalf of the CEO, and does everything he is told?

That is why in almost 50% of cases an attack on a company begins with social engineering. But what is social engineering, how does it work, and how do you protect yourself from it? Let's figure it out.


What is social engineering?

Social engineering is the collection of data about a person or organization, followed by psychological manipulation of that person so that he performs certain actions: reads out the three digits from the back of a bank card, takes out a loan and transfers the money to scammers, launches a program on his work computer, or simply transfers money from the organization's account to the scammers' account.

Techniques

So what social engineering techniques are there?

Pretexting

Almost everyone is familiar with this method: interacting with the victim according to a pre-written script. For example, you get a call from the "bank security service", and the caller leads you through a prepared scenario. Ultimately, you must either take the required action or disclose the required information.

Such attacks are characterized by preparation: the attackers find out the person's name, position, current work projects, and so on. All this is needed to build trust.

Phishing

Typically, phishing works through email. You receive a message, again, for example, from the "bank". It contains a link you must follow to pay a fine or confirm your details. The message looks convincing thanks to the logos and its tone. Next, you enter confidential data (logins, passwords, etc.) on the fake site, and it goes straight to the attackers.

Trojan horse

Here the attackers play on curiosity or the desire for a freebie. The same email may carry an attachment, for example a "free" version of a popular program. The person installs the software with the malware embedded in it, and the result is file encryption, pornographic banners across the entire screen, silent collection of data from the computer, and so on.

Road apple

This is a variant of the Trojan horse, only the delivery is not by email but on physical media. A person walks from the parking lot to the office, finds a branded flash drive, plugs it in, and everything proceeds as in the Trojan horse scheme: infection and the full range of "entertainment".

Quid pro quo

The attacker calls the company at a random extension, introduces himself as a technical support employee and asks whether the victim has any technical problems. If there are (and most likely there are), the pretexting begins: the employee performs the requested actions, and the attacker installs malware.

Reverse social engineering

Here the work is done in reverse: the victim is made to call the attacker and ask for help.

For example:

  • first, the victim receives an email that says "if you have problems with your computer, call such and such a number";

  • then a problem arises: the Internet connection disappears;

  • then the victim himself calls the attackers.

Who falls for social engineering and how?

You may say: "What is this, kindergarten? Why do we need this?" But we recommend looking at the statistics below. Statistics are a stubborn thing.

Figure: Social engineering in dynamics. People are increasingly falling for the tricks of scammers.

The most effective scheme today is phishing. Clicking the link, entering credentials on a fake site and launching a suspicious file are all well understood. But who goes further and enters into correspondence and conversation with the attackers?

According to research by Positive Technologies, in 88% of cases it is ordinary company employees who enter into correspondence: accountants, lawyers, managers, and so on. Moreover, 25% of them are department heads, that is, middle management. Detailed statistics are shown in the graph.

Moreover, once on a phishing site, people begin to enter different variations of their passwords, including those for personal accounts, to double-check whether they made a typo, because the site reports that the login and password do not match. In some cases this was repeated 30–40 times! A fake login page that always answers "wrong password" is a cheap way to harvest every password the victim can remember.

A huge increase in effectiveness also comes from sending from a real, legitimately registered email address, for example one belonging to a shell company, rather than from an obviously fake one.

We also provide a list of the email subjects that people trust the most.

Can we say that these people are inattentive? Yes and no. Consider a practical example. One of our partners used the delivery services of a large company. At one point, while waiting for a parcel, he received an email: "Ivan Ivanovich, your parcel has arrived! Follow the link and choose a convenient delivery time." That is, the attackers had obtained a database of personal data and sent out targeted mailings. Would you have avoided falling for such a trick?

In our view, such sad statistics on user behavior are due both to a decline in attentiveness and to the growing ingenuity of attackers. Even multi-factor authentication is defeated through social engineering: the phishing site asks for the login and password, then for the one-time code from the SMS or authenticator app, and the attacker enters all three on the genuine site while the code is still valid.

Countermeasures and recommendations

1. Training

The most basic protection against social engineering is training: forewarned is forearmed. Employees also need clear instructions and reminders about what topics they may and may not discuss with a caller, and what information they must obtain from him to reliably authenticate the interlocutor.

Let's take a closer look at what needs to be taught:

Working with passwords

Explain that the same passwords must not be used for personal and work accounts. Beyond social engineering, database leaks are now a regular occurrence, and a password leaked from a personal service will be tried against the work account.

Rules of behavior with visitors

Clear rules are needed for verifying a visitor's identity and escorting him. A company employee must be with the visitor at all times. If an employee encounters a visitor wandering the building alone, he must have instructions for establishing why the visitor is in that part of the building and where he is being escorted. After all, such a guest can easily plant a flash drive with malware.

Rules for the presentation and authentication of “friends”

The company should have clear rules for telling "friend" from "foe", and for what may and may not be communicated to outsiders.

Ignore and do not communicate with suspicious callers

Your voice may be recorded and later used to impersonate you. If in doubt, hang up and call back yourself on the official technical support number. This matters because attackers can spoof caller ID, so the number displayed on the screen proves nothing.

Working with mail

When working with mail, check the senders of messages and the links inside documents (hover over a link to see where the hyperlink actually leads). Do not open suspicious attachments or links, and do not fall for "hot" subjects (events, layoffs, bonuses, undelivered emails).

Keep in mind that any attachment can be dangerous:

  • ZIP and RAR archives: attackers love hiding malicious files in archives, and unpacking and opening the contents can infect the PC immediately. Archives are also often password-protected, with the password in the message body, so that mail gateways cannot scan them.

  • Microsoft Office documents: Word documents (.doc, .docx), Excel spreadsheets (.xls, .xlsx, .xlsm) and presentations may contain malicious macros. Since 2022 Microsoft has blocked macros by default in Office files downloaded from the Internet (those carrying the Mark of the Web), but the block does not cover files that never received the mark, and a user can still be talked into unblocking the file.

  • PDF files: the format allows embedded JavaScript that the viewer executes, and such documents often contain phishing links.

  • ISO and IMG disk images: virtual copies of CDs, DVDs or other discs, which Windows mounts with a double click, may also contain malware. For a long time files inside a mounted image did not inherit the Mark of the Web, which let them slip past the macro block and SmartScreen (Microsoft has since fixed this).
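The checks above (sender, hyperlink target, attachment type, "hot" subject) can be applied mechanically before anyone opens a message. The script below is an added example, not code from the original article: it parses a raw RFC 822 message and reports the red flags the section lists. The message, every address and domain (reserved .example and .invalid TLDs), the attachment contents, the urgency word list and the extra executable extensions (.exe, .js, .vbs, .lnk, .hta) are all constructed for the example.

```python
"""
Triage a raw e-mail for the social-engineering red flags discussed above:
  - display name carrying a different e-mail domain than the real sender,
  - Reply-To going to a third domain,
  - links whose visible text names one site while the href points to another,
  - attachments of the risky types listed (archives, Office documents, PDFs,
    disk images) plus outright executables and decoy double extensions,
  - urgency wording in the subject.
Everything below is constructed for the example; it is not a real capture.
"""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extension groups from the article's list; the "executable" group is our addition.
RISKY_EXTENSIONS = {
    "zip": "archive", "rar": "archive", "7z": "archive",
    "doc": "office document", "docx": "office document", "docm": "office document",
    "xls": "office document", "xlsx": "office document", "xlsm": "office document",
    "ppt": "office document", "pptx": "office document", "pptm": "office document",
    "pdf": "pdf (may embed JavaScript or phishing links)",
    "iso": "disk image", "img": "disk image",
    "exe": "executable", "js": "executable", "vbs": "executable",
    "lnk": "executable", "hta": "executable",
}
# Harmless-looking extensions used as a decoy in names like invoice.pdf.exe.
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
# Constructed pressure vocabulary; a real deployment would tune this list.
URGENCY_WORDS = ("urgent", "immediately", "blocked", "suspended", "24 hours", "final notice")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Crude registrable part: the last two labels. Fine for the sample; a real
    tool should consult the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text: str) -> str:
    """Hostname if the link text is a URL or bare domain, else '' (plain words)."""
    if " " in text or "." not in text:
        return ""
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname or ""


def triage(raw: bytes) -> list[str]:
    """Return a list of human-readable findings for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Sender: a display name that looks like an address from another domain,
    #    and a Reply-To that sends answers somewhere else entirely.
    sender = msg["From"].addresses[0] if msg["From"] else None
    if sender:
        if "@" in sender.display_name:
            claimed = sender.display_name.rpartition("@")[2].lower()
            if registrable_domain(claimed) != registrable_domain(sender.domain):
                findings.append(f"display name claims {claimed} but address is {sender.addr_spec}")
        if msg["Reply-To"]:
            reply = msg["Reply-To"].addresses[0]
            if registrable_domain(reply.domain) != registrable_domain(sender.domain):
                findings.append(f"Reply-To {reply.addr_spec} differs from From domain {sender.domain}")

    # 2. Urgency pressure in the subject line.
    subject = str(msg["Subject"] or "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append(f"urgency wording in subject: {', '.join(hits)}")

    # 3. Links: the text the reader sees names one site, the href goes to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        extractor = LinkExtractor()
        extractor.feed(body.get_content())
        for href, text in extractor.links:
            shown, real = host_of(text), urlparse(href).hostname or ""
            if shown and real and registrable_domain(shown) != registrable_domain(real):
                findings.append(f"link text shows {shown} but points to {real}")

    # 4. Attachments of risky types, and decoy double extensions.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        labels = name.lower().split(".")
        ext = labels[-1] if len(labels) > 1 else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {name}: {RISKY_EXTENSIONS[ext]}")
        if len(labels) > 2 and labels[-2] in DECOY_EXTENSIONS:
            findings.append(f"attachment {name}: double extension (.{labels[-2]}.{ext})")
    return findings


def build_sample() -> bytes:
    """Constructed phishing-style message for the demo (not a real capture)."""
    html = """
    <p>Dear customer, your account will be blocked unless you confirm your details.</p>
    <p><a href="http://bank.example.secure-verify.invalid/login">https://bank.example/login</a></p>
    <p>Questions? <a href="https://bank.example/contacts">bank.example</a></p>
    """
    msg = EmailMessage()
    msg["From"] = '"security@bank.example" <noreply@mailer-17.invalid>'
    msg["Reply-To"] = "support@helpdesk-bank.invalid"
    msg["To"] = "ivan.ivanovich@company.example"
    msg["Subject"] = "URGENT: your account will be blocked in 24 hours"
    msg.set_content("Open the attached statement.")
    msg.add_alternative(html, subtype="html")
    msg.add_attachment(b"PK\x03\x04 not a real archive", maintype="application",
                       subtype="zip", filename="statement.zip")
    msg.add_attachment(b"not a real workbook", maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12", filename="Q3_report.xlsm")
    msg.add_attachment(b"MZ not a real program", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print("-", finding)
```

Run it as-is and it lists eight findings for the constructed message; feed `triage()` the bytes of a real `.eml` file to try it on your own mail. The domain comparison deliberately uses the registrable domain rather than the full hostname, because the classic trick is to put the real brand in a subdomain of an attacker-controlled domain.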

Ignore the "urgency"

Attackers like to apply pressure through urgency and manufactured stress. A request that supposedly cannot wait for you to hang up and call back through an official number is itself a warning sign.

Use two-factor authentication

Update software on personal equipment

Maintaining digital hygiene

If you are the head of the organization or one of its executives, you will be watched. Yes, you always want to share your victories, and this is needed to promote the company, but there must be a balance, and it is best to avoid publishing inside information and personal events.

2. Exercises

Exercises (for example, simulated phishing mailings) should be conducted periodically, the results analyzed, the causes understood, and the training programs and materials adjusted accordingly.
