CASES.LU


Social engineering

In brief

Social engineering is a technique that aims to access confidential information or certain assets by manipulating people who have direct or indirect access to it. One example of social engineering is phishing.

Social engineering doesn’t just apply to the IT domain; it can also occur in daily life and, in particular, at the workplace. As soon as assets of a certain interest are at stake, attacks of this type may occur.

The human factor is the focal point of social engineering attack techniques. In essence, it is the intelligent manipulation of our natural propensity to trust. Relationships based on unearned trust are developed in a calculated way, most often through simple conversation, and are then exploited to gain as much profit from the situation as possible.

Social engineering can take place over the phone, by email, through social networking or, of course, in the physical presence of the attacker.

How does it work?

Social engineering techniques exploit certain human vulnerabilities and vulnerabilities in the targeted entity’s organisation. In fact, it’s human nature to want to help others and trust people who are polite and friendly, even if they’re total strangers. It all depends on the situation and the way in which the wrongdoer(s) present(s) themselves to us. Very often, a simple request asked in a direct manner by the attacker may be all it takes to get the victim to respond sincerely.

The aim of the attack is to make a person do something that they wouldn’t normally do; the attacker’s motivation being to obtain information that they cannot normally access. In an increasingly digitalised world, this very often (but not always) comes down to obtaining authentication information.

An attacker may, for example, initially try to establish a relationship of trust with a member of staff with whom they will spend a certain amount of time trying to uncover information about the targeted company. It is therefore not uncommon to meet attackers with an in-depth knowledge of the jargon employed by the company’s business line and the procedures it has put in place. This makes it easier to make internal contacts and to place requests which may otherwise appear suspicious.

From the employee’s point of view, they are presented with a person who seems to be aware of internal procedures and who uses the same jargon. In a large company where it is difficult to know everybody, the employee has no reason to be suspicious and often ends up cooperating. Thinking they are doing their job correctly, they have no reason to refuse to help a person who they believe to be a colleague.

Very often, the victim only realises they have been tricked after the fact, once the attacker has already left the premises without leaving a trace, but in possession of precious information.

Other strategies are also possible, notably with regard to picking up clues that lead to information. The attacker may present themselves as an investigator looking into the business of the targeted person or entity. In particular, they may ask a series of innocuous questions, among which is hidden one whose answer is of particular interest to the attacker.

The attacker may also adopt a completely different strategy, for example, by putting their victim at an impasse and presenting themselves as the only person who can solve their problem. In the majority of cases, the victim will cooperate and will respond without batting an eyelid at the attacker’s specific questions.

Protective measures

Behavioural measures

  • Before going on a business trip, read through the Ministry of the Economy and Foreign Trade’s be-safe programme
  • Do not reveal internal information about your work or company on social networks
  • Do not respond to illicit requests for information (whether in person or by telephone)
  • Any information, even seemingly insignificant, must be considered important and therefore protected.
  • You should also be vigilant regarding seemingly harmless Internet surveys and quizzes.
  • Alarm bells should ring if a person you don’t know becomes very curious, even if the questions do not directly relate to confidential information.
  • Do not click on unsolicited or suspicious-looking links in emails or on social networks. If in doubt, contact the (supposed) sender to check whether the email is legitimate (see also: email – best practice, malware: best practice).
  • Never share your Internet or computer login details or password with anyone, even if the request seems very credible. Your company’s IT department does not need them and will never ask you for them. The same applies to banks, online shops or any other services that might ask you for information via email.
  • Never carry out orders for a stranger, whether by telephone, email or direct contact if these orders concern sensitive information.
  • If in doubt, check the identity of your phone or computer contact. On the telephone, you could, for example, ask your correspondent for their telephone number and call them back once you’ve verified it. This preventative measure is a good way to tell if your correspondent actually does have authorised access to the telephone line they’re calling you from.
  • If in doubt, do not make impulsive decisions. Take some time to reflect, so that you free yourself from the aggressor’s pressure. Don’t worry about asking an unknown correspondent to call you back the following day. Doing so will give you the chance to consider the situation carefully and resolve the issue calmly.
  • Always log off websites and other online services using the button provided for this purpose. If you don’t log out manually, the session may remain open and make it easier for attackers to gain access.
  • Never open an email attachment from an unknown or suspect sender. The same goes for suspicious files on websites. Attachments like these may contain Trojans that give an attacker access to all of the files and data stored on your computer (See also: email – best practice, malware: best practice).
  • Never leave paper documents containing sensitive information in plain view. Likewise for documents thrown in the bin. Make any documents you no longer need illegible.
