Social engineering, in the context of information security, is the practice of psychologically manipulating a target in order to induce them to divulge sensitive information or to perform actions that jeopardize an information system (IS) or the target's personal data. It relies on a number of human traits such as forgetfulness, greed, impatience or, of course, trust.
But if social engineering is the hacking of humans, what is its real impact on IS security?
And in that case, is there any protection? Human firewalls?
Social engineering, or people hacking, has always been a prime entry point for cybercriminals, as it does not necessarily require advanced technical skills in IT, but rather knowledge of psychology and even sociology.
Attacks based on social engineering usually start with a simple e-mail, phone call or text message. There are also more advanced methods, such as “Bad USB” or malicious USB sticks.
Some attacks even involve direct contact with the victim. The attacker selects victims according to a pre-established list of criteria. The attack is then carried out either by building a bond of trust and shared gain with the victim, or by threatening and blackmailing the victim into divulging passwords or information about the security solutions in use. In some cases, the victim is also invited to click on a link or image that delivers a Trojan horse or other malware.
Social engineering attacks have such an impact on information security because they form part of targeted attacks, which are often silent crises: they directly affect data confidentiality without disturbing the visible operation of the IS. Such crises are difficult to pin down and to resolve definitively.
In this kind of crisis, the human being is the weak link in the system, and no technical security measure on its own prevents the attack.
Now that we know what is likely to happen, how can we protect ourselves?
When it comes to IS security, there is no substitute for vigilance. User training and awareness are the only keys to success. To be effective, these actions must go beyond putting up posters on company walls or sending out e-mails about digital security issues. The best way to reach as many employees as possible and raise their awareness is to plan training sessions that illustrate different attack scenarios, bring in real hackers who can give users an idea of the mindset and methods of cybercriminals, and, above all, show users the best practices for keeping data secure in general.
Several online training courses are already available, such as the SecNumacadémie MOOC produced by experts from the French National Agency for Information Systems Security (ANSSI). It provides an awareness-raising tool on the threats posed by cybercrime.
In addition, many training organizations, such as Numeryx University, have focused their curricula on cybersecurity.
In this way, every company can build a team of cyber-defenders, a whole army of vigilant users capable of detecting computer attacks: an additional layer in its security policy!