Cyber Security Tutorial


Social Engineering

Introduction

In cyberspace, people communicate via the internet. Humans, however, make mistakes, knowingly or unknowingly, and cyber criminals exploit those mistakes for their own benefit. When people are manipulated into sharing confidential information during such communication, the technique is termed social engineering.

"Social engineering: malicious activities accomplished through human interaction."

"Social engineering is the art of manipulating human psychology, or exploiting human mistakes, while people use the internet or handle a cyber situation."

While using social sites, applications and other online services, people make mistakes, and those mistakes give attackers a foothold to obtain private information, valuables or access. Cybercriminals take full advantage of human psychology: a person acting under pressure tends to make decisions that open the door to the system they use.

Social Engineering

Social engineering tactics exploit users' natural inclination to trust; it is usually easier to trick a person than to break the software they use. Social engineering is therefore a behaviour-manipulation technique: the attacker works out what motivates the target's actions and uses that knowledge to deceive and manipulate them effectively.

Social engineering attackers exploit a user's lack of knowledge with one of two goals:

  • Sabotage: disrupting or corrupting data to cause harm or inconvenience.
  • Theft: stealing or obtaining personal information, money, or access to a device or network.

The strategy of social engineering attacks

Social engineering attacks succeed because of the attacker's persuasion and confidence. Users are misled through the following levers:

  • Heightened emotions
    Emotion is the easiest lever an attacker can pull. In a heightened emotional state, most people take irrational or risky actions. This weakness gives the attacker an opening for emotional manipulation and keeps them in control of the interaction. Emotions used, in roughly equal measure, to persuade the target include:
    1. Excitement
    2. Anger
    3. Sadness
    4. Fear
    5. Curiosity
    6. Guilt
  • Trust
    Attackers, whether professional hackers or simply people who have researched the target thoroughly, craft a narrative that the user readily believes and that does not raise suspicion. Confidence plays an important role here: the attacker lies to the user with enough conviction that the story is accepted as genuine. People's natural helpfulness, combined with misplaced trust, works against them, and attackers build a false persona specifically to exploit it. For example, after researching a company, a cybercriminal targets two or three employees and sends them an email that appears to come from their manager. The email asks for the password to the accounting database, claiming the manager needs it urgently to make sure everyone is paid on time. Believing the request is genuine and urgent, the employees hand over the confidential information.
  • Urgency
    Attackers create time-bound situations and pressure users into compromising themselves under the guise of a serious problem requiring immediate action. Urgency, whether a time-sensitive opportunity or an urgent request, can override critical thinking. For example, users are shown tempting offers, rewards and prize notifications that must be acted on within a deadline, or the offer will disappear.
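The "manager needs the accounting password" email above carries several tells that can be checked mechanically before anyone replies: a look-alike sender domain, a Reply-To that silently redirects the answer elsewhere, an envelope sender on a third domain, urgency language, and an outright request for credentials. The following is an added example written for this page (not code from the original tutorial) that parses a raw message and reports those signals. It uses only the Python 3 standard library; the trusted domain, the keyword lists, and both sample messages are constructed assumptions for illustration.

```python
"""Flag impersonation signals in an inbound email (added example, stdlib only).

The trusted domain, keyword lists and sample messages below are constructed
for illustration; adjust them to your own environment.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Domain the organisation really sends mail from (assumption for this example).
TRUSTED_DOMAIN = "example-corp.com"

# Phrases that create pressure or ask for secrets (assumed lists; tune for your environment).
URGENCY_WORDS = ("urgent", "immediately", "asap", "right away", "today", "before")
CREDENTIAL_WORDS = ("password", "passcode", "credential", "login")

# Digit-for-letter swaps commonly used in look-alike domains.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def domain_status(domain: str, trusted: str) -> str:
    """Classify a sender domain as 'trusted', 'lookalike' or 'external'."""
    if domain == trusted or domain.endswith("." + trusted):
        return "trusted"
    if domain.translate(HOMOGLYPHS) == trusted.translate(HOMOGLYPHS):
        return "lookalike"          # e.g. examp1e-corp.com
    if trusted.split(".")[0] in domain:
        return "lookalike"          # e.g. example-corp.com.evil.example
    return "external"


def analyse(raw: bytes) -> list:
    """Return the findings for one raw RFC 5322 message (empty list = nothing suspicious)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    status = domain_status(from_domain, TRUSTED_DOMAIN)
    if status != "trusted":
        findings.append(f"from-domain-{status}:{from_domain}")

    # Replies quietly redirected to another mailbox: a classic impersonation tell.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"reply-to-mismatch:{reply_addr}")

    # Envelope sender on a different domain than the visible From header.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path and return_path.rpartition("@")[2].lower() != from_domain:
        findings.append(f"return-path-mismatch:{return_path}")

    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()
    if any(word in text for word in URGENCY_WORDS):
        findings.append("urgency-language")
    if any(word in text for word in CREDENTIAL_WORDS):
        findings.append("credential-request")
    return findings


# Constructed sample: the "manager needs the accounting password" lure.
SAMPLE_EMAIL = b"""Return-Path: <bounce@mailer.bulk-send.example>
From: Priya Sharma <priya.sharma@examp1e-corp.com>
Reply-To: payroll-help@gmail.example
To: ravi@example-corp.com
Subject: URGENT: accounting database password needed before 5pm
Content-Type: text/plain; charset="utf-8"

Ravi, I'm stuck in a meeting and payroll must run today. Please reply with the
password for the accounting database immediately so everyone is paid on time.
Thanks, Priya
"""

# Constructed sample: an ordinary internal message that should produce no findings.
LEGIT_EMAIL = b"""Return-Path: <priya.sharma@example-corp.com>
From: Priya Sharma <priya.sharma@example-corp.com>
To: ravi@example-corp.com
Subject: Q3 planning notes
Content-Type: text/plain; charset="utf-8"

Ravi, the notes from this morning's planning session are in the shared folder.
Thanks, Priya
"""

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, analyse(raw))
```

None of these checks proves an email is malicious on its own (a legitimate bulk mailer also sets a different Return-Path), which is why the findings are returned as a list for a human or a mail gateway to weigh together; the lure above trips all five, the ordinary message trips none.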

Methods of preventing social engineering attacks

  • Safe communication and account management habits
    Online communication channels such as email, text messages and social media are common targets. Users should take these preventive measures:
    • Use multi-factor authentication. Using a single password for multiple online accounts is unsafe, and for business and banking services it can be disastrous. Multi-factor authentication adds an extra layer of verification at login, such as a temporary passcode delivered by text message or phone call, or fingerprint or facial recognition. Note that codes delivered by text message can themselves be phished or intercepted, so an authenticator app or hardware token is preferable where the service offers one.
    • Do not click on unsolicited links in emails or messages. Before clicking a link in a promotional or unexpected message, check the URL: hover over the link to see the real destination, confirm the domain is the organisation's official one, and, if in doubt, look up the official site yourself and navigate to it directly rather than through the link.
    • Use a password manager and strong passwords. Every account should have a different password, built from uppercase and lowercase letters, numbers and special symbols; choose something long and unpredictable, and use a password manager to generate, store and remember passwords safely.
    • Do not overshare personal details. People readily share small details online such as their school name, pet name, favourite colour, star sign or favourite food, and these become a source of information for attackers trying to guess passwords or answer security questions. Consider answering security questions with memorable but false answers, which makes the account harder to break into. For example:
      Security question: What's your favourite game? Instead of "cricket", answer "crawling", which would throw off an attacker who has researched you.
    • Be cautious when making online friends. Connecting with strangers around the world is a common social engineering vector. Some platforms impose few restrictions, so people create fake accounts and commit fraud. Watch for red flags that indicate manipulation or an abuse of trust.
  • Safe network habits
    • Use a VPN. Criminals look for ways to intercept traffic on the network you are using (wired, wireless or cellular); a VPN (virtual private network) provides an encrypted "tunnel" over any internet connection, so someone on the local network cannot read your traffic, and the sites you visit see the VPN's address rather than yours. A VPN does not, however, stop tracking via cookies or protect you from a phishing page you choose to visit.
    • Do not give unauthorised users access to your primary Wi-Fi network. Offer visitors a separate guest Wi-Fi network at home or at the workplace instead. Guests then cannot observe activity on the main network, and the main network's encryption password stays private.
    • Secure all network-connected devices and services, including cloud services. Many people know the basic internet security practices but neglect commonly overlooked devices such as home routers and car infotainment systems.
  • Safe device habits
    • Update software regularly. New versions contain patches for known vulnerabilities. Many people ignore operating system or app updates without realising that they are leaving known security holes exposed; attackers know this behaviour, and unpatched users are prime targets for socially engineered malware attacks.
    • Never leave your device unsecured in public. Lock your computer and mobile device in public places and at work, and keep them in your possession in places such as coffee shops, airports and markets.
    • Stay away from tempting offers. Do not react instantly to offers, prizes and other tempting notifications in emails and messages; they are a favourite lure for social engineers.
    • Use comprehensive internet security software. When social engineering tactics succeed, the result is often a malware infection. A good internet security solution can remove Trojans and other infections and help trace their source.
    • Keep yourself informed about data breaches. Some security solutions monitor new and existing data breaches for your email addresses. If your data appears in a breach, you are notified on your device along with guidance on what to do, which usually means changing the affected password and any account that reused it.
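The advice above to verify a URL before clicking it can be turned into a concrete check. The following is an added example written for this page (not code from the original tutorial) that takes the text a link displays and the address it really points to, and reports the classic tricks: a non-HTTPS scheme, a bogus "bank.example@" prefix that the browser treats as a username, a bare IP address, an internationalised or punycode host that can render as a look-alike, and visible text that names a different site from the real destination. It uses only the Python 3 standard library; the sample links and the optional expected_domain parameter are constructed assumptions for illustration.

```python
"""Inspect a link before clicking it (added example, Python 3 stdlib only).

Sample links and the expected_domain parameter are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit


def same_site(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def link_findings(visible_text: str, href: str, expected_domain: str = None) -> list:
    """Return the reasons a link looks suspicious (empty list = nothing found)."""
    findings = []
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        findings.append(f"scheme:{parts.scheme or 'none'}")

    # "https://bank.example@evil.example/" is parsed as user "bank.example" on host evil.example.
    if parts.username is not None:
        findings.append("userinfo-before-host")

    # Legitimate services almost never link to a bare IP address.
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass

    # Internationalised (IDN/punycode) hosts can render as look-alikes of ASCII brand names.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        findings.append("idn-or-punycode-host")

    # If the visible text itself looks like a domain or URL, it must agree with the real host.
    shown = urlsplit(visible_text if "://" in visible_text else "https://" + visible_text).hostname
    if shown and "." in shown and not same_site(host, shown.lower()):
        findings.append(f"text-host-mismatch:{shown.lower()}->{host}")

    # Optional: the site the user believes they are going to (assumed parameter).
    if expected_domain and not same_site(host, expected_domain.lower()):
        findings.append(f"not-expected-domain:{host}")
    return findings


# Constructed sample links: (visible text, real href, site the user expects).
SAMPLE_LINKS = [
    ("paypal.com", "https://www.paypal.com/signin", "paypal.com"),
    ("www.paypal.com", "http://www.paypal.com.account-verify.example/login", "paypal.com"),
    ("Verify your account", "https://paypal.com@203.0.113.7/verify", None),
    ("paypal.com", "https://xn--pypal-4ve.com/", None),
]

if __name__ == "__main__":
    for text, href, expected in SAMPLE_LINKS:
        print(f"{text!r} -> {href}: {link_findings(text, href, expected) or 'ok'}")
```

The second sample is the most common real-world pattern: the brand name sits at the front of a long hostname so a quick glance reads "paypal.com", but the registrable domain is whatever comes last. An empty result means the structural checks passed, not that the site is safe; the destination should still be one you reached on your own rather than through the message.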

Other tips to avoid becoming a victim

  • Slow down when a message insists on urgency
  • Be wary of any download
  • Research the facts before acting on any request
  • Don't let a link control where you land; type the address yourself
  • Email hijacking is rampant, so a message from a known contact may not be from them
  • Unsolicited rewards, prizes and foreign offers are fake

How to keep yourself protected?

Defending against social engineering is largely a matter of self-awareness. When a user suspects an attack, they should ask themselves the following questions:

  1. Are my emotions heightened right now?
  2. Did this message or email really come from a legitimate sender?
  3. Was this message actually sent by my friend?
  4. Can this person prove their identity?
  5. Are the attachments or links suspicious?
  6. Does this offer sound too good to be true?
  7. Is the website I am about to share details with genuine?

Conclusion:

Social engineering is a class of cyber-attack that depends on human error, so prevention starts with education. Safety improves as users become aware of the threats, and that awareness spreads when users share what they have learnt with family, co-workers and friends.