Social Engineering

Swati Verma
2 min read · Mar 2, 2020

“A lot of companies are clueless, because they spend most or all of their security budget on high-tech security like firewalls and biometric authentication — which are important and needed — but then they don’t train their people.” — Kevin Mitnick

Social engineering (SE) is also referred to as human hacking because it obtains confidential company information by manipulating a person, such as an employee of the company, rather than by attacking the technology. There are various ways to do this, such as impersonating someone else, sending fake emails and phishing. Reverse social engineering, by contrast, is a process in which the attackers first damage the equipment and then offer to help fix it, using that position of trust to obtain information.

One famous social engineering attack was the one against RSA in 2011, where employees received an email with the subject “2011 Recruitment Plan”; the lure was well planned and came with an Excel sheet to back it up. Most of the employees received it in their junk folder, but four employees from RSA’s parent company EMC opened it, and the attackers succeeded in obtaining the company’s SecurID two-factor authentication data.

This phishing attack could have been prevented if the company had been using Windows Data Execution Prevention (DEP). The employees should have verified the authenticity of the email’s sender with the company directly, and the company should maintain firewalls and email filters. The company should advise employees not to open emails from the junk or spam folder, and employees should be tested with simulated social engineering activities to create more awareness and reduce risk. The company should also have an endpoint protection system that can block the latest malware. Is there a way we can completely overcome phishing and so avoid malware attacks?
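The sender-verification and email-filtering controls described above can be approximated in code. The following Python script is an added example, not code from the original post: using only the standard library, it reads the Authentication-Results header that a receiving mail server stamps on each message (the SPF, DKIM and DMARC outcomes), lists attachment file names, and decides whether to deliver, flag or quarantine the message. The two sample messages, the `.test` domains, the keyword list and the scoring thresholds are all constructed for illustration and are not taken from the RSA incident.

```python
"""Triage inbound email for the two signals the RSA lure had: a sender
whose domain does not authenticate, and a spreadsheet attachment."""
import re
from email import message_from_string
from email.message import Message

# Attachment types that commonly carry macros or executable content.
RISKY_ATTACHMENT_EXT = {".xls", ".xlsx", ".xlsm", ".doc", ".docm", ".exe", ".js", ".zip"}

# Subject words that often appear in lures (constructed list for the example).
LURE_WORDS = re.compile(r"\b(recruitment plan|salary|bonus|urgent|invoice)\b", re.IGNORECASE)


def parse_auth_results(msg: Message) -> dict:
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from the
    Authentication-Results header; 'none' when a method is absent."""
    header = msg.get("Authentication-Results", "")
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", header, re.IGNORECASE)
        results[method] = m.group(1).lower() if m else "none"
    return results


def attachment_names(msg: Message) -> list:
    """Collect the file names of all MIME parts that carry a filename."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def triage(raw: str) -> dict:
    """Score a raw RFC 5322 message and return a verdict with its reasons."""
    msg = message_from_string(raw)
    auth = parse_auth_results(msg)
    attachments = attachment_names(msg)
    reasons = []

    # Signal 1: the From domain was not authenticated by the receiving server.
    if auth["dmarc"] != "pass":
        reasons.append(f"sender not authenticated (dmarc={auth['dmarc']}, "
                       f"spf={auth['spf']}, dkim={auth['dkim']})")

    # Signal 2: an attachment of a type that can run code.
    risky = [a for a in attachments
             if any(a.lower().endswith(ext) for ext in RISKY_ATTACHMENT_EXT)]
    if risky:
        reasons.append("risky attachment type: " + ", ".join(risky))

    # Signal 3: a lure-style subject paired with such an attachment.
    if risky and LURE_WORDS.search(msg.get("Subject", "")):
        reasons.append("lure subject combined with attachment")

    # Constructed thresholds: two or more signals -> quarantine, one -> flag.
    verdict = "quarantine" if len(reasons) >= 2 else ("flag" if reasons else "deliver")
    return {"verdict": verdict, "reasons": reasons, "auth": auth, "attachments": attachments}


# Constructed sample: a lure from an unauthenticated domain with an .xls attachment.
LURE = """\
From: "HR Department" <hr@example-staffing.test>
To: employee@example.test
Subject: 2011 Recruitment Plan
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=example-staffing.test; dkim=none; dmarc=fail header.from=example-staffing.test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached recruitment plan.
--b1
Content-Type: application/vnd.ms-excel; name="2011 Recruitment plan.xls"
Content-Disposition: attachment; filename="2011 Recruitment plan.xls"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample: an ordinary internal message that passes all checks.
BENIGN = """\
From: colleague@example.test
To: employee@example.test
Subject: Lunch on Friday?
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=example.test; dkim=pass header.d=example.test; dmarc=pass header.from=example.test
Content-Type: text/plain

Are you free for lunch?
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, triage(raw))
```

The Authentication-Results header is only trustworthy when it was written by your own receiving server, so a production filter must strip any copy of that header that arrives from outside before trusting it; this example assumes the header is genuine.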

The main disadvantage of a reverse social engineering (RSE) attack is that it is complex, so it is difficult to figure out. The best way to prevent it is to outsource only to companies that are trustworthy and vetted, and to run thorough background checks when hiring employees who will have access to sensitive information. Employees need to be educated about SE and RSE; firewalls, antivirus and email filtering alone are not the solution, as each of these has flaws. In present times, where everyone is socially active on every platform and in every way, it is necessary to be aware of SE attacks and prepared to recognise such activities. Companies should also instil a feeling of ownership in employees, as it makes being secure a habit: they will feel responsible for their workplace and will think before sharing any sensitive information.

Swati Verma

Software Developer, Writing enthusiast, Avid Reader, TechSavvy #CodingGirl