Any company or institution may one day face a social engineering attack. Going through discarded waste, looking for poorly protected entrances to a building or, above all, manipulating people are just a few of the techniques that illustrate the complexity and diversity of social engineering. Social engineering is an art in itself, and the following lines focus on how people can be manipulated.
An engaging and effective method of espionage
A kind of ground reconnaissance, social engineering is a method of espionage used to obtain the information an attacker deems necessary before moving on to the actual attack. Malicious individuals do not use it in every attack, nor do they have to, but it clearly makes it easier to establish contact with the targeted institution.
Humans are much easier to trick than machines, and it is through them that attackers intend to carry out their attacks. Although effective, this technique is not the most widely used, because it demands considerable effort and personal involvement from the attacker. By manipulating people, attackers seek to establish a personal link and a feeling of trust with a person they have identified in advance, or with whoever has responded best to their requests for useful information.
From trust to deception
With social engineering, attackers have only one goal: to manipulate the person they have in their grip by pretending to be someone they are not. To make their impersonation succeed, attackers do everything possible to make their story credible. First of all, they gather at least a minimum of information about the institution or person they intend to attack. Once trust has been established, they use subtle techniques to get their prey to reveal more and more information spontaneously. They then use that information either to target another person in the institution or to have the victim subtly redirect them to a third person. At this point, the actual attack begins. It also happens that attackers launch the attack directly, often as phishing, by asking their prey to perform an action (to pay an invoice into an illegitimate account, to click on a link to reset a password, etc.). The attacker thereby compromises the victim and obtains a gateway into the organisation's systems.
Each attack is unique and the strategies used are many, although the final aim of social engineering, as with the majority of cyber-attacks, is the misappropriation of money. The theft of information should not be neglected either.
Vulnerability of education and research
Just like private companies and other public institutions, research centres and educational institutions are not immune. In large institutions, it is quite easy for an attacker to pretend to be a student and ask questions related to a course, or to subscribe to student mailing lists and obtain information about the people in the group. These are all useful sources of information for launching attacks, mainly for profit, for example by making data essential to the institution inaccessible, or by trying to divert money from grant budgets dedicated to research and development projects.
But social engineering can also be used to gain access to systems and to obtain useful information. In the world of education, this technique can be used, for example, to gain access to exam questions that the malicious person can either use for their own purposes or resell to third parties.
Checking the request before transmitting any information
Vigilance and critical thinking are essential to guard against social engineering. Prevention and awareness-raising among all employees by the IT teams, or by the Computer Security Incident Response Team (CSIRT) if one exists, remain the best form of defence.
If any doubt exists, even the slightest, about the veracity of an e-mail, a request for information, or the existence of a person, enough time must be taken to validate the request through a different channel. That channel must not be one supplied in the suspicious message itself: call back on a phone number already on record or in the official directory, not the number printed in the e-mail signature, and never reply to the e-mail to ask whether it is genuine. Discussing the request with colleagues, informing superiors about the content of the request or e-mail or, more generally, directly asking the person to contact you by another means so as to make sure that they really exist, are just a few small tips that can help to detect social engineering.
Essential cooperation with IT teams
If the doubt is confirmed, the IT department or the CSIRT of the institution should be the employee's first point of contact. Even if no specific action can be taken against the malicious person who has contacted one of the employees, the department must at least be informed. It is then up to the department to take the necessary measures on its technical infrastructure and, above all, to inform employees and raise their awareness.
About the authors
Jean-Paul Weber is Security Engineer at Restena Foundation and has relevant professional experience in the Computer Security Incident Response Team (CSIRT) and IT security community in Luxembourg.
Christine Glaser is Communications and Marketing Manager at Restena Foundation. She previously worked for more than 10 years in a research institute in Luxembourg as part of the communication team.
Read more on the GÉANT Cyber Security Month 2020: https://dev.connect.geant.org/csm2020