I would be willing to bet that every person who reads this blog has been the victim of social engineering. You might not have realized you were a victim or it might have been a long time ago, but seriously, who among us has not clicked on a phishing email out of curiosity or opened an attachment, thinking that it was legitimate?
Here’s an example of a fairly recent social engineered exploit. TechRepublic reported in November on a vulnerability in iOS that allows a legitimate app be replaced by a malicious one with a few social engineering moves.
Social engineering techniques are used because they work. In his predictions for 2015, Anthony DiBello, director of security with Guidance Software, warns that we should expect social engineering methods to be even more complex, and that this could be the most urgent security threat facing organizations in the coming year.
It isn’t the complexity alone that makes social engineering a looming threat, DiBello added. There's also more money funding those that commit cybercrimes, whether they are government-backed or on the payroll of organized crime gangs. He went on to tell me in an email message:
These are large groups working together to create sophisticated, targeted attacks attempting to bring down the enterprise. As such, organizations need to have a rehearsed set of processes to manage incidents. The reality is that it is highly likely that organizations will be compromised at some point and so they must have the processes in place to react as efficiently and swiftly as possible to remediate the effects of the attack.
Social engineering is all about exploiting the most vulnerable of vulnerabilities – human behavior. We want to believe that what we are reading is true and that people are honest. Cyber criminals know that and prey on that, and what they get in return, for very little effort, is access to passwords, usernames, personally identifiable information, bank account numbers and sensitive corporate data.
Using behavorial analytics is one way for businesses to put up a road block against social engineering tactics, DiBello explained. This form of security prevention gives companies the power to forward scan endpoints and identifies behavioral changes to discover anomalies. But there is another thing that companies can do to help keep employees from falling to a social engineering scam, according to DiBello:
We still need more education in place, particularly when it comes to building awareness amongst the general public on their 'cyber hygiene.' Phishing attacks and other 'low-effort' methods are still proving lucrative for the cyber criminals, so we all need to do our bit to ensure the public is well aware of the dangers on the Internet.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba