Can we beat social engineering?

August 11, 2014

The question from the title may sound simple (and somewhat rhetorical, perhaps), but after a short consideration it becomes a bit confusing because it brings forth more questions: How long has social engineering has been around? Why it hasn’t been beaten if everybody knows about it?

640-5

If we take a look at recent APT campaigns, we see that most of them have something to do with social engineering – it is one of the primary methods of getting malware to the victim’s devices and/or extracting passwords and other critical data.

And it has a long history.

Nope, we’re not going to tell it all, actually it’s a topic for a multi-volume monograph, but in a nutshell “Social Engineering” is a pretty name for trickery, deceit, and psychological manipulation.

For instance, it was Social Engineering that, among many other things, made Kevin Mitnick one of the most successful computer criminals back in 1990s. He was so feared, law enforcement officials convinced a judge that he had the ability to “start a nuclear war by whistling into a pay phone” (A semi-forgotten trick of whistling the proper tone to the modem at the other end of the phone line to establish a connection). But in his own 2002 book “The Art of Deception” Mitnick stated that he compromised computers solely by using passwords and codes that he gained by social engineering, not using software programs or hacking tools for cracking passwords or otherwise exploiting computer or phone security. In other words, he “hacked” people, not machines.

Well, as we know, Mitnick is now a white-hat security consultant, running his own company.

Phishing is the most popular and problematic method of penetrating the security using various kinds of trickery. Little investments required and high efficiency make it very attractive for the criminals, so this is already a sort of commercial service. As reported in Kaspersky Lab’s study of phishing attack in 2011-2013, “the nature of phishing attacks is such that the simplest types can be launched without any major infrastructure investments or in-depth technological research. This situation has led to its own form of “commercialization” of these types of attacks, and phishing is now being almost industrialized, both by cybercriminals with professional technological skills and IT dilettantes.

Overall, the effectiveness of phishing, combined with its profitability for criminals and the simplicity of the process, has led to a steadily rising number of these types of incidents.

 

wide

Incidents should be called “successful attacks”. The most dangerous type is spearphishing, a narrowly-targeted attack that is preceded by gathering personal and working data on the potential victims (employees of a target company, etc.). These data are used to add credibility to phishing messages (sent via e-mail or social networking sites), so that the people don’t suspect it’s a trap. Using some personal data an attacker can lure a victim to a fake and/or infected website and make him type his or her login-password combination. The consequences are apparent.

So can we beat social engineering, win over the phishers, and make the fraudsters run away screaming never to return?

The short answer: most likely, no.

At least, not fundamentally. Social engineering is an attack against a human being, not machine. You can squish the bug in a software package, you can update the firmware of a device to fix a problem there. But it’s the problems in “human hardware” that phishers and other social engineers use. Is there a way to fix them?

Apparently, IT education is the only way via training. First, company employees require framework of trust when working with sensitive information, so that they always know who, where, when, why and how critically important data should be handled.

There should be clear and explicit information security policies and protocols set, and employees should be regularly trained how to prevent any abuse attempts from the outside.

Then there are technical means to ward off social engineering attacks. First, antiphishing and antifraud tools (such as those present in Kaspersky Lab’s solutions).

This would help to decrease the risks and mitigate the possible consequences of a social engineering attacks.

However, until the basics of IT security, human psychology and, most importantly, His Majesty Logic are taught since primary school, there is no way to beat social engineering completely.