{"id":14992,"date":"2014-08-11T16:26:28","date_gmt":"2014-08-11T16:26:28","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=2363"},"modified":"2020-02-26T10:54:31","modified_gmt":"2020-02-26T15:54:31","slug":"can-we-beat-social-engineering","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/can-we-beat-social-engineering\/14992\/","title":{"rendered":"Can we beat social engineering?"},"content":{"rendered":"<p>The question in the title may sound simple (and somewhat rhetorical, perhaps), but after a short consideration it becomes a bit confusing because it brings forth more questions: How long has social engineering been around? Why hasn\u2019t it been beaten if everybody knows about it?<\/p>\n<p>If we take a look at recent APT campaigns, we see that most of them have something to do with social engineering \u2013 it is one of the primary methods of getting malware onto the victim\u2019s devices and\/or extracting passwords and other critical data.<\/p>\n<p>And it has a long history.<\/p>\n<p>Nope, we\u2019re not going to tell it all; actually, it\u2019s a topic for a multi-volume monograph, but in a nutshell \u201cSocial Engineering\u201d is a pretty name for trickery, deceit, and psychological manipulation.<\/p>\n<p>For instance, it was Social Engineering that, among many other things, made Kevin Mitnick one of the most successful computer criminals back in the 1990s. He was so feared that law enforcement officials convinced a judge that he had the ability to \u201cstart a nuclear war by whistling into a pay phone\u201d (a semi-forgotten trick of whistling the proper tone to the modem at the other end of the phone line to establish a connection). 
But in his own 2002 book \u201cThe Art of Deception\u201d Mitnick stated that he compromised computers solely by using passwords and codes that he gained by social engineering, not by using software programs or hacking tools for cracking passwords or otherwise exploiting computer or phone security. In other words, he \u201chacked\u201d people, not machines.<\/p>\n<p>Well, as we know, Mitnick is now a white-hat security consultant, running his own company.<\/p><blockquote class=\"twitter-pullquote\"><p>Social Engineering is sort of hacking humans.<\/p><\/blockquote>\n<p>Phishing is the most popular and problematic method of penetrating security using various kinds of trickery. The small investment required and the high success rate make it very attractive to criminals, so it has already become a sort of\u00a0<a href=\"https:\/\/business.kaspersky.com\/commercialization-of-phishing\/\" target=\"_blank\" rel=\"noopener nofollow\">commercial service<\/a>. As <a href=\"http:\/\/media.kaspersky.com\/pdf\/Kaspersky_Lab_KSN_report_The_Evolution_of_Phishing_Attacks_2011-2013.pdf\" target=\"_blank\" rel=\"noopener nofollow\">reported<\/a> in Kaspersky Lab\u2019s study of phishing attacks in 2011-2013, \u201c<em>the nature of phishing attacks is such that the simplest types can be launched without any major infrastructure investments or in-depth technological research. 
This situation has led to its own form of \u201ccommercialization\u201d of these types of attacks, and phishing is now being almost industrialized, both by cybercriminals with professional technological skills and IT dilettantes.<\/em><\/p>\n<p><em>Overall, the effectiveness of phishing, combined with its profitability for criminals and the simplicity of the process, has led to a steadily rising number of these types of incidents.<\/em>\u201d<\/p>\n<p style=\"text-align: center\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/12\/06020424\/wide.png\"><img decoding=\"async\" class=\"alignnone size-full wp-image-2366\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/12\/06020424\/wide.png\" alt=\"wide\" width=\"1000\" height=\"1000\"><\/a><\/p>\n<p>Incidents should be called \u201csuccessful attacks\u201d. The most dangerous type is spear phishing, a narrowly targeted attack that is preceded by gathering personal and work-related data on the potential victims (employees of a target company, etc.). These data are used to add credibility to phishing messages (sent via e-mail or social networking sites), so that the recipients don\u2019t suspect a trap. Using some personal data, an attacker can lure a victim to a fake and\/or infected website and get them to type in their login and password. The consequences are apparent.<\/p>\n<p>So can we beat social engineering, win over the phishers, and make the fraudsters run away screaming never to return?<\/p>\n<p>The short answer: most likely, no. 
<\/p><blockquote class=\"twitter-pullquote\"><p>There\u2019s just no quick way to update \u201chuman firmware\u201d.<\/p><\/blockquote>\n<p>At least, not fundamentally. Social engineering is an attack against a human being, not a machine. You can squash a bug in a software package, or update the firmware of a device to fix a problem there. But it\u2019s the problems in \u201chuman hardware\u201d that phishers and other social engineers exploit. Is there a way to fix them?<\/p>\n<p>Apparently, IT education through training is the only way. First, company employees need a framework of trust when working with sensitive information, so that they always know who should handle critically important data, and where, when, why and how.<\/p>\n<p>There should be clear and explicit information security policies and protocols in place, and employees should be regularly trained in how to recognize and prevent abuse attempts from outside.<\/p>\n<p>Then there are technical means to ward off social engineering attacks. First, antiphishing and <a href=\"https:\/\/www.kaspersky.com\/business-security\/fraud-prevention\" target=\"_blank\" rel=\"noopener nofollow\">antifraud<\/a> tools (such as those present in Kaspersky Lab\u2019s solutions).<\/p>\n<p>These would help to decrease the risks and mitigate the possible consequences of social engineering attacks.<\/p>\n<p>However, until the basics of IT security, human psychology and, most importantly, His Majesty Logic are taught from primary school onward, there is no way to beat social engineering completely.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Is social engineering beatable? Just as much as you can beat any other kind of deceit. 
Actually, social engineering is about &#8220;exploiting flaws in human hardware&#8221;.<\/p>\n","protected":false},"author":209,"featured_media":15814,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[2149,2150,76,513],"class_list":{"0":"post-14992","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-it-education","10":"tag-malware-attacks","11":"tag-phishing","12":"tag-social-engineering"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/can-we-beat-social-engineering\/14992\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/can-we-beat-social-engineering\/14992\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/can-we-beat-social-engineering\/14992\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/it-education\/","name":"IT 
education"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14992","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=14992"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14992\/revisions"}],"predecessor-version":[{"id":33279,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14992\/revisions\/33279"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15814"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=14992"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=14992"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=14992"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}