Social engineering: the art of intrusion

October 2012 Security Services & Risk Management

Doros Hadjizenonos
Doros Hadjizenonos

Social engineering is about hacking the human mind, something that in many ways is significantly easier than finding a new software vulnerability and using it as a gateway into your enterprise. These vulnerabilities, called zero-day vulnerabilities, can cost tens of thousands of dollars in the hacker underground – money that can be saved if someone can be conned into installing a computer virus on their own machine. After all, there is no need to go through the effort of picking a lock when you can talk someone into letting you into their home.

But just what makes for a good social engineering attack? The key is the lure, which can vary from an attention-grabbing post on Facebook about a celebrity, to e-mails with subject lines about your company’s business. One of the most publicised attacks of the past year was the attack on RSA, which started with an employee opening up an e-mail entitled: 2011 Recruitment Plan.

When the employee opened the accompanying attachment, the person set off a change of events that led to data being compromised. While hacking a system requires knowledge of programming vulnerabilities, hacking the human mind requires a different kind of knowledge – specifically, what types of e-mails or links is the victim most likely to click on.

One way to get a hold of that information is to target people according to their jobs and interests, and there is perhaps no greater source of data on those subjects than social networks. A cruise through a LinkedIn profile can reveal a person’s work history and position; a gander at Facebook accounts can uncover their friends and hobbies.

While social networks have done a lot in the past few years to bolster their privacy controls, many users may not use them or may inadvertently render them ineffective by friending someone they do not really know. Research has shown the average fake profile on Facebook has an average of 726 friends – more than five times as many as a typical user of the site.

Hacking the human mind

Hacking the human mind also takes other forms as well. For example, search engine optimisation (SEO) is a favourite technique of hackers. The idea behind SEO is to increase the ranking of your website on search engines such as Google. In the right hands, this is perfectly legitimate; in the wrong ones, it increases the likelihood people will land on a malicious site. There are also techniques that are far less technical, such as an old-fashioned telephone conversation that gets someone to let their guard down.

Recently, Check Point sponsored a study by Dimensional Research that revealed that 43% of the 853 IT professionals around the globe surveyed said they had been targeted by social engineering schemes. The survey also found that new employees are the most susceptible to attacks, with 60% citing recent hires as being at 'high risk' for social engineering. Unfortunately, training does not seem to be keeping up with the threats, as just 26% of respondents do ongoing training and 34% said they make no attempts to educate employees at all. The good news is the tides are changing and more businesses are raising awareness about security threats – and what social engineering techniques employees may be susceptible to.

Education is key

Education is a key element of defending against attacks, but the process begins with having sound policies for protecting data. This includes controlling who has access to what information, and setting policies that are enforceable and conducive to business operations. From there, employees should be educated on what the policies are and then tested on them. Key to this is sharing information about the attacks that are detected so employees can better understand how they are being targeted. Often, a good dose of caution can go a long way – if an unexpected e-mail arrives asking for private information, follow up with the purported sender to make sure it is legitimate.

Buttressing all this should be networks and endpoints protected by best practices and the latest security fixes, but at its heart, fighting hacks against the human mind requires attitudinal changes more than technological weapons. If there is antivirus for the human mind, it has to be updated with knowledge of corporate policies and an understanding of how attackers are targeting their victims. Incorporating that information into a training program can be the difference between a data breach and a quiet night at the office.





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

SA’s private security industry receives multi-million USD investment
News & Events Security Services & Risk Management
South Africa's private security sector has attracted significant international attention, with the world’s largest tactical flashlight manufacturer, Nextorch, announcing a major investment in its local operations, Nextorch Africa.

Read more...
Vetting people in security estates
iFacts Security Services & Risk Management Residential Estate (Industry)
In today’s security-conscious South Africa, estate management’s responsibility extends beyond gates and patrols; it involves ensuring that every resident, staff member, and service provider upholds the community’s safety standards.

Read more...
View from the trenches
Technews Publishing SMART Security Solutions Editor's Choice Integrated Solutions Security Services & Risk Management Residential Estate (Industry)
There are many great options available to estates for effectively managing their security and operations, but those in the trenches are often limited by body corporate/HOA budget restrictions and misunderstandings.

Read more...
IVA AI Pro Visual Gun Detection
Products & Solutions Surveillance Security Services & Risk Management Residential Estate (Industry)
Bosch has announced the launch of the IVA AI Pro Visual Gun Detection analytics based on deep learning. It is designed for automatic detection and classification of people and brandished firearms.

Read more...
IP-based horn loudspeakers
Products & Solutions Surveillance Security Services & Risk Management Residential Estate (Industry)
Bosch has announced the launch of its new IP-based horn loudspeakers and amplifier module: the high-output LHN-UC15L-SIP horn (for long-throw applications), the compact LHN-UC15W-SIP horn (for wide-angle coverage) and the AMN-P15-SIP amplifier module.

Read more...
SMART Estate Security Conference KZN 2025
Arteco Global Africa OneSpace Technologies SMART Security Solutions Technews Publishing Editor's Choice Integrated Solutions Security Services & Risk Management Residential Estate (Industry)
May 2025 saw the SMART Security Solutions team heading off to Durban for our annual Estate Security Conference, once again hosted at the Mount Edgecombe Country Club.

Read more...
ProtecLink 2025 spotlights industry tensions and transformation
Magtouch Electronics t/a Ithegi Electronics Security Services & Risk Management News & Events
ProtecLink 2025, created and hosted by Ithegi Electronics, brought together key stakeholders from the security, finance, and innovation sectors under the theme "Connecting Security, Finance, and Innovation: Inspiring Transformation in the Industry."

Read more...
SSG Holdings acquired by Fidelity Services Group
News & Events Security Services & Risk Management
Fidelity Services Group has successfully acquired a majority shareholding in SSG Holdings. The acquisition builds on Fidelity’s track record of strategic expansion, including previous high-profile acquisitions.

Read more...
The role of drones in farm protection
Agriculture (Industry) Security Services & Risk Management
Laurence Palmer reminds us of the role drones play in agricultural security and offers a free security risk assessment template for downloading (link at the end of the article).

Read more...
SMART Surveillance Conference in Johannesburg
Arteco Global Africa Technews Publishing SMART Security Solutions Axis Communications SA neaMetrics Editor's Choice Surveillance Security Services & Risk Management Logistics (Industry) AI & Data Analytics
SMART Security Solutions hosted its annual SMART Surveillance Conference in Johannesburg in July, welcoming several guests, sponsors, and speakers for an informative and enjoyable day examining the evolution of the surveillance market.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.