The level of hardware and software security that can be achieved is extremely high, and every day this security is reinforced and new protections are created. However, none of this is effective against a social engineering attack, which is why it is so dangerous.
Social engineering is nothing but manipulation to obtain confidential information. This manipulation is aimed at people: employees of any level with their own access credentials and with more or fewer permissions. Regardless of the level of access or permission, obtaining such data opens the door to the company network and exposes corporate equipment and services.
Such cyber attacks can become undetectable. Furthermore, they are extremely efficient and take advantage of a lack of information and training, and also of human naivety. People can trust their colleagues openly, even if they are newcomers.
Attackers start by gaining the trust of the target, beginning with a conversation, a call, an SMS or a technological gift. This is, in fact, like the story of the Trojan horse, which was nothing other than a gift with an air of goodwill that carried a danger inside. The Trojans brought it inside the city walls, and the Achaean soldiers came out at night to eliminate the sentinels and open the city gates to their armies.
By analogy, protecting our systems with firewalls, antivirus and other tools will not be enough if users do not comply with all security guidelines, or if they commit unforgivable lapses.
Is social engineering profitable for cybercriminals?
It does not matter whether the objective of a cybercriminal is to inject malware, steal credentials, gain access… The fact is that it is cheaper, so to speak, than any other method. Let’s think of a simple analogy, for example, trying to break into a home. What is harder? To use tools to open the door and bypass the alarm, or to get the tenant to open the door?
Social engineering attacks typically go through four phases:
1.- Collect information about the victim. This information can be of any type, but the goal is to know everything about that person in order to establish contact as naturally as possible, without arousing suspicion.
2.- Develop a relationship of trust with the victim using the collected information. From this, an attack plan based on the interests of the victim is drawn up. The only intention at this point is to gain the trust of that person, so that any subsequent message or contact appears legitimate.
3.- Breach of trust. Once contact has been made and trust has been gained, taking advantage of the false identity created beforehand, the attacker asks the victim for something: to send access credentials under some pretext, or to install software for some reason. That is how the basis for the attack is established.
4.- Execution of the cyber-attack. With the doors open, the attacker can enter the system and do what they intended from the beginning. Once the information has been obtained or the objective has been achieved, the attacker will retreat, trying to eliminate any traces.
So, how do I protect my business from social engineering attacks?
The key is employee training and awareness-raising. A team with adequate training is the best protective measure against social engineering. No matter how effective the technique employed by cybercriminals is, the better informed the team is, the longer it will resist attacks and the more suspicious it will be of any request that bypasses protocols.
That is why it is essential, besides acquiring advanced security tools, that staff are aware of the most common techniques so they can anticipate and detect them in time, saving the company costs (and aggravation). Keeping up to date with cyber threats is vital.