Sunday, 9 February 2020

Is Social Engineering a science or an art?

We are often accused for fishing for sensitive information.But are we able to withstand the advances of "information overload" to politely say no?

Social Engineering is about building trust through careful exchange of information so that the person at the other end of the information channel or transaction is eventually convinced to share personal details or to perform some task without fear, many times unknowingly.

It can be said, it is the practice of getting confidential information through manipulative techniques. These techniques,methods of persuasion may exploit human psychology to gain access to data,systems,and information which are not in the public domain,or can be readily available?                                   


What makes Social Engineers use a number of techniques to fool users into revealing sensitive information about themselves or others?

Does it mean in today's world you cannot trust anyone? 

Social Engineering is a lucrative and sought after profession. It is both an art and a science.Social engineering tactics are not really a secret,but they are effective because they are predisposed to trust one another, in most normal situations of life.

It is the art of exploiting human weakness to gain access to unauthorised resources. Among others,in today's world,it is the art of manipulating users of a computing system into revealing confidential information that can be used to gain unauthorised access to a computer system, by exploiting human kindness or weakness,greed, curiosity to restricted access to data,documents,buildings,etc. or getting the users to install compromising malware,viruses and backdoor software,unwittingly. 

It is a science in that these techniques are tried and tested over time,space and people, to verify their performance and effectiveness. Some if not many of the tasks that they have tested to perform, such as the use of flattery, anger,voice distortion,caller ID spoofing,phishing,tailgating,and other compromising security situations, are in everyday use and many times go unchecked, unnoticed.

Social Engineers use this acquired knowledge or information which they gather such as "nicknames",birth dates,medical and prior medical conditions,bank balances,biases,fears among others which are then used in projection of how people work,who they associate with, how people are vulnerable,or are used easily at password guessing, and/or other covert operations for ulterior benefit either for themselves or others.

Social engineering is also often used to lure information for blackmail, for character assassination and/or for fraudulent exploitation. In a sense or in essence, it is a form of interrogation to obtain information either for personal gain without the other party, person, firm or object, aware or knowing, that they are passing information about themselves and others. 

Social engineering in the context of information security is the psychological manipulation of people into performing actions or divulging confidential information for gain or sometimes even for fun.

What are some of the protection mechanisms to avoid the causes of social engineering attacks?

1. To counter the familiarity exploit aspect in today's world, users must be trained to not substitute familiarity with security measures. There is a boundary between familiarity and security of information. Even the people that one is familiar must prove that they have authorisation to access certain areas and information.
2. To counter intimidating circumstance attacks,people must be trained to identify social engineering techniques such as follows:
(a) FOCA which stands for Finger Printing Organisation with Collected Archives. This was created by Brazilian hackers in 2010 to access,find meta data and hidden information in documents.
(b) Elicitation. This means constructing the conversation in such a way that makes unique information available, without a person asking for it. This technique is commonly used by spies and undercover agents all over the world. In layman's language, it is appealing to one's ego.
(c) Criticism. This technique is used to criticise someone's company in the hope that the person will give information during the defence, or something said during the communication is wilfully inappropriate to elicit the true information.
(d) Oblique Reference. Any topic which is under discussion is by inference related to a main topic,is another subtle technique.
(e) Alcohol. This is often used to seek,target,and obtain information or source of information.
 (f) Pretence. This is a use to persuade targets to do certain actions to gain access and exploit its structural flaws,
(g) Building a persona.Using pieces of real life knowledge to gather further information.
(h) Pressure. Applying undue pressure to target the form of negative,emotional state,then present a clear solution to elicit the real emotion.

How many of us are able to take the precautions?

The short answer, is not many. But we can of course avoid some or many pitfalls, depending on our abilities and by training and awareness, adopting a zero tolerance mindset, installing a reliable anti-virus, anti-malware,and in a worse case scenario,zero tolerance.

Whilst we are alert to coronavirus and quarantine, we may also try to equate our sensitivity to social engineering techniques and set up a protocol, to know as many of the techniques of sensitive information or rather the access to such information should be kept tight and secure.

Is access to sensitive information possible or practical?

We need not be paranoid about our safety and security, but there is no excuse for not checking our mail,our phone conversation and the company we keep in our daily life and work? Like installing decentralised peer to peer verification into our security systems,we can stop hacks using social engineering for fun, for a cause,or for profit or ransom. 

Manipulations,loss of trust, and lowering down our boundaries for short term satisfaction is not really an option.

Victor Cherubim

0 Comments:

Post a Comment

Subscribe to Post Comments [Atom]

<< Home