My time as a “hackerish” professional taught me that social engineering is one of the most difficult things to defend against. With the advent of social media it is very easy to find your “likes”, your close friends and associates, and even patterns such as when you are most active, all of which give clues that can be exploited in many ways. I learned under the direct leadership of some very talented “hackers”, one of them Adrian Lamo, best known for the outing of Wikileaks and the transgender traitor Bradley Manning. How does that relate to social engineering and the point of this post? I see so much emphasis on how to secure networks, cloud, devices, IoT, and even higher-level targets such as aircraft and energy grids. The thing is, though, that the “major” hacks with detrimental consequences, which would include Edward Snowden and the Sony hack, all involved insiders who socially engineered the outcomes.
And even the taking down of Manning had to do with social engineering (it was a personal interaction, not a computer program, that brought Manning to justice), and there are many ways to prevent it and to take measures that compartmentalize the risk. It seems overlooked in “cyber security”, I think, for a few reasons: one, it deals with people, and at this point it is not something that can be defended against exclusively with current methods, ranging from AI to antivirus software to specialized contractors who provide IT security. When I see most people reading in the media that “Sony was hacked today”, for example, I think they imagine some grand scene with a guy in a hoodie running a “brute force script”, which is one of many tools, yes, at times employed, but one that can leave digital forensics that can be traced back; so in that case you would wear a hoodie, gloves, and glasses if you were a black hat hacker perpetrating nefarious deeds. And from experience, these people a lot of times run in circles like Anonymous, and generally it is a very young person being pawned by a much larger controlling organization that exploits the “script kiddie’s ego” and pads its pockets a bit with some Bitcoin. However, for all the “top 10 hackers”, the hacks they are most famously known for were done through “social engineering”.
Today in the news, a major hack that was done by social engineering:
“The recent Gmail scam: These sophisticated scams are classified as business email compromise (BEC) or email account compromise (EAC) and use ‘social engineering techniques’ to defraud businesses.”
I’ll explain very briefly. A “social engineer” will do reconnaissance: find out everything that can possibly be found about the target through social media, public records searches and a plethora of “OSINT techniques”, then find a way to pose as someone you know or as something inconspicuous and routine to you. If you are a corporation or organization it gets even harder to defend against a socially engineered attack, because organizations need people, and people can, in sophisticated examples, be “posed as” in both the physical and the cyber/Internet realms. Both realms can be used to infiltrate, find, exploit, steal and very possibly create a lot of havoc and headaches as the result of not guarding against being “socially engineered”.
The question, if you have read through this post and the links provided, is probably how to guard against this threat.
One: be careful and cautious about what you post. Think of every post this way: how much of this could reveal about myself or my company that I wouldn’t want an adversary to know? You may not think you have adversaries, but always assume you do.
Two: penetration test. “Red team” yourself creatively, and also hire a very creative ethical hacker.
Three: research and choose wisely software that protects against and limits the damage a hacker can do. For example, if you are a business with a secret project you are trying to develop, have your engineers share that secret data through a program like IBM MaaS360, and hire a very good infosec-minded IT department.
And if you are a private individual, use good antivirus programs and keep your programs up to date. Those are all good, but also change your passwords and use a password manager. Antivirus software is good for scanning for malicious programs that a social engineer may be trying to employ, but those programs may or may not be recognized by the software at the time of the attack, since new code is written all the time. So don’t rely on these products for your complete safety, is what I’m getting at.
Four: educate and inform yourself and/or your company or organization about what “social engineering” is. Keep yourself informed on techniques that are currently being employed in these attacks (and resist the temptation to hoard the exploits in a little black book 🙂). Follow resources that provide information that keeps you aware of what to be on the lookout for, for example:
There are literally too many techniques to write about here in this post, along with how to counter them. However, a small daily diet, like reading the newspaper, gives an idea of what to be aware of that is happening in your world or community; create some “vigilant awareness” against it by empowering yourself with knowledge that helps you not be “easy” prey for a hacker. I hope some find this post useful.
Regards, Brian K Tarling
All Source Fusion LLC