This week in class we covered common vulnerabilities, threats, and risks in cybersecurity. One security vulnerability I find the most interesting is social engineering. It's almost like magic sometimes how the right people with the right amount of charisma can get any information they need. As we discussed in week one, people are the weakest link in a computer security system. Users make more mistakes, both socially and technologically. Social engineering plays on our humanity and our need to please other people. These social engineers usually target the people with the least technical knowledge. It proves that despite all our training and assimilation into the world of technology, we can still be conned and tricked into forking over our sensitive data.
Social engineering is the act of gaining an employee's trust and encouraging them to make unsafe choices such as releasing sensitive information or clicking a link. There are many different kinds of social engineering, such as phishing, watering hole attacks, and physical social engineering attacks. Phishing, meaning illegitimate emails that request information or carry a malicious link, is the most common form of social engineering nowadays. Watering hole attacks are when the attacker sets a trap, such as compromising a website and then steering the employee to visit that website. Finally, the most interesting are the physical social engineering attacks. These attacks are done in the physical realm and don't require deep cybersecurity knowledge. Mostly these attackers are just good talkers.
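To make the phishing description above concrete from the defender's side, here is a small screener, added as an example that is not part of the original post, which runs three common phishing checks over a constructed sample mailbox: a link whose visible text shows one domain while its href points to another, a Reply-To domain that differs from the From domain, and urgency or credential-request wording. The message contents, domains, and keyword lists are all assumptions made up for the illustration.

```python
"""Toy phishing-email screener (added illustration, not from the original post).

Heuristics applied to each message:
  1. anchor text that shows one domain while the href points to another,
  2. the From: domain differing from the Reply-To: domain,
  3. urgency and credential-request wording in subject or body.
All sample messages, domains, and keyword lists are constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed keyword lists; a real filter would tune these per organisation.
URGENCY_WORDS = ("immediately", "urgent", "within 24 hours", "account will be suspended")
CREDENTIAL_WORDS = ("password", "social security", "verify your account", "login")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(value):
    """Lower-cased host of a URL, bare hostname, or e-mail address, without a leading www."""
    value = value.strip().lower()
    if "@" in value and "://" not in value:
        host = value.rsplit("@", 1)[1]
    else:
        host = urlparse(value if "://" in value else "http://" + value).hostname or ""
    return host[4:] if host.startswith("www.") else host


def score_email(msg):
    """Return a list of human-readable findings for one message dict (empty list = nothing flagged)."""
    findings = []
    parser = _LinkCollector()
    parser.feed(msg["body_html"])
    for href, text in parser.links:
        # Only compare when the visible text itself looks like a hostname.
        shown = _domain(text) if re.search(r"\w\.\w", text) else ""
        if shown and shown != _domain(href):
            findings.append(f"link text shows {shown} but points to {_domain(href)}")
    if _domain(msg["from"]) != _domain(msg.get("reply_to", msg["from"])):
        findings.append("Reply-To domain differs from From domain")
    lowered = (msg["subject"] + " " + msg["body_html"]).lower()
    if any(word in lowered for word in URGENCY_WORDS):
        findings.append("urgency language")
    if any(word in lowered for word in CREDENTIAL_WORDS):
        findings.append("asks for credentials or identity data")
    return findings


# Constructed sample mailbox: one legitimate statement notice and one phish.
SAMPLE_MAILBOX = [
    {
        "subject": "Your statement is ready",
        "from": "statements@example-bank.com",
        "reply_to": "statements@example-bank.com",
        "body_html": '<p>Your monthly statement is available at '
                     '<a href="https://example-bank.com/statements">example-bank.com</a>.</p>',
    },
    {
        "subject": "URGENT: verify your account within 24 hours",
        "from": "security@example-bank.com",
        "reply_to": "helpdesk@mail-example.test",
        "body_html": '<p>Your account will be suspended. Confirm your password at '
                     '<a href="http://example-bank.com.evil.test/login">www.example-bank.com</a>.</p>',
    },
]


def scan_mailbox(mailbox):
    """Map each message subject to its findings."""
    return {msg["subject"]: score_email(msg) for msg in mailbox}


if __name__ == "__main__":
    for subject, findings in scan_mailbox(SAMPLE_MAILBOX).items():
        print(subject, "->", findings or "no findings")
```

None of these checks is conclusive on its own (legitimate mail sometimes uses a separate Reply-To domain, and some real notices are urgent), which is why a screener like this is best used to route a message for a second look rather than to block it outright, and why the training the post goes on to recommend still matters.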
I've seen videos online of a sort of penetration test, where the person calls someone's insurance company claiming to be their wife who forgot the access code, or some other mistake, to then access private information like the Social Security number or address of the account owner. After watching that video I realized that all the tactics of phishing can be applied to a phone call. The person in the video played a sound bite of a baby crying and created the urgency that she needed the information right now. After watching that video, I realized that in the world of remote work, our information isn't safe. Luckily that wasn't a "real" hacker with malicious intent, but it shows that you don't need cybersecurity knowledge to get sensitive digital information.
Once again, computers and people are all doom and gloom, but no! This issue can be mitigated, if not completely fixed, with the proper training of employees. Training can serve as a backup when they are backed against the wall by a customer's request. Of course, the final say is made by the architecture of your business's information. I hope that companies have the principle of Least Privilege down, if not Zero Trust. But in the end, training is the best way to teach employees how to sniff out a con. Everything can be faked on the phone, or even on a video call now with AI and YouTube.
While most hackers are not as socially apt, I just thought I'd bring some awareness to the most underestimated attack method. Phishing is often discussed at length, but don't think for a moment that people on the phone always have the company's best interests in mind. The computer always starts with the person behind the keyboard.
Articles Read:
- Nicole Golden