Today, there are many ways an attacker will try to compromise a corporate network, but in the end, the individual is the highest risk factor. Attackers will use whatever means necessary to break into a network and steal information, and the most popular, and most successful, is social engineering.
By Simon Campbell-Young, CEO of MyCyberCare
Social engineering is responsible for many of the recent major attacks we have seen over the past year. The surface area for social engineering attacks is as big as all the employees and users in a business, and social media is exacerbating the situation. We are all aware of the use of social engineering through phishing mails and so on, but most people don’t realise how dangerous social media can be.
Hackers are targeting individuals on all social platforms. Tinder, however, may well be the new social engineering frontier. Tinder, which encourages users to upload as much social content as possible, is becoming a treasure trove for hackers.
Social media is a necessary evil. Companies have recognised the value of these sites for business use and most don’t just outright block these sites from the network. However, because personal and company social media often intersect, hackers can easily engineer most employees in an organisation.
Social media should be a zero trust environment. Social networking is so simple to use that, often, people’s guards are lowered. A friend you know well could send you a link to an album of a recent trip for you to view or download. Seeing your friend’s picture next to the link, or getting an email from their email address, you click on it because you assume that it’s safe. You do not know that they have been hacked, and that the pictures you think you are downloading are actually malware being downloaded onto your computer.
Social media is not just one-to-one communication, but one-to-many, which greatly expands the attack surface. With social media engineering, there is no reason for a hacker to think small, particularly since most of the attacks exploiting social media data are effective because they leverage the concept of “trust” on which social networks are built.
Employees, their social media profiles and the devices they use to access a company’s network and resources provide a plethora of gateways into the infrastructure for cyber criminals. Organisations should take care to not focus purely on traditional defences – attackers have already changed their strategy from trying to bypass a strong perimeter defence to attacking the human element.
They use social media to discover details about projects, names, dependencies between departments and individuals, and friendships between colleagues. Once they have the baseline information, it’s simple to approach an employee, appear legitimate, and obtain corporate information or access to corporate networks. Security awareness is the key to preventing such incidents, and developing policies and training employees will mitigate the risk of social engineering attacks.