Social engineering is the practice of identifying and exploiting human weaknesses in the course of a cyber-attack. It complements technical hacking and shows that the human factor is essential both to attacking and to protecting a digital company.
According to a Ponemon study, malicious insiders are among the three types of cyber-attacks that cause the most financial damage to companies. According to Christopher Hadnagy, an American cyber-security specialist, disgruntled employees are a real threat, although one that is often underestimated until they act. However, well-intentioned employees can also put their companies at risk when they are not aware of cyber threats. As IT solutions become more secure, many attackers turn to social engineering to obtain information from employees and then breach systems or applications.
Social engineering is an intrusion technique used by attackers, but it can also be used when performing a security audit. It complements penetration tests: it identifies human risks and leads to organizational and/or educational recommendations.
The work of Christopher Hadnagy's team has produced a theory of social engineering principles, a social engineering framework and a description of the social engineering attack lifecycle.
The main components of this framework are:
- information gathering: the key step to a successful attack is collecting as much available information as possible about the "target"
- elicitation: the art of obtaining targeted information through asking questions
- pretexting: playing a role and pretending to be someone else in order to access protected information and/or premises
- mind tricks: building instant rapport and using tools such as neuro-linguistic programming (NLP) to influence how people think
- persuasion: mastering the most effective techniques for influencing people
The social engineering attack lifecycle is as follows:
- Information gathering
- Establishing a relationship and rapport
- Exploitation and infiltration of the target
- Execution of the attack
Social engineering is not only for hackers. It is a very old practice, at the crossroads of art and science, used by spies and by all professionals whose job involves some degree of manipulation. It can serve positive or negative goals.
In a social engineering audit, it is used to test employees' level of awareness of cyber-security risks through concrete risky situations:
- reaction to phishing emails
- requests for confidential information by phone and/or email
- attempts to access the internal network or applications from open areas of the office
- attempts to enter private, unauthorized areas
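As an added example (not from the original article, and not Hadnagy's tooling), the following Python script shows how the first audit scenario, reaction to phishing emails, can be measured rather than guessed at: each employee receives a lure with a per-recipient HMAC token in the link, and the landing host's web-server log is later scored to tell who ignored the email, who clicked, and who went as far as submitting credentials. The employee roster, campaign secret, landing host and log lines are all constructed for the illustration; tokens that were never issued (forged or mistyped) are deliberately ignored so they cannot pollute the per-department results.

```python
import hashlib
import hmac
import re
from collections import defaultdict
from typing import Optional

# Constructed for the example: a per-campaign secret and an employee roster.
# In a real audit the secret is generated fresh for every campaign and the
# roster comes from HR, scoped to what the audit mandate allows.
CAMPAIGN_SECRET = b"campaign-2024-Q1-example-secret"
EMPLOYEES = {
    "alice@example.com": "Finance",
    "bob@example.com": "Finance",
    "carol@example.com": "Engineering",
    "dave@example.com": "HR",
}


def make_token(email: str) -> str:
    """Per-recipient token: an HMAC over the address, so one employee cannot
    derive another's link from their own, and the token reveals no address."""
    return hmac.new(CAMPAIGN_SECRET, email.encode(), hashlib.sha256).hexdigest()[:16]


def build_lure(email: str, landing_host: str) -> str:
    """Simulated phishing email (text body only) carrying the tracked link.
    The landing page's form posts back to the same tokenized URL, so a POST
    in the log means credentials were submitted."""
    link = f"https://{landing_host}/login?t={make_token(email)}"
    return (
        f"To: {email}\n"
        "Subject: Action required: password expiry\n\n"
        "Your password expires today. Sign in within 2 hours to keep access:\n"
        f"{link}\n"
    )


def resolve_token(token: str) -> Optional[str]:
    """Map a token back to its recipient. Constant-time comparison per
    candidate; unknown or forged tokens resolve to None."""
    for email in EMPLOYEES:
        if hmac.compare_digest(make_token(email), token):
            return email
    return None


# Request line of a common/combined-format access log entry.
LOG_RE = re.compile(r'"(?P<method>GET|POST) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
TOKEN_RE = re.compile(r"[?&]t=([0-9a-f]{16})")


def score_logs(log_lines):
    """Classify each recipient as 'none' (never visited), 'clicked' (opened the
    landing page) or 'submitted' (posted the form). Returns (per_employee,
    per_department); the latter maps department -> {total, clicked, submitted}.
    'clicked' counts anyone who visited, including those who then submitted."""
    rank = {"none": 0, "clicked": 1, "submitted": 2}
    outcome = {email: "none" for email in EMPLOYEES}
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        t = TOKEN_RE.search(m["path"])
        if not t:
            continue  # unrelated request (crawler, health check, ...)
        email = resolve_token(t.group(1))
        if email is None:
            continue  # token never issued by this campaign: ignore it
        new = "submitted" if m["method"] == "POST" else "clicked"
        if rank[new] > rank[outcome[email]]:
            outcome[email] = new

    per_dept = defaultdict(lambda: {"total": 0, "clicked": 0, "submitted": 0})
    for email, dept in EMPLOYEES.items():
        d = per_dept[dept]
        d["total"] += 1
        if outcome[email] != "none":
            d["clicked"] += 1
        if outcome[email] == "submitted":
            d["submitted"] += 1
    return outcome, dict(per_dept)


# Constructed access-log lines from the (hypothetical) landing host.
SAMPLE_LOGS = [
    f'10.0.0.5 - - [12/Mar/2024:09:14:02 +0000] "GET /login?t={make_token("alice@example.com")} HTTP/1.1" 200 512',
    f'10.0.0.5 - - [12/Mar/2024:09:14:40 +0000] "POST /login?t={make_token("alice@example.com")} HTTP/1.1" 302 0',
    f'10.0.0.9 - - [12/Mar/2024:09:20:11 +0000] "GET /login?t={make_token("carol@example.com")} HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Mar/2024:09:21:00 +0000] "GET /login?t=0123456789abcdef HTTP/1.1" 200 512',  # forged token
    '10.0.0.2 - - [12/Mar/2024:09:22:00 +0000] "GET /robots.txt HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print(build_lure("bob@example.com", "sso-portal.example"))
    per_employee, per_department = score_logs(SAMPLE_LOGS)
    for email, result in per_employee.items():
        print(f"{email:22} {result}")
    for dept, counts in per_department.items():
        print(f"{dept:12} {counts}")
```

Reporting per department rather than per person is the usual choice for an awareness audit: the goal is to find which teams need training, not to single out individuals, and the HMAC design keeps the raw addresses out of the links and logs that the landing host handles.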
To prevent these risks, it is necessary to foster collaboration between executives, HR professionals and team managers. This can help to reduce human risks, which remain a major threat to the cyber security of companies.