The use of social engineering techniques has become a significant and widespread means of deploying malicious attacks on the Internet to obtain sensitive or classified information from competitors, rivals, and governments, among others.
Our hour-long chat with Intel Security’s @Raj_Samani and fellow EUROPOL security advisor @BrianHonan covered a variety of areas in question around the use of social engineering, and methods of protection. Highlights from the #SecChatUK below:
We kicked off by asking: are we unable to distinguish malicious communications, or are cybercriminals getting more advanced?
@BrianHonan says that it’s actually a combination of the two, as cybercriminals are getting smarter and more sophisticated in their techniques. Raj points out that this is because social engineering is designed to tap into the subconscious, so it’s intended to bypass our natural human defences. @helpnetsecurity made a valid point in saying that almost no one is able to identify all phishing emails (as we recently saw in the results of our global phishing quiz), and asked what organisations can do.
What is cybercriminals’ desired outcome once they have successfully hooked someone?
Both experts revealed that whether directly or indirectly via the extraction of information to sell on, the desired outcome is to gain a financial benefit from hooking their victims.
@helpnetsecurity joined in and asked how we get the general population interested in the IT sec issues that undeniably affect their lives…
People only tend to pay attention when it affects them personally, and Brian points out that it’s key to make individuals understand why they are targets.
@CiaranmaK says it’s about encouraging people to be conscious of keeping software updated and not to rely on antivirus as the sole solution. @Raj_Samani opened the topic up further by asking if the issue is more related to the lack of recognition as to the value of data that criminals are targeting:
Discussion then ventured into the role that the media plays in communicating security issues to the public; however, it highlighted concerns that mainstream media may be skewed more towards “spreading fear, uncertainty and disorder (FUD) than illustrating issues in a balanced way”, as @helpnetsecurity put it.
How do these cybercriminals ‘hook’ victims or communications channels to be able to influence them?
“They build trust based on information they’ve gathered to nurture a relationship they can then abuse. This can be via phone, email, and social media or even face to face, but their confidence is often their key weapon” @BrianHonan. Further into #SecChatUK, @helpnetsecurity made a statement that ‘Social engineering is underrated – it should be THE buzzword, yet it’s still on the side-lines.’ However, this is a term that Brian dislikes, explaining that:
@helpnetsecurity later added an interesting consideration of the ‘Internet of Things’ asking what type of issues can be expected once IoT gets big in terms of global adoption numbers…
@Teddybreath believes that we will see the same issues, just wider in exposure, while @helpnetsecurity thinks it depends on what the industry decides to connect online, and how the criminals will innovate.
To conclude this #SecChatUK, our security experts left us with their top tips to protect against social engineering:
Our #SecChatUK covered a lot of ground on the topic of social engineering in cybercrime, from discussing the techniques used and phases targets go through, to the issues in current awareness campaigns and the future impact of IoT. Thanks to all who joined the conversation! To view the full chat on Twitter, check out the #SecChatUK hashtag, and be sure to follow @IntelSec_UK to keep up to date with upcoming chats.