Fostering Cybersecurity Governance In Organization On Social Engineering Awareness

Abstract

The world of information technology and the Internet is becoming more and more common. There is a potential danger hiding in the Internet: social engineering. It is a threat that manipulates users and can cause serious harm. This study describes the different types of social engineering that cybercriminals commonly use. It also suggests guidelines and recommendations that users can follow to defend against social engineering attacks, and mentions some of the training and policies that promote social engineering awareness. The objective of this paper is to introduce social engineering with related examples and to provide guidelines and recommendations against these attacks.

Introduction

Over the last 10 years, the Internet and information technology have become more and more important. People keep innovating in information technology to bring more convenience to their daily lives, for example in communication, data sharing, training and business. The advancement of information technology, and especially the Internet, has brought many benefits: people can do many things online, and organisations can develop new markets through this channel. The Internet has also become the largest communication and information exchange medium in the world. Social networking sites like Facebook, Twitter, Instagram, LinkedIn and YouTube have become part of our daily routine in private and business communication. However, the convenience of the Internet also attracts cybercriminals who target users through it. They use social engineering to commit crimes and weaken the cybersecurity chain, and social engineering has already exposed a great deal of private and valuable data belonging to individuals and enterprises.

Social engineering is a type of cyber-attack that is often used by cybercriminals. It relies heavily on human interaction and typically manipulates individuals and enterprises into breaking security procedures in order to gain access to systems, networks or physical locations. Cybercriminals using social engineering techniques hide their true identities and pose as trusted individuals or information sources to approach their victims. Social engineering is popular among cybercriminals because it is easier to exploit users' weaknesses than to find a network or software vulnerability. The aim of the attack is to trick, lure or influence victims into giving up sensitive data or access within an organisation. According to Positive Technologies, social engineering was involved in 43% of incidents in 2018. Cybercriminals use social engineering to convince people to open an email attachment that infects them with malware, or to persuade victims to disclose their sensitive information. If users do not treat social engineering as a serious issue, it can bring serious consequences for the Internet and its users.

Types of Social Engineering Attacks

Phishing

Phishing is one of the most popular social engineering attack types used by cybercriminals. In a phishing attack, the cybercriminal sends a fraudulent email disguised as a legitimate one. The fraudulent email purports to come from a trusted source in order to win the user's trust, and its message is designed to manipulate the recipient into giving up personal and valuable information such as usernames, passwords and credit card numbers. When the victim opens and reads the email or text message, it asks them to go to a website and act immediately or risk some sort of consequence. If the victim clicks the link inside the message, they are forwarded to a fake website that looks legitimate and asks them to log in with their username and password, or that installs malware on the victim's device. If they follow the instructions in the message, the information is sent to the attacker, who can then steal identities, empty bank accounts and sell personal information on the black market.

In 2018, some of the biggest phishing scams were related to the World Cup and to vacation rentals. These were phishing attacks that followed current news and trends, a reliable method on which hackers continue to depend to steal personal data and rip people off. For the World Cup in Russia, the best and most famous soccer players from around the world gathered to play the tournament, and soccer fans dreamed of finding affordable tickets to watch it. According to the Federal Trade Commission, cybercriminals planned to trick fans with phishing emails that looked reliable but offered fake free trips to Moscow. In the vacation rental scams, attackers targeted landlords who were advertising properties, gained control of the landlord's email, and then replaced the email address on rental property ads on sites like Airbnb with their own address to bait users. Cybercriminals who use phishing attacks, also known as phishers, may also use social engineering and other sources of information like LinkedIn, Facebook and Twitter to gather background information about a victim's personal and work history, status and daily routine. Most phishing emails are easy to recognise and clearly fake, but phishers have started to use the techniques that professional marketers use to identify the most effective types of messages to lure users. It can be said that phishing is the simplest kind of cyberattack but at the same time the most dangerous and effective attack against users.

Pretexting

Pretexting is a type of social engineering used to obtain confidential data from victims. It often involves a scam in which the cybercriminal pretends to need information to confirm the identity of the person they are talking to. Once trust has been built and the target's vigilance is low, the attacker asks several questions to obtain personal identifiers such as the target's name, date of birth, account number or address. The attack relies on building a persuasive story to convince the user that the request is necessary. Pretexting is normally used to gain both sensitive and non-sensitive information from targets. Attackers keep researching and gathering information about their targets in order to build a good pretext that is able to fool the target. Unlike phishing, pretexting does not need the user to click a link that installs malware or sends them to an illegitimate website. Instead, the attacker poses as a trusted organisation or department to bait the victim into handing over sensitive information without suspicion.

An example of how pretexting works: a finance assistant in an organisation receives a call from someone pretending to be a business partner. After several discussions, the caller asks to explain and verify financial information as part of a new process. The finance assistant lets their guard down and provides the information the caller requests. In this example, the caller uses a convincing story to build the finance assistant's trust and lure the target into handing over the information. Another example of pretexting is a fake email from a close friend who urgently needs money, which probably comes from a fake account. A more advanced form of pretexting manipulates victims into performing an action that lets the attacker discover and exploit weaknesses and vulnerabilities inside an organisation. In online scams, the attacker tries to verify some account information as part of the attack. The information leaked by victims is generally sensitive data, which makes it easy for the attacker to gain access using the victim's account. The success of a pretexting attack depends heavily on the attacker's ability to build trust with the victim. However, security experts and law enforcement are able to conduct investigations to track down the cybercriminals who deploy this attack against victims.

Baiting

Baiting is a technique similar to phishing that uses something able to capture the target's attention and curiosity to deploy an attack. It often involves offering targets free items such as free music and movies. Attackers bait users to steal their personal information or to invade their systems with malware. Cybercriminals can use physical devices to perform baiting, such as USB thumb drives, cell phones, memory cards or CD-ROMs that catch the victim's attention. When the victim picks up the bait and inserts it into a computer or other device, malware is installed on the system automatically, after which the hacker can go to work to get the valuable information they want. Baiting does not have to take a physical form: it can also be online baiting, such as online ads that attract users to click and forward them to malicious sites, or that convince users to download harmful applications. A typical example of baiting is an infected USB drive or CD-ROM that is dropped where it can be found in a public area. A curious person picks up the item and plugs it into their computer, and in the end the USB drive or CD-ROM installs malware and infects their system and network.

Watering Hole

A watering hole attack is another type of social engineering in which the attacker compromises a specific group of individuals by infecting websites that they often visit. The objective is to infect a target's computer and gain access to the network. The cybercriminal first analyses the targets to understand which sites they visit frequently and identifies weaknesses and vulnerabilities in those websites that can be exploited. They then modify the site's code to turn it into a malicious site and wait for the target to connect. If vulnerabilities are found on the target's device, the malicious site installs malware automatically. Once the target's device is infected, the malware may scramble the user's data or capture usernames, passwords and credit card data that the user has entered.

In 2017, there was a serious incident involving CCleaner, a popular tool used to clean junk files. It suffered one of the most massive supply-chain malware attacks of all time: hackers compromised the company's server and replaced the original version of the software with a malicious one. The attack infected over 2.3 million users who downloaded or updated the application from the website between August and September and received the malicious version of the software. The malicious version of CCleaner carried a malware payload designed to steal data from infected computers. This incident had a great negative impact on users.

Watering hole attacks are uncommon for users, but they are becoming a significant threat because they are difficult to detect. The websites infected with malicious code are normally trusted entities, and individuals may not fully examine them. Most users inadvertently provide tracking information to the attacker while browsing. The attack also gives attackers information about browsing habits, cloud service access and the security policies of the organisation, which is dangerous for the people involved.

Scareware

Scareware, also known as fraudware, is a form of malicious computer program that uses social engineering to trick computer users into visiting malware-infected websites. The goal of this attack is to frighten people with fake virus alerts so that they quickly purchase and install the attacker's software. Scareware appears as a legitimate warning from antivirus software informing users of a problem, and the hackers then suggest that victims download their malicious version of antivirus software to fix it. Hackers also use other ways to distribute scareware, such as spam mail; when victims open the email, they are led into buying worthless services in the scam. Scareware usually follows a common pattern of pop-up windows warning you that a dangerous file has been found on your computer. The pop-ups keep appearing until you click the button to remove all threats or until you are persuaded to register for antivirus software.

In March 2019, Office Depot and its tech support vendor, Support.com, agreed to pay a 35 million USD settlement to the Federal Trade Commission after reportedly duping customers into downloading a free PC Health Check program that was used to sell diagnostic and repair services customers often did not need. From this example, we can see that scareware is also used to drive sales and not only to install malicious software. Once scareware is inside the victim's computer, it can access their credit card to pay for fake antivirus software. Besides that, scareware invades the computer and tries to record the victim's keystrokes and personal information. Scareware can also freeze your computer, because it attempts to take remote control of the machine to use it as a zombie robot.

Guidelines and Recommendations on Providing Security Awareness

Guidelines and recommendations for improving employees' security awareness are necessary practice in an organisation. Security awareness should always be in employees' minds to prevent social engineering from succeeding in the organisation. The following guidelines and recommendations can raise the level of security awareness in the organisation.

Secure Your Device

Employees always need to install antivirus software and firewalls and set their email filters to high on their devices to prevent social engineering attacks. This software performs tasks such as scanning for viruses and other threats to find potential threats inside the computer system and remove them. Employees also need to keep their software up to date so that the attacker cannot find weaknesses and vulnerabilities in the software to exploit. Employees can set the operating system to update automatically so that the system does not become outdated, or update manually when the system shows a notification reminding them. If the software is unpatched or outdated, the attacker might use these weaknesses to exploit and damage the system. Hence, employees should keep their software updated to mitigate a lot of the risk from attackers.

Beware of Any Download

The second recommendation for providing security awareness is to beware of any download. Employees should double-check the source of an attachment before they download it. Attackers exploit people's curiosity to spread something containing malicious code that breaks into the system. If victims download an attachment without paying attention or checking whether the source is trusted, the attacker may get what they want, such as personal information or the organisation's top-secret files. Employees therefore need to pay attention before they download any attachment from an unknown sender. If it is necessary to open the attachment, they should make sure to use protected view, which is enabled by default in many operating systems, so that the attacker has no chance to deploy social engineering attacks.

Reject Requests From Strangers

Employees should always reject requests for help, or offers of help, from strangers. A legitimate organisation will not contact you to request your help. If employees are unsure whether a request from an organisation is legitimate, they can contact the organisation directly to verify it and avoid any mistakes. When doing so, employees must not use the contact information provided on the websites connected to the request. Otherwise there is a risk that the attacker obtains personal information or information about the organisation, including its structure or networks, and sells it on the black market; such information should only be given to a person who is authorised to receive it. Following this recommendation helps employees increase their awareness and avoid falling for a scam or other type of social engineering by attackers.

Never Use the Same Password and Change Once Per Month

Most people use the same password for everything, such as social network accounts, online banking accounts, computers and email. However, people face a potential danger when they use the same password for all their accounts: once a hacker gets the password, they will use it to try to log in to other accounts and see whether it works. If they realise the victim uses the same password for everything, the hacker can steal financial information and personal data, or even use the victim's account to scam others. Therefore, people should never reuse the same password, so that nothing bad happens unknowingly. The guideline here is to change passwords frequently; the recommendation is to change them once per month. Besides that, use a combination of different characters to ensure that the hacker cannot crack the password.

Never Click on Embedded Link From Strangers

Employees must not click on embedded links when they receive email from unknown senders, because a link provided by an unknown sender may lead to malicious code. Once they click the link in the email, it forwards them to a malicious website that forces them to download and install malware that damages the computer system. After that, the attacker can use a keylogger to observe and steal the information employees enter. If employees do not know the sender, they do not need to answer the email and can simply ignore it. They can also use a search engine to look up the link and check whether the website is safe. Employees always need to remember that attackers can use fake email addresses to trick people, even addresses that appear to be from a trusted source.
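As an added illustration of the checks described in the Phishing section and in this one (example code, not from the essay), the following Python heuristics inspect a raw email for the red flags named above: urgent wording, a link whose visible text names a different site than the one it actually opens, a link that leads away from the sender's domain, and a plain-http link. The sample messages, all domain names and the two-label approximation of a registered domain are constructed assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed phishing sample (all domains made up): trusted-looking display name,
# urgent wording, and a link whose visible text names a different site than its href.
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@mail-example-bank.co>
Subject: Urgent: verify your account within 24 hours

<p>Your account will be suspended. Act immediately:</p>
<a href="http://login.example-bank.co.attacker.test/verify">https://www.example-bank.test/login</a>
"""

# Constructed benign message from the employee's own organisation, for contrast.
SAMPLE_LEGIT = """\
From: "IT Helpdesk" <helpdesk@example-corp.test>
Subject: Monthly newsletter

<p>See this month's tips on our intranet:</p>
<a href="https://intranet.example-corp.test/tips">https://intranet.example-corp.test/tips</a>
"""

URGENCY_TERMS = ("urgent", "immediately", "suspended", "within 24 hours", "act now")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")

def registered_domain(host):
    """Last two labels of a hostname, a crude stand-in for the registered domain
    (assumption for this example; real code should use the public suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def visible_host(label):
    """Host named by a link's visible text, or None if the text is not URL-like."""
    text = TAG_RE.sub("", label).strip()
    if not re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I):
        return None
    return urlparse(text if "://" in text else "http://" + text).netloc.lower()

def phishing_flags(raw_message):
    """Return (code, detail) pairs for the red flags employees are told to look for:
    urgency, link text vs. real target, links off the sender's domain, plain http."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    body = msg.get_payload()
    flags = []
    text = (msg.get("Subject", "") + " " + TAG_RE.sub(" ", body)).lower()
    hits = [term for term in URGENCY_TERMS if term in text]
    if hits:
        flags.append(("urgency", ", ".join(hits)))
    for href, label in ANCHOR_RE.findall(body):
        target = urlparse(href)
        target_domain = registered_domain(target.netloc)
        shown = visible_host(label)
        if shown and registered_domain(shown) != target_domain:
            flags.append(("link_text_mismatch", f"shows {shown} but goes to {target.netloc}"))
        if sender_domain and target_domain != sender_domain:
            flags.append(("link_sender_mismatch", f"{target.netloc} is not under {sender_domain}"))
        if target.scheme == "http":
            flags.append(("insecure_link", href))
    return flags
```

These are awareness heuristics, not a spam filter: the sender-domain check in particular will flag legitimate newsletters that link to third-party sites, so treat the output as a prompt to verify the sender through an independent channel rather than as a verdict.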

Training and Policies

Campaign to Educate Them About Social Engineering

Organisations should organise a campaign related to social engineering to educate and train their employees, because information is a strong weapon in preventing social engineering. Employees can learn how the different types of social engineering work and how to defend against them. They can also research how to identify each type of attack and ward off online criminals. If people are not educated about the types of social engineering attack used by attackers, they cannot possibly defend against them, and this causes losses for the organisation. This type of campaign builds sustainable knowledge about social engineering and trains employees' resilience for when attacks occur.

Make Training Become Part of Company Culture

Companies can implement a continuous training approach to increase their employees' security awareness of social engineering. Most employees forget what they learned in a training class because they do not practise it afterwards. This is dangerous, because they forget how to identify an attack and how to defend against it, and the attacker then has the chance to use social engineering to exploit the system. It is therefore necessary to make social engineering training part of employees' routine. Company management can send regular emails or an employee newsletter to warn and remind employees about social engineering. If employees keep their social engineering training in mind, they will know what information they are allowed to provide and what to do when an attack occurs.

Create Policies Against Social Engineering

Organisations need to create policies against social engineering, because otherwise employees do not know how to respond when a social engineering attack occurs. Policies help employees know the security protocol for protecting and securing their computer systems and avoiding information leaks. Policies also help them spot suspicious activity and take action immediately. One such policy is to report to the IT manager whenever they face a social engineering situation. This helps protect both personal and organisational property.

Conclusion

In conclusion, social engineering is widely used by cybercriminals because it relies heavily on human interaction, and it is easier to exploit human weaknesses than to hack a computer system directly. Cybercriminals keep inventing new social engineering ideas to trick and manipulate users. If organisations do not take this as a serious problem, it will go from bad to worse for users of information technology. However, employees can learn about social engineering and take action with the recommendations and guidelines against it. Thus, employees should focus more on social engineering and deploy countermeasures to secure their computer systems and ensure the safety of their personal and organisational information.

14 May 2021