The Human Factor

So far, we have discussed security control types and functions and how layers of controls provide defense-in-depth. These controls protect data from outside threats, but an even greater area of concern is the "inside threat" – people. Read the introduction and the two sections on social engineering in this article about the human factor. Why are people a threat to information security?

Social engineers' attack strategies

Social engineers employ a variety of tactics to trap their targets into performing actions of the attacker's choosing. These range from something as simple as gaining someone's trust over the phone in order to obtain confidential information, to setting up bait so that the target visits a compromised website via phishing methods. Social engineers are the modern equivalent of con artists, the only difference being that the latter use non-technical methods to cheat people out of their hard-earned money.

Out of the many taxonomies and models available, Kevin Mitnick's social engineering attack cycle, as described in his book The Art of Deception: Controlling the Human Element of Security, is the most commonly recognised social engineering attack model. As illustrated in Fig. 1, the model depicts the four phases which occur before and during a social engineering attack.

Fig. 1. Kevin Mitnick's social engineering attack cycle

During the Research stage, the attacker gathers information about the target, its weaknesses and anything else that can aid the later phases of the attack. Develop Rapport and Trust is the second stage, during which the attacker aims to acquire the trust of the target. That trust is exploited during the third stage, Exploit Trust, to elicit information from the target, to manipulate the target, or merely to instruct the target to carry out actions that yield the desired knowledge or outcome. The fourth and last stage, Utilise Information, is the final act of the attack, during which the information and resources acquired during the first three stages are put into action to achieve the desired result.

The next subsections examine which particular human traits social engineers generally exploit to obtain compliance from their subjects.


Psychological manipulation

In many cases, the usual target of a social engineering attack is someone who is in a position of authority, or who at minimum is in possession of privileged information that is useful to social engineers. For an employee to reach that level, they naturally have to go through certain steps within their company to prove their competence. Therefore, the majority of the people exploited by social engineers do have expertise, or at least reasonable proficiency, in their line of work. Yet we see how easily social engineers fool people into handing over sensitive information.

Social engineers use various psychological manipulation techniques to acquire the confidence of their attack subjects. Their methods range from appeals to emotion, play on words and charm to impersonation, all intended to make the target feel at ease with them.


Obedience to authority

Humans are wired to respect authority. From a young age, we are taught by our elders to show respect and listen to people in authority. This means obeying parents, teachers and the law, and when one enters professional life it extends to managers, bosses and superiors who expect that level of adherence. This is precisely another psychological vulnerability in humans that social engineers so eagerly exploit.

Being respectful and courteous is important, but becoming exceptionally compliant whenever orders are issued by superiors is an unhealthy attitude with detrimental consequences. It is indeed a psychological flaw in some people, and one that social engineers actively exploit.


Exploiting naivety

Social engineers thrive on people's naivety. Once we take into account that some people are non-analytical, technologically ignorant or lacking in Internet experience, and couple this with natural gullibility, we realise that those members of our society are effectively holding up an "open to exploitation" placard for all to see.

Once a window of opportunity presents itself, social engineers act without any undue delay. Natural disasters, celebrity gossip and trending topics are popular ways for scammers to grab the attention of potential victims and tempt them to click on click-bait links. These links are then shared and spread across the Internet through compromised accounts. The idea is usually to get people to click on the links, which lead them to a malicious website that infects their computers with malware that harvests their login credentials, while at the same time using the profile of the newly acquired victim to spread the scam further.

The trend in the enterprise to invest more in technology, but not in people, usually turns into regret once a breach occurs. A company can install ten different types of firewalls and intrusion detection systems to protect data, but these measures are ineffective at stopping someone from handing over their credentials to an attacker in a well-organised social engineering attack. However, training and awareness can play a crucial part in helping people recognise when they are being attacked and react appropriately.

The next section explains the proposed social engineering defence framework, which enterprises and businesses can adopt to reshape their workforce into competent guardians against the social engineering threat.