Welcome to day one of our first Expert Week. We like to be in a constant state of learning here at UKFast, and there’s no better way to educate ourselves than spending time in the company of experts. With cybersecurity at the top of the agenda for every online business, it seems the perfect time to get up to speed with all the ways that an attack can strike.
The first of our five experts over five days is Michele Fincher. Michele is the Chief Operating Officer at social engineering consultancy Social Engineer and has over 20 years' experience as a behavioural scientist, researcher, and information security professional. She is also the co-author of the book Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails.
Here’s our chat with Michele:
Would you consider social engineering a form of hacking?
Yes, but not in the traditional sense. Many hackers like to describe their activities as finding ways to make technology behave in ways other than intended. Social engineering, by contrast, takes advantage of humans’ natural responses (such as being helpful) and uses them, often for malicious purposes. It’s not all bad, though; we also use positive influence to help friends, family, and colleagues, helping to “nudge” them in different directions.
Is social engineering always needed in order to hack? How do hackers use social engineering in their attacks?
Social engineering is not always needed, especially in a technical hack. But social engineering is easy, and the bar is low for entry. Instead of needing a certain level of technical acumen, a social engineer can pick up a phone and elicit a password instead of banging on a network for hours. Social engineers rely on human tendencies to be helpful, polite, and in many cases, to respond in unwise ways when placed in stressful situations.
What are some common social engineering tactics?
Phishing (emails), vishing (telephone elicitation), impersonation (onsite/in person attacks) and SMiShing (text messaging).
Where are social engineering tactics devised? Does it require a specialist or a team?
Absolutely not, and that’s why it’s continued to be a huge factor in recent breaches. I will caveat that, though; social engineering is a simple concept and works at our most basic human levels, but effective implementation isn’t always easy. The people who are most successful at it have a good working understanding of human motivation and decision making, non-verbal communication, and high emotional intelligence.
What social engineering tactics should people be most wary of?
Right now phishing is the number one concern at the corporate level. It’s a cost-effective way of reaching large numbers of people, and honestly, you only need one person to click on a malicious link to breach a corporate network. The second vector is vishing, but you can imagine that this activity requires much greater effort in terms of man-hours and at least some interpersonal/elicitation skill.
What can my employees or users do to mitigate the risk of a socially engineered security breach?
I wish I had a magic bullet, but it all comes down to education and testing. Learning to recognize and respond to suspicious requests is a lot like learning to do anything that takes skill. You don’t just learn to play chess once and assume you understand the game. In this case, we’re also training AGAINST natural human response. So you can imagine the amount of repetition and testing and reminders that are necessary to teach any population to be safe.