By Mateo Gutiérrez Gómez | June 04, 2019
Companies invest millions of dollars in IT infrastructure and cybersecurity to keep their information protected, but when it comes to training their employees the investment is minimal. Employees who daily manipulate, organize, create or update a company’s main data are the main link between the IT infrastructure and the data that resides in it.
Reality dictates that absolute security is impossible, but let me ask you this: what would you think if I told you there’s a way to get your information that does not need any Internet connection, server or computer?
There are many types of social engineering attacks, but we will mainly focus on the one that needs neither a machine nor an Internet connection to be successful.
"If my systems are secure, my data is also secure."
This phrase is usually true, but we have to remember that humans are also an important part of a company’s security. If we don’t consider the human factor, any assessment of security remains incomplete, and a hacker with malicious intentions could use this weak link to compromise a system or steal sensitive information.
Usually, an intrusion begins by scanning the exposed perimeter of the target. This reveals all the exposed, badly protected or open ports and services that are vulnerable to attack; they become the entry points for anyone intending to breach a system. But what happens when no service is exposed, or every exposed service is well secured? Attackers must make a decision: force their way in and put themselves at risk, or search for a weaker link. This is where social engineering becomes important.
In hacker jargon, there’s an attack called the "secretary attack". This assault can affect anyone; "secretary attack" is simply the name it was given. The assault is executed by leaving a USB drive near or at the victim’s workplace. The attacker then waits for the victim to plug the device into their computer, which provides an entry point and allows the attacker to breach the network.

Another way this vulnerability is exploited is to ask someone to print out a document from an infected USB drive. It’s common for the attacker to cut ties with the victim once the attack has taken place, making this type of assault difficult to trace.
The attack mentioned above is widely used whether the target is a big or a small company. It is executed when there is no possibility of establishing direct access to the company’s network devices through a common vulnerability. If this intrusion is successful, it will leave no trace and will allow the attacker to obtain any wanted information. The information taken will eventually be used to penetrate the company’s systems and will potentially put critical infrastructure at risk. The consequences are not only economic: they can also reduce productivity, change how an organization’s stakeholders view the company’s credibility, and damage the company’s overall reputation.
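Because the secretary attack only succeeds once an unknown storage device is plugged in, the corresponding control on the defender’s side is to notice that moment. The following is an added example, not code from the original post: it parses constructed kernel log lines of the kind Linux writes when a USB device is attached, joins the device’s vendor/product ids to the line that reports mass-storage capability, and alerts on any storage device that is not on an approved list. The sample log text and the ids in it are made up for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample kernel log lines (not taken from the article), in the style
# Linux writes when USB devices are attached. Port "1-2" is a thumb drive,
# port "1-3" is a mouse. Vendor/product ids are made up for this example.
SAMPLE_KERNEL_LOG = """\
Jun 04 09:12:01 ws-17 kernel: usb 1-2: new high-speed USB device number 5 using xhci_hcd
Jun 04 09:12:01 ws-17 kernel: usb 1-2: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.00
Jun 04 09:12:01 ws-17 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Jun 04 09:12:02 ws-17 kernel: sd 6:0:0:0: [sdb] 30031250 512-byte logical blocks: (15.4 GB/14.3 GiB)
Jun 04 10:45:33 ws-17 kernel: usb 1-3: New USB device found, idVendor=046d, idProduct=c077, bcdDevice=72.00
Jun 04 10:45:33 ws-17 kernel: input: USB Optical Mouse as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/input/input12
"""

# Enumeration line: carries the bus-port id plus vendor and product ids.
NEW_DEVICE_RE = re.compile(
    r"usb (?P<port>\d+-[\d.]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})"
)
# usb-storage line: same bus-port id, followed by the interface number.
MASS_STORAGE_RE = re.compile(
    r"usb-storage (?P<port>\d+-[\d.]+):\d+\.\d+: USB Mass Storage device detected"
)


@dataclass
class UsbAlert:
    port: str
    vendor_id: Optional[str]
    product_id: Optional[str]
    reason: str


def find_unapproved_storage(log_text: str, allowlist: Set[Tuple[str, str]]) -> List[UsbAlert]:
    """Return one alert per USB mass-storage device whose (vendor, product) id is not approved.

    The kernel logs a device's ids on its enumeration line and reports mass-storage
    capability on a later usb-storage line; both carry the same bus-port id, which
    is used here to join them. Non-storage devices (keyboards, mice) are ignored.
    """
    seen: Dict[str, Tuple[str, str]] = {}
    alerts: List[UsbAlert] = []
    approved = {(v.lower(), p.lower()) for v, p in allowlist}
    for line in log_text.splitlines():
        m = NEW_DEVICE_RE.search(line)
        if m:
            seen[m["port"]] = (m["vid"].lower(), m["pid"].lower())
            continue
        m = MASS_STORAGE_RE.search(line)
        if not m:
            continue
        port = m["port"]
        ident = seen.get(port)
        if ident is None:
            # Storage reported for a port we never saw enumerated: still worth a look.
            alerts.append(UsbAlert(port, None, None, "mass storage detected before any enumeration line"))
        elif ident not in approved:
            alerts.append(UsbAlert(port, ident[0], ident[1], "mass storage device not on the approved list"))
    return alerts


if __name__ == "__main__":
    for alert in find_unapproved_storage(SAMPLE_KERNEL_LOG, set()):
        print(f"port {alert.port}: {alert.vendor_id}:{alert.product_id} {alert.reason}")
```

In a real deployment the log text would come from the endpoint’s journal or a log forwarder, and the allow-list would hold the vendor/product ids of company-issued drives; the point of the join on the bus-port id is that an alert fires only for devices that actually expose storage, not for every peripheral a user plugs in.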
A cybercriminal can also use this kind of attack to steal information from individuals. The purpose can be to expand a network of contacts and gather more information, which allows the thief to pass as someone else. This situation is known as identity theft, which brings us to a related attack called phishing. Phishing allows the attacker to move from person to person within a victim’s social circle, collecting more information for later use.
In phishing, an attacker impersonates a company or person using emails, Facebook or other social media. In 2017, there was an outbreak of phishing attacks that appeared to be coming from Apple. The scammer asked people to log in to a fake Apple support page that asked for sensitive data such as full name, credit card information, email, and address. The information provided by the victims was used to shop online. Another common example is the “Nigerian Prince”, who offers the victim a considerable amount of money in exchange for a small amount of money. Usually, $20-50 USD is asked for, and in return the fake prince says he will transfer millions of dollars to the victim’s designated account.
How can a company prevent social engineering attacks? By giving a worker only the information they need to fulfill their duties. However, this must be complemented with good employee training and clear regulations on information disclosure, manipulation and secrecy. By the end of the training, an employee must know what information can be public and therefore shared, or what information is private and should have restricted access. This must apply all the time, regardless of whether an employee is working from within the company’s physical building or from a remote location.
The same rule applies to individuals. They should know what information can be public and what information should be private. For every email received, it is always good to check the sender’s information to spot phishing mail targeted at you. Avoid answering unknown emails that ask you for sensitive or private information such as date of birth, passwords, addresses, phone number, credit card or account numbers, and other related data. If we "install" a "mental antivirus" that distrusts people and organizations asking for details that should not be widely known, we can prevent the information leaks, money losses, wasted time, and headaches that usually accompany these kinds of attacks.
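"Check the sender’s information" can be made concrete. The following is an added example, not code from the original post: it reads a message’s sender-related headers with Python’s standard `email` module and reports the disagreements a reader should look for, namely a display name that invokes a brand whose domains do not match the actual address, and Reply-To or Return-Path domains that differ from the From domain. The two sample messages, their domains, and the brand-to-domain table are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Set

# Constructed sample messages (not from the article); all domains are made up.
SAMPLE_PHISH = """\
Return-Path: <bounce@mail-notify-example.net>
From: "Apple Support" <support@appleid-verify-example.com>
Reply-To: <account-review@mailbox-example.org>
To: <victim@example.com>
Subject: Your Apple ID has been locked

Please sign in to review your account details.
"""

SAMPLE_LEGIT = """\
Return-Path: <alice@example.com>
From: Alice <alice@example.com>
To: <bob@example.com>
Subject: Lunch on Thursday?

Are you free around noon?
"""

# Assumed brand-to-domain table for the example; a deployment maintains its own.
BRAND_DOMAINS: Dict[str, Set[str]] = {"apple": {"apple.com"}}


def address_domain(header_value: str) -> str:
    """Extract the lower-cased domain from a From/Reply-To/Return-Path header value."""
    _display, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def check_sender(raw_message: str, brand_domains: Dict[str, Set[str]]) -> List[str]:
    """Return human-readable findings where the sender headers do not agree with each other."""
    msg = message_from_string(raw_message)
    from_header = msg.get("From", "")
    display_name, _addr = parseaddr(from_header)
    from_domain = address_domain(from_header)
    findings: List[str] = []
    if not from_domain:
        findings.append("From header missing or has no usable address")
        return findings
    # A display name that names a brand while the address lives elsewhere.
    for brand, domains in brand_domains.items():
        if brand in display_name.lower() and from_domain not in domains:
            findings.append(f"display name mentions '{brand}' but the address domain is {from_domain}")
    # Replies or bounces routed to a different domain than the visible sender.
    for header in ("Reply-To", "Return-Path"):
        domain = address_domain(msg.get(header, ""))
        if domain and domain != from_domain:
            findings.append(f"{header} domain {domain} differs from From domain {from_domain}")
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, check_sender(sample, BRAND_DOMAINS) or ["no findings"])
```

These checks are signals rather than verdicts: legitimate bulk mail often has a Return-Path on a mailing provider’s domain, so a single mismatch is a reason to look closer, not proof of phishing. At the mail-server level, SPF, DKIM and DMARC perform the authoritative version of this comparison.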
Corporate member of The OWASP Foundation