Fostering Cybersecurity Governance in Organization on Social Engineering Awareness

Abstract

The world of information technology and the Internet is becoming more and more common. There is a potential danger that are hiding in the Internet which is social engineering. It is a threat that can manipulating users and cause serious affect. There are many security leaks or expose of information out of organization is due to the human factor not false technological solution. Many policy makers are not aware that the people inside the organization could be the issue that give the information to potential hackers intentionally or unintentionally.

In this study, it will describe about different type of social engineering that cybercriminal commonly used. Besides, there are some guideline and recommendation that are suggested to the users to against social engineering attacks. Other than that, some of the trainings and policies to towards social engineering awareness would mention in this study. The objective of this paper is to introduce social engineering with related example and providing guideline and recommendation into these attacks.

Keywords— Social Engineering, Phishing, Pretexting, Baiting, Watering Hole, Scareware, Guideline, Recommendation, Policy, Training

Introduction

Over the last 10 years, the status of Internet and information technology are getting higher and higher. People continue to innovate the area of information technology to bring more convenience to their future life such as communication, data sharing, training, business and others. The advancement of the information technology can magnify their advantage, especially internet, has bring many benefits for people so they can do many stuffs with the Internet or the opportunities for organizations which can develop a new market through the channel.

Besides, Internet has become the largest communication and information exchange medium in the world. In our daily life, the social networking sites like Facebook, Twitter, Instagram, LinkedIn, YouTube and others are become our daily routine in private and business communication. However, with the ease of Internet would come numbers of cybercriminal to offence the users through the Internet. They will use social engineering to make crime and weaken the cybersecurity chain. The social engineering has been exposed to numerous privacies and valuable data from individuals and enterprises.

Social Engineering is a type of cyber-attack that often used by cybercriminals. It is an attack that relies heavily on human interactions and often manipulating individuals and enterprises into breaking the security procedure in order to gain access to system, networks or physical locations. [1] stat that the cybercriminals use social engineering techniques hide their true identities and disguise as trusted individuals or information source to approach the victims. Social engineering is a popular trick among cybercriminal because it is easier to exploit users’ weaknesses than find a network or software vulnerability.

The aim of this attack is to trick, allure or influence the victims to giving up those sensitive data or access within organization. According to [2], there are 43% of incidents of social engineering in 2018. Cybercriminal will use social engineering to convince people to open the email attachment in order to get infected with malware or persuade those victims to expose their sensitive information. If the users are not considered social engineering is a serious issue, it might be bringing serious consequences towards Internet and users.

Problem Statement

Cybercriminals become more and more that using social engineering to deploy attacks to organizations and individuals. The connection between social engineering and growth of social networks is obvious, this is why the number of cybercriminals using social engineering is increasing. There are two problem that can let the cybercriminals to break into the computer system. The first problem is cybercriminals could exploit the weaknesses and vulnerabilities of outdated software. This can be explained by them can use the vulnerability of the software to gain access into the system to get confidential information which is make the system is not well protected. The second problem is cybercriminal could use social engineering technique to trick the employees and manipulating them to provide sensitive data of organization.

This will be causing them to send the information that useful for attacker unintentionally. Other than that, Employee also may provide sensitive information to the parties that is legitimate and accept the request for help from attacker. Most of the organization was lack of educate their employees about social engineering and the procedure to defend against it. In fact, the employees lack of security awareness towards social engineering technique for the company and this weakness may put themselves and their organization in danger.

Type of Social Engineering Attacks

Phishing

Phishing is one of the most popular social engineering attack type that cybercriminal used. It is when cybercriminal and hackers send a fraudulent email and disguised as a legitimate email. The fraudulent email is often purporting to users that the email is from trusted sources to defraud the user’s trust. The message inside the email will manipulating the recipient and steal their personal and valuable information such as usernames, password and credit cards.

When the victim open and read the email or text, the message will request the victim go to a website and act immediately or risk some sort of consequence. If the victim clicks the link inside the message or text, they will forward to a fake legitimate website and ask them to log in their username and password or install malware inside the system of victim’s devices. In case they follow the instruction that the message said, the information will be sent to attacker, who going to steal identities, steal bank accounts, and sell personal information on the black market.

In year 2018, one of the biggest phishing scams that occurred is related to World Cup and vacation rentals. This is the phishing attack that follow current news and trends that hackers continue to rely on a trustworthy method to steal personal data and rip people off. According to [3], the World Cup in Russia gathers the best and famous soccer players from the world to play the tournament. The fans of soccer will dream about to finding affordable tickets to watch the tournament. According to the Federal Trade Commission, those cybercriminal plan to trick fans with phishing email that reliable, but it was fake for free trips to Moscow. For the vacation rental scams, attackers will target the landlords who are advertising, they will take away the email from landlord. After that, they will replace email address on rental property ads like Airbnb with their own address to bait the users.

Cybercriminal or attackers that use phishing attack also known as Phishers may use social engineering and other sources of information like LinkedIn, Facebook and Twitter to gather background information about the victim’s personal and work history, their status, and daily routine. Basically, most of the phishing emails are easy to recognize and clearly fake, the phishers are start use the techniques that professional marketers use to identify the most effective types of messages to lure the users. This can be said that phishing is the simplest kind of cyberattack but at the same time, it was the most dangerous and effective attack to users.

Pretexting

Pretexting is a type of social engineering which can get confidential data from victims. It often involved a fraud that the cybercriminal gets information to confirm the identity of the person that they interacted. When vigilance of target is low, the attacker will ask several questions to get individual personal identifiers like target’s name, date of birth, account number or address after they build trust with each other. This attack builds a persuasive story to convince user is necessary. Pretexting are normally used to gain sensitive and non-sensitive information from targets. They will keep do research and gather good information from targets in order make a good pretext that able to spoof the target. Other than that, pretexting doesn’t need user click the link to install malware or sent them to illegitimate website. The attacker will be disguised as trusted organization or unit to bait victim hand over their sensitive information with no doubt.

The example of pretexting work is the Finance Assistant in an organization receive a call from someone is pretend to be a cooperation partner. After several times of discussion, the caller tries to explain and verify financial information as a part of new process. The finance assistant put down the guard and provide the information as the caller request. From this example, the caller uses convincing story to build up the trust from financial assistant and lure the target hand over the information. The other examples of pretexting can be fake emails you receive from your close friend need money urgently that probably is a fake account.

The advance form of pretexting attack is manipulating the victims into perform an action that let attacker to discover and exploit the weaknesses and vulnerabilities inside an organization. The attacker tries to verify some account information in online scams as a part of attack. The information leaked from victims is generally of a sensitive data, and this can be easy for attack to gain access using victims account. The success of the pretexting attack is heavily related on the ability of attacker in building trust with victims. However, security experts and law enforcement able to conduct investigations to track down the cybercriminal who deploy this attack toward victims.

Baiting

Baiting is a technique similar to phishing attack that uses something that can pick up target’s attention and curiosity to deploy attack. [4] mention that it involves offering targets with free stuffs like free music and movies. They bait users and steals their personal information or invade their system using malware. Cybercriminal can use physical devices to perform baiting such as USB thumb drive, cell phone, memory card or CD-ROMS that can catch attention of victims. When victims pick up the bait and insert it into computer or other devices, it will cause the malware install into the system automatically. After that, the hackers also able to work in order to get the valuable information that they want. Baiting is not necessarily in physical form to perform the infection. It can be online baiting form like online ads that can attract users to click it and forward to malicious sites or convince users to download harmful application.

The example of baiting is an infected USB or CD-ROMS is drop and able to find in public area. People with curiosity would plug the item that they pick up into their computer. At the end, the USB or CD-ROMS can install malware and infect their system and network.

Watering hole

Watering hole is another type of social engineering which the attacker tends to compromise a specific group of individuals by infecting websites that they often visit. The objective of this attack is to infect a target’s computer and gain access to the network. From [5] we know that the cybercriminal initially analyses their target to understand the sites they visit frequently and identify the weaknesses and vulnerabilities that can exploit from the websites. They modify code of the site to become malicious site to let target connect it. If vulnerabilities are found inside the target’s device, the malicious site will install the malware automatically. Once the target’s device is infected, it may scramble the user’s data or capture username, passwords, credit card data that entered by user before.

In year 2017, there was a serious incident which occurred in Ccleaner. Ccleaner is a popular tool that used to clean potentially junk files. However, [6] was suffered by a massive supply-chain malware attack of all times, where the hackers exploit the company’s server and replace the original version of the software with the malicious version. This attack has been infected over 2.3 million users who downloaded or updated their application between August and September from the website with the malicious version of the software. The malicious version of Ccleaner had a malware payload was designed to steal data from infected computers. This incident was caused a great negative impact towards the users.

Watering hole attack are uncommon to users, but they will become a significant threat because they are difficult to detect. The infected websites with malicious code are normally trusted entities and individual that may not fully examine them. Most users were inadvertently providing the tracking information to attacker while browsing. It also provides the attackers with information about browsing, cloud services access and security policies of the organization which is dangerous to the people.

Scareware

Scareware also known as fraudware is a form of malicious computer programs which uses social engineering that trick computer users into visiting malware-infected websites. The goal of this attack is to frighten people using fake version of virus alerts to force them purchase quickly and install it. In the case of scareware, it will appear as a legitimate warning from antivirus software to inform users. The hackers will suggest victims to download their malicious version antivirus software to fix it. Hackers also use other ways like send spam mail to distribute scareware to victims. When they opened the email, victims are going to buy worthless services in this scam. Scareware always come with a common pattern which is pop-ups windows. It going to warn you that dangerous file has been found inside your computer. After that, it will continue pop up until you click the button to remove all threat or persuade you to register for antivirus software.

In March 2019, Office Depot and tech support vendor, Support.com, agreed to pay the Federal Trade Commission 35 million USD settlement after reportedly duping customer to download a free PC Health Check Program that used to sell diagnostic and repair services customer often did not need. According to [7], many customers are convinced to purchase products and services that they do need or not affordable. From this example, we can know that scareware is being used to drive sales and not to install malicious software.

Once the scareware was inside the victim’s computer, it will be accessing their credit card to paying money for fake antivirus software. Besides, scareware will invade their computer and try to record the keystrokes and personal information of victims. Other than that, scareware also will freeze your computer. This can be explained by it will attempt to take remote control of your computer to serve as a zombie robot.

Guideline And Recommendation on Providing Security Awareness

Guidelines and recommendations on improve employees’ security awareness is necessary to practice in an organization. Security awareness should be always in employees’ mind to avoid any social engineering occurred in organization. Other than that, it should be increase the level of security awareness through these guideline and recommendations in organization.

Secure your device

Employees always need to install antivirus software, firewalls, and set email filter to high inside the devices to prevent any social engineering attack. This software can perform their task like scan of virus and other threat to find out the potential threat inside the computer system and remove it. Besides, they also need to keep their software up to date in case the attacker cannot find any weaknesses and vulnerabilities in the software to exploit. For the part of software, employees can set their operating system to automatically so the system won’t outdate or use manual update when the system have a notification to remind them. If the software is unpatched or outdated, the attacker might use these weaknesses to exploit and damage the system. Hence, employees should keep their software updated to mitigate a lot of risk from attackers.

Beware of any download

The second recommendations on providing security awareness is beware of any download. This can be explained by employees should double check the source of the attachment before they want to download it. The attacker would use the curiosity of people to spread something with malicious code to break down the system. If the victims download the attachment without attention or check the source whether trusted or not, attacker may get what they want like personal information, top secret file of organization and others. In this case, employees need to be attention before they download any attachment from unknown senders. If it is necessary open the attachment, make sure they use protected view which is enabled by default in many operating systems to prevent the attacker have the chance to deploy social engineering attacks.

Reject requests from strangers

Employees should always reject the requests for help or offers of help from strangers. This is because a legitimate organization will not request you to help them voluntarily. If the employees are unsure the request from organization is legitimate, they can call and verify the organization directly to avoid any mistakes. Besides, employees must not use personal contact information to provide the websites that are connected to the request. It might have the risk that the attacker can get personal information or the information about the organization, including its structure or networks that can sell it to the black markets, unless the person has the approval to get the information from employees. From this recommendation, it can help them to increase their awareness to avoid falling for a scam or other type of social engineering from the attackers.Never use the same password and change once per month

Most of the people would use the same password for everything such as social network accounts, online banking account, computers, emails and so on. However, people will face a potential danger when the they use same password to all their account. This is because once the hacker gets the password, they will use it to log in other account to try whether it work or not. If they realize the victim is use the same password for everything, the hacker can steal the financial information, personal data, or even use victim’s account to scam others. Therefore, people never use the same password to avoid anything bad to happen unknowingly. The guideline for this is change their password frequently, recommended to change it once per month. Besides, use the combination of different character to ensure the hacker will not crack the password.

Never click on embedded link from strangers

Employees must not click on embedded link when they receive email from unknown senders. This can be explained by the embedded link that provided by unknown senders may contain malicious code. Once they click the link in email, it will forward to the malicious website and force you to download and install malware to damage the computer system. After the process is done, the attacker can use keylogger to observe the information that employees enter and steal it. If employees do not know the sender, they do not need to answer the email and just ignore it. They also can use the search engine to search for link to ensure whether safety for the website. Hence, employees always need to remember that the attacker can use fake email address to trick people, even the address is from trusted source.

Training And Policies Towards Social Engineering Awareness

Trainings can make employees to aware that fraudulent engineering attacks occur, and there are some policies that employee can use to detect attacks to protect their confidential information.

Campaign to educate them about social engineering

The organizations should organize a campaign that related to social engineering to educate and train the employees. This is because information is a strong weapon in preventing social engineering. Employees can learn how the social engineering work in different type and defend against it. Besides, they can research the facts on how to identify the type of attack and ward off online criminals. If people are not educated of the types of social engineering attack that used by attacker, they cannot possibly defend against them and causing losses of the organization. This type of campaign can raise the knowledge that are sustainable about social engineering and train their resilience when the attacks was occurred on them.

Make training become part of company culture

The companies can implement a continuous training approach to train their employee increase security awareness toward social engineering. Most of the employee would forget what they learn from training class due to lacks practice after trainings. It would be dangerous for them because they will forget how to identify the attack and the ways to against it. After that, the attacker has the chance to use social engineering exploit the system. It is necessary to make social engineering training to become a part of routine of employees. The management of companies can send regular emails or employee newsletter to warn and remind employee about social engineering. If employees set social engineering training in their mind, they will know what information that allowed to provide and know what to do when attack occurs.

Create policies to against social engineering

Organization is necessary to create some policies to against social engineering. This is because the employees do not know how to solve the problem when social engineering attack is occurred. The creation of policies would help them to know the protocol for security to protect and secure their computer system to avoid the leaked of information. The policies also help them to spot suspicious activity and take action immediately. One of the policies they can use is report to IT manager when they face the social engineering situation. From the help of policy, employees can recognize that they are an important part of organization security. Moreover, they will know that the integrity of an employee is the best defense for protecting sensitive information that relate to organization. Therefore, it is good to protect the personal or organization property.

Conclusion

In conclusion, we can conclude that social engineering is widely used for cybercriminals because it relies heavily on human interaction and easier to exploit the weaknesses to hack their computer system. Besides, the cybercriminal will keep innovate new idea of social engineering to trick users and manipulating them. If organization do not take this as a serious problem, it might become worst to worse for the users that using information technology. However, employee can learn the knowledge about social engineering and take action with recommendation and guideline to against them. Thus, employee should more focus on social engineering to deploy countermeasure to secure computer system to ensure the safety of their personal and organization information.