Technical Security Measures For Protection From Social Engineering
Introduction
Computer software and applications are used in more and more areas of life. Today we interact with a computer system almost every day, consciously or not: making a phone call, validating a Navigo card or buying an article on the Internet all depend on computer systems. In our cars, in aeroplanes and in the medical field, to name only these, computer systems automate processes and make life easier. Alongside the benefits we draw from these systems, however, we need to be aware of the risks that come with them. Although they are built for legitimate purposes, some individuals try to divert these systems from their original purpose and make them behave in unintended ways. To do so, these individuals (hackers) exploit weaknesses (vulnerabilities) that remain in computer systems because of design or implementation errors. This document presents some common countermeasures to hacking, then focuses on the weakest link in any set of security measures, the human, and on the attack method that targets humans directly: social engineering.
1. Common countermeasures to hacking
Hacking is the art of exploiting a system's vulnerabilities to gain illegitimate access to it or to take it down (denial of service). Since hackers rely on vulnerabilities residing in computer systems, companies now harden their software by patching vulnerabilities, by building security mechanisms in from the design stage, and by deploying security software and devices able to detect and block hackers' activity.
2. Human: the weakest link in security measures
Think of a site where a company stores its assets. The site has a very high fence and no way in except through the gate, where three guards are posted. No doubt this site is secure against thieves. But what if a group of thieves, dressed in fake police uniforms and arriving in a fake police car, claim that they have come to carry out a search? Will the three guards let them in? Probably they will. Simply by deceiving the guards, the thieves have entered a site that was supposed to be secure.
The same applies to computer systems. A company with many technical protections in place and security devices protected by very strong passwords is considered well protected. But its users must be trained well enough not to give those passwords to anyone who asks for them under a deceitful pretext. Otherwise, all the technical security measures in place are rendered useless by a human weakness.
3. Social engineering: hacking by exploiting humans
Social engineering is the practice of exploiting human traits (emotion, ignorance, fear, etc.) to gain access to computer systems. According to the website of the antivirus vendor Kaspersky, “Social engineering is a form of techniques employed by cybercriminals designed to lure unsuspecting users into sending them their confidential data, infecting their computers with malware or opening links to infected sites.”
Security devices are computers and behave exactly as they were programmed to. Unless it contains a vulnerability, a technical security device will always perform the protection task it was deployed for. Humans, however, can be deceived or manipulated. Consequently, if breaking into the computer system directly is hard, hackers will instead try to psychologically manipulate users in order to gain access to the system they are targeting. Depending on the attacker's ingenuity and on other factors such as the users' ignorance or the circumstances, social engineering can be very effective. A classic example is an email claiming to come from your bank and asking you to update your password. A more tangible example is what happened in 2015 in the UK, when a fraudster used a forged email address, made to look like the court's official address, to send the prison instructions for his own release.
4. Different types of social engineering
Social engineering can take many forms. One of them is the phishing email: a fake message, purporting to come from a legitimate organization, that asks users to update their credentials on a form controlled by the attacker. By complying, they simply hand their passwords over.
Another form consists in tricking the user into clicking a link that leads to a malicious website, which then installs malware on his or her computer.
There are many other forms of social engineering, and attackers keep inventing new scenarios, but with training and awareness users should be able to recognize and avert most of them.
5. Recommended attitudes to lower the risks
In some cases the attackers are ingenious enough to fool even the most vigilant users, but in general the following recommendations help:
- Never share your password, whether over the phone or by filling in a form.
- Never share information with unknown persons. Verify their identity first and make sure they really are who they claim to be.
- Never click on links in emails from unknown senders. In case of doubt, call the supposed sender through a contact you already trust, not a number given in the email, and verify that he or she really sent it.
- Education: train the users and raise their awareness.
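As an added example, not part of the original essay, the following Python script turns the two phishing patterns described in section 4 and the "verify the sender, distrust the link" recommendations of section 5 into automated checks on an email message. The trusted domain list, the sample messages and the heuristics are constructed for illustration: `analyze_message` parses a message with the standard library, compares the sender's address domain against the trusted list with homoglyph folding and similarity matching, and flags links whose visible text names a different host than the one they actually point to.

```python
import difflib
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed allow-list of domains this recipient legitimately deals with
# (assumption for the example; a real filter would take it from the
# organization's directory or mail gateway configuration).
TRUSTED_DOMAINS = {"examplebank.com", "courts.example.gov"}

# Digit-for-letter substitutions used to forge a trusted domain.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# Wording that pressures the reader into handing over credentials.
_LURE = re.compile(r"password|credential|verify your account|suspend", re.I)
# Link text that itself looks like a URL or a bare domain.
_URLISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I)
# Anchors in an HTML body; enough for this illustration, a production filter
# should use a real HTML parser instead of a regular expression.
_ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def normalize_domain(domain: str) -> str:
    """Fold homoglyphs so 'examp1ebank.com' compares equal to 'examplebank.com'."""
    return domain.strip().lower().rstrip(".").translate(_HOMOGLYPHS)


def is_trusted(domain: str) -> bool:
    """True only for a trusted domain itself or one of its real subdomains."""
    d = domain.strip().lower().rstrip(".")
    return any(d == t or d.endswith("." + t) for t in TRUSTED_DOMAINS)


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None when it is
    genuinely trusted or unrelated to every trusted domain."""
    if is_trusted(domain):
        return None
    d = normalize_domain(domain)
    for t in sorted(TRUSTED_DOMAINS):
        tn = normalize_domain(t)
        # homoglyph copy, brand embedded in another domain, or near-identical spelling
        if d == tn or tn in d or difflib.SequenceMatcher(None, d, tn).ratio() >= 0.9:
            return t
    return None


def analyze_message(raw: str) -> list:
    """Findings for one RFC 5322 message; an empty list is not proof of legitimacy."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender: the display name is free text, so only the address domain counts.
    if msg["from"] and msg["from"].addresses:
        sender_domain = msg["from"].addresses[0].domain
        imitated = lookalike_of(sender_domain)
        if imitated:
            findings.append(f"sender domain {sender_domain!r} imitates {imitated!r}")

    # 2. Links: compare what the reader sees with where the link really goes.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        links = _ANCHOR.findall(content)
    else:
        links = [(u, u) for u in re.findall(r"https?://\S+", content)]

    for href, text in links:
        host = (urlparse(href).hostname or "").lower()
        if not host:
            continue
        shown = _URLISH.match(text.strip())
        if shown and shown.group(1).lower() != host:
            findings.append(f"link text shows {shown.group(1)!r} but points to {host!r}")
        if not is_trusted(host):
            imitated = lookalike_of(host)
            if imitated:
                findings.append(f"link host {host!r} imitates {imitated!r}")
            elif _LURE.search(content):
                findings.append(f"credential lure pointing to untrusted host {host!r}")
    return findings


# Constructed samples: the forged-bank email from section 4, and a genuine one.
PHISHING_SAMPLE = """\
From: "Example Bank Security" <security@examp1ebank.com>
Subject: Action required: update your password
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be suspended unless you update your password.</p>
<p><a href="http://examp1ebank-login.net/update">https://www.examplebank.com/login</a></p>
</body></html>
"""
LEGITIMATE_SAMPLE = """\
From: "Example Bank" <notices@mail.examplebank.com>
Subject: Your monthly statement is ready
Content-Type: text/plain; charset="utf-8"

Your statement is available at https://www.examplebank.com/statements
We never ask for your password by email.
"""
```

Calling `analyze_message(PHISHING_SAMPLE)` returns three findings (forged sender domain, link text that does not match the real destination, and a credential lure pointing at an untrusted host), while `analyze_message(LEGITIMATE_SAMPLE)` returns an empty list even though it mentions the word "password", because its only link goes to a trusted domain. An empty result is not proof of legitimacy, which is exactly why the training recommended above remains necessary: heuristics like these catch the common tricks, and the user must still verify whatever gets through.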
Conclusion
It is good, and even mandatory, that companies set up technical security measures to protect their infrastructure, but they must not forget to address social engineering by continuously training their users, giving them the means to detect social engineering traps and avoid falling into them. Security is not just a matter of technical measures; it also involves organizational policies and user awareness.