Securing enterprise information is a difficult job: protecting systems, networks and endpoints from ever-evolving external and internal threats is a constantly moving target. Social engineering makes it a next-to-impossible feat, because it sneaks under the radar of technical controls and slowly spreads its tentacles through the organization.
What Is Social Engineering?
It can be broadly classified as any attempt in which the criminals do not try to breach a network through system vulnerabilities, but instead play on human psychology and manipulate people into breaking normal security procedures and best practices. The attack gets people to share sensitive information that is then used to gain access to physical locations, systems or networks. An organization could have the best firewalls in place and the best cybersecurity systems and procedures implemented, and yet realize one fine morning that it has lost sensitive information to cybercriminals.
The Construct of a Social Engineering Attack
Unlike a general phishing attack, which sends blind emails or calls to a few thousand recipients, a social engineering attack is a very customized and targeted mode of gaining access. It requires a lot of preparation but also has a much higher chance of success. The preparation involves finding very specific information on the target firm's organization chart, employees and systems. It may be aimed at employees in the finance or accounts division, or more generally at employees with low-level access to systems who can serve as an entry point. The idea is to find a vulnerable person rather than a system vulnerability, and then to create fear, greed or curiosity to entice that person into breaking a security protocol.
It normally starts with the attacker gathering company information from online and offline sources to determine which people will be the target. Internet