User Domain Business Drivers

People have an advantage over automated controls in dealing with the unexpected. This is especially true when dealing with changing customer needs. Automated controls can only mitigate risks that have been clearly identified and encoded in their software. Consequently, the User Domain will always have more unpredictable risks that must be addressed.

While people are essential in implementing effective security policies, they are also the weakest link. Unlike automated security controls, people can let their guard down. Automated controls never sleep or take vacations and work relentlessly 24 hours a day. People, on the other hand, can simply have a bad day, be distracted, and may not have information security at the top of their minds. Another unknown is the variation in skill level between people. People are also inconsistent, and they leave at the end of their shift. Offices may end their standard work week on a Friday and reopen on Monday, or even Tuesday when Monday is a holiday. These long weekends are a prime time frame for weaknesses in information security to be exploited by an insider.

Three areas of human weakness are a driver of noncompliance and potential security risks: social engineering, human mistakes, and insider threat.

Social Engineering

Social engineering is a term referring to manipulating or “tricking” a person into weakening the security of an organization. Social engineering comes in many forms. One form is simply having a hacker befriend an employee. The more intimate the relationship, the more likely the employee will reveal knowledge that can be used to compromise security. Another successful method is pretending to be from the information technology (IT) department. This is sometimes called “pretexting.” The hacker calls an employee and tries to convince the employee to reveal information, such as the employee’s ID and password. The hacker might instead ask the employee to check a website, claiming to be having trouble accessing the site. No information is being asked for; the employee is simply checking whether they have the same problem. Unknown to the employee, accessing the website loads malware that takes over the employee’s machine.

Many different techniques fall under social engineering, but they all rely on tricking the employee into a noncompliant action. A hacker uses social engineering because it is much easier than breaking through automated controls, which can take weeks, months, or years. The results can be uncertain. You may never be able to bypass the automated controls. If you do bypass the controls, you still may not be able to access the information you want. Randomly calling employees and posing as an IT department employee, or customer service needing urgent help, can be accomplished within a few hours. It only takes one individual letting down their guard to be successful.

Human Mistakes

The one characteristic we all share is that we make mistakes. At some point in our lives, we make an error due to carelessness, a lack of knowledge, or simply an oversight. We may perceive a threat that does not exist, or miss a real threat that is right in front of us. Several studies indicate that human error and mistakes account for the vast majority of cybersecurity breaches. For example, Kaspersky’s IT Security Economics in 2019 report tells us that “inappropriate IT resource use by employees” is the most common cause of a data breach. The UK Information Commissioner’s Office (ICO) study of 2019 security data breaches concluded that 90% were caused by human error.

Carelessness can be as simple as leaving your password on a sticky note on the keyboard, or failing to read the warning messages that pop up and clicking “Okay” anyway. Carelessness can occur because an employee is untrained or does not perceive information security as important. These careless employees are prime targets of hackers who develop malicious code.

Technology often outpaces an employee’s skills. It’s not uncommon to find that an employee feels that just as they acquired a solid understanding of a system or application, it was upgraded or replaced. Too much change in an organization is unsettling at best, and at worst, it can lead to portions of your workforce being inadequately trained. An untrained worker can unknowingly create a security weakness through omission. Failing to log off, for example, can leave the system exposed.

Another weakness is that people can be intimidated into weakening security controls. This can happen when a supervisor or an executive asks an employee to take shortcuts or bypass normal control procedures. The employee feels compelled to follow the instructions of individuals in power. The lack of leadership support for security policies is one reason security implementations fail.

Insiders

One significant threat to information security comes from the insider. The term “insider” refers to an employee, consultant, contractor, or vendor. The insider may even be the IT technical people who designed the system, application, or security that is being hacked. The insider knows the organization and may know the countermeasures and the applications. If insiders are from the IT department, they may know what is logged, what is checked and not checked, and may even have access to local accounts shared between administrators. As a result of this knowledge, they have a greater likelihood of bypassing the security controls and hiding their tracks. Hackers can hide their tracks by deleting or altering logs and time stamps.
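Two of the insider behaviours described above, covering tracks by deleting or backdating log entries and acting during a long weekend when nobody is watching, leave patterns a defender can check for in an append-only log. The following is an added example, not code from the textbook: it runs three simple integrity and timing checks over a constructed sample log. The log format, the holiday date and the business-hours window are assumptions for the illustration.

```python
from datetime import datetime, date

# Constructed sample log, one event per line:
#   <sequence number> <ISO timestamp> <user> <action> <result> <host>
# Entry 1004 is deliberately missing and entry 1006 is deliberately backdated
# to model the tampering the chapter describes.
SAMPLE_LOG = """\
1001 2024-05-24T16:55:02 alice login ok workstation-12
1002 2024-05-24T17:01:40 alice logout ok workstation-12
1003 2024-05-25T02:13:09 svc_backup login ok fileserver-01
1005 2024-05-25T02:40:51 dbadmin login ok db-01
1006 2024-05-25T02:20:00 dbadmin export ok db-01
1007 2024-05-28T08:05:13 bob login ok workstation-03
"""

# Assumption for the example: Monday 2024-05-27 is a company holiday,
# so Saturday through Monday form the long weekend.
HOLIDAYS = {date(2024, 5, 27)}
BUSINESS_HOURS = (8, 18)  # 08:00 inclusive to 18:00 exclusive, local time


def parse_log(text):
    """Turn the raw text into a list of dicts, keeping the original order."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        seq, ts, user, action, result, host = line.split()
        entries.append({
            "seq": int(seq),
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "result": result,
            "host": host,
        })
    return entries


def find_sequence_gaps(entries):
    """Missing sequence numbers suggest entries were deleted from the log."""
    seqs = [e["seq"] for e in entries]
    expected = set(range(seqs[0], seqs[-1] + 1))
    return sorted(expected - set(seqs))


def find_timestamp_regressions(entries):
    """An append-only log never steps backwards in time; a later entry with an
    earlier timestamp suggests the time stamp was altered."""
    return [cur["seq"]
            for prev, cur in zip(entries, entries[1:])
            if cur["ts"] < prev["ts"]]


def is_off_hours(ts, holidays=HOLIDAYS, hours=BUSINESS_HOURS):
    """Weekends, listed holidays, and anything outside business hours."""
    if ts.weekday() >= 5 or ts.date() in holidays:
        return True
    return not (hours[0] <= ts.hour < hours[1])


def find_off_hours_events(entries):
    """Events that happened when the office was closed and worth a second look."""
    return [e["seq"] for e in entries if is_off_hours(e["ts"])]


def run_checks(text=SAMPLE_LOG):
    """Run all three checks and return the flagged sequence numbers."""
    entries = parse_log(text)
    return {
        "sequence_gaps": find_sequence_gaps(entries),
        "timestamp_regressions": find_timestamp_regressions(entries),
        "off_hours_events": find_off_hours_events(entries),
    }


if __name__ == "__main__":
    for name, hits in run_checks().items():
        print(f"{name}: {hits}")
```

On the sample log the checks flag the deleted entry 1004, the backdated entry 1006, and the three events that occurred in the early hours of the Saturday. None of these is proof of wrongdoing on its own; the value is that the log itself has to be protected (forwarded to a system the insider cannot write to) before such checks mean anything, which is exactly the point the paragraph makes about insiders who know what is logged and what is not.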

Employees with a long history with the organization may pose a greater risk. These employees may be in a position of trust. These individuals have a sense of how the organization will respond to incidents and can tailor their attacks accordingly.

The motivation of an insider is not always greed. An individual may feel disgruntled for a variety of reasons, from feeling mistreated to being passed over for some reward or promotion. They may have some disappointment in their life outside work. The insider may simply have a sense of entitlement, “taking” the rewards they feel they have earned.

The Verizon 2021 Data Breach Investigations Report suggests that insiders are responsible for around 22% of security incidents.
