What is Social Engineering & How to Prevent it.

The concept of “social engineering” refers to a variety of malicious activities that are carried out through human interactions.It manipulates users’ minds to make them make security mistakes or giving away sensitive information. So in simply Social Engineering is manipulating people to give up their sensitive information. The theory behind social engineering is that humans have a natural tendency to trust others, which makes it easier to trick someone into divulging personal information than it is to hack an account.

Social engineering attacks are carried out in a series of steps.So first the attacker studies the target victim to collect appropriate background information, such as possible points of entry and weak security protocols.The attacker then works to obtain the victim’s trust and provide stimuli for future acts that violate security protocols, such as exposing sensitive information or granting access to critical resources.

Social Engineering Attack Lifecycle

Common types of Social Engineering

  1. Phishing attacks
  2. Piggybacking attacks
  3. Baiting
  4. Quid pro Quo
  5. Pretexting attacks

Phishing attacks

Phishing is a popular type of social engineering attack that occur in the form of an email, chat, web ad, or website that pretends to be a real system, user, or organization. Phishing messages are designed to create a sense of urgency or anxiety, with the intention of obtaining confidential information from the recipient. A phishing message may come from a bank, the government, or another organization. The call to actions vary. Some ask the end user to “verify” their login information of an account and include a mocked-up login page complete with logos and branding to look legitimate. Some claim the end user is the “winner” of a grand prize or lottery and request access to a bank account in which to deliver the winnings. Some ask for charitable donations (and provide wiring instructions) after a natural disaster or tragedy.

Piggybacking attacks

When an unauthorized person physically follows an authorized person through a restricted organizational environment or structure, this is known as piggybacking or tailgating.When a hacker calls out to an employee to keep a door open for them because they’ve lost their ID card, that’s a tried-and-true way of piggybacking. Another strategy is to ask a coworker to “borrow” his or her laptop for a few minutes.during which the criminal is able to quickly install malicious software.

Baiting

Baiting entices the victim into the social engineering trap by placing something appealing or interesting in front of them.In order to trick the user into trying to offer credentials, a baiting scheme might provide a free music download or a gift card.At a conference, a social engineer could give out free USB drives to participants.The user may think they are receiving a free storage device, but the attacker may have installed remote access malware that infects the machine when it is plugged in.

Quaid Pro Quo

Quid pro quo is similar to baiting in that it entails a hacker requesting sensitive data or login credentials in return for a service. For example, a hacker posed as a technology specialist might call a user and give free IT help or technology upgrades in return for login credentials. Another typical scenario is where a hacker poses as a researcher and requests access to the company’s network in exchange for $100 as part of an experiment.If a deal seems to be too good to be valid, it is most likely quid pro quo.

Pretexting attack

Pretexting, the human version to phishing, occurs when a hacker establishes a false sense of confidence with an end user by impersonating a coworker or a source of authority well-known to the end user in order to gain access to login information. An email from what seems to be the head of IT support or a chat message from an investigator who claims to be performing a corporate audit are examples of this kind of fraud. Pretexting is very successful because it weakens people’s defenses against phishing by instilling the belief that everything is real and secure to communicate with. Pretexting emails are especially effective at obtaining passwords and business data because impersonators may appear authentic, so it’s important to have a third-party backup provider .

How to Stay Protected Against Social Engineering

A few best practices you can follow to ensure you’re protecting yourself from social engineering attacks include:

  1. Never provide financial information or passwords in response to a message or an email because legitimate businesses would never ask for sensitive details in an email or a message so keep in mind.
  2. Adjust the spam filters if necessary.Spam filters are built into every email program so make sure yours is set too high to block out future attacks.
  3. Secure your computer devices and accessories.This includes using anti-virus apps, firewalls, and email filters to secure your digital space.
    It also entails safeguarding disk drives, portable hard drives, and other potentially vulnerable devices.
  4. Use multi-factor authentication because user credentials are one of the most useful pieces of information for attackers in modern days. In the case of a device compromise, multi-factor authentication will further secure your account.
  5. In any organization it is important for all employees to be aware of the different types of social engineering in order to ensure organizational protection.It is much more likely for consumers to stop falling for these attacks once they are aware of the key features of these attacks.
  6. Reject requests for help or offers of help. Legitimate companies and organizations do not contact you to provide help if you did not specifically request assistance from the sender, consider any offer to ’help’ restore credit scores, refinance a home, answer your question, etc. Similarly, if you receive a request for help from a charity or organization that you do not have a relationship with, delete it.

what is encryption?

Encryption is the method/process of encoding which is information is converted into secure code that hide the information actual meaning so that only the authorized parties can read or access the data. So once they received they can be decrypted . In computing, unencrypted data is also known as plain text, and encrypted data is called ciphertext.

Encryption is a two way function. when you encrypt something, you are doing so with the intention of decrypting it later. In computing the science of encryption and decryption is called cryptography. I will hope to publish a separate article regarding cryptography.

Hashing

Hashing is a one way process that uses an algorithm to take data and convert it to a fixed length known as hash value.Hashing is commonly used to verify the integrity of data, commonly referred to as a checksum. If two pieces of identical data are hashed using the same hash function, the resulting hash will be identical. If the two pieces of data are different, the resulting hashes will be different and unique.

Salting

Salting make passwords more secure in the process of Hashing. It’s a unique value that may be a text numerals,symbols or combinations of them, which are added to the password before it generate a hashed value.

So I hope that you will get an idea about the social engineering, types of social engineering and how to prevent from it. Also I gave an overview of encryption, hashing and salting. So let’s meet in another article.

Associate Software Engineer at Virtusa