Social engineering: malware for the mind
Organisations strengthen their security to stop criminals getting in, but often don’t think enough about who they let in. When we think of malware, we usually think about programmes that infiltrate IT systems for the purpose of cyber crime. However, the human brain is often far easier to fool than security software. Humans have conventions, social status, assumptions, and conditioning that IT doesn’t have. Relatively simple tricks can catch out just about anyone, which means people are often the most vulnerable element in a security system. That’s why social engineering is malware for the mind.
You’ve probably heard of phishing, and possibly even encountered it. A cyber criminal pretends to be someone unknown but legitimate-looking (like a prospect, or a regulator), or someone specific (like a boss or client), and sends a message to encourage the recipient to download or click something.
Phishing is the most common method of entry for ransomware — 54% of ransomware attacks come through a phishing attack.
There’s a more recent innovation to phishing known as ‘sock puppeting’. That’s when an attacker emails the target, but CCs other email addresses which they also control. They’re then able to conduct an ongoing email thread, playing several characters in the conversation. It then looks even more like a legitimate exchange.
Phishing exploits our diligence and busyness. When there’s a lot going on, but you want to be helpful to a client or a colleague, it’s very easy to do what they ask and click on something they send.
Physical social engineering
Many organisations invest heavily in keeping their computer systems safe from other computer systems. However, there’s often not enough thought about how people can get on to your premises and compromise your security.
It seems that we’re all easily put at ease by a ladder or a hi-vis jacket — both together are even more powerful. If someone looks the part and acts like they’re meant to be there, it’s likely that nobody will question them, and quite possibly someone will help them get in.
Once someone is in your office, they can steal hardware or data. They can also leave things in your office. One of those things might be something like a USB stick, which allows them to use the next piece of social engineering…
The use of USB sticks is declining, but half of people who find one will plug it in to their device. It might be convenience or curiosity that makes us do it, but once it’s plugged in, a USB can infect the computer and the whole system with malware.
Even if fewer people use USB sticks, the psychology is the bigger concern than the method. USB sticks might go the way of the floppy disk, but whatever drives people to plug in an unknown device, could make them do the same with other hardware.
If 50% of your team would plug in something just because they found it, then the odds of success for a USB baiting attack (or similar) are huge. You might have felt it’s patronising to educate your staff not to use an unknown device. Knowing that half of them might, you know it’s not too condescending.
Protecting your organisation against social engineering attacks
Social engineering exploits patterns of human thought and quirks of our behaviour. The best prevention measure is a mindset shift within your organisation. There’s no need for paranoia, but healthy scepticism will go a long way.
That is an imperfect barrier, so it’s likely that something will get through eventually. In that case, you need another line of defence. Security providers like Sophos offer Managed Detection and Response (MDR), which spots threats as they infiltrate a system, notify the owner, and neutralise the attack before it takes hold.
It gives a tremendous boost to your peace of mind to know that if all else fails, you have a system in place to ensure that an attack doesn’t go by undetected. Any damage is kept to an absolute minimum. You can then assess how to strengthen your system against future attacks.
You don’t need to wait until you’re attacked to find out where your weaknesses are. Get in touch for your FREE SECURITY REVIEW and find out what you need to do to stay safe.
Sophos Endpoint Protection is the latest in anti-virus, ransomware and endpoint security solutions. With the Intercept-X range of products we are now able to protect your devices from the latest cyber threats. This includes key anti-ransomware protection to stop the attacks at source and protect your business systems and data. Along with the base features the Sophos suite is also able to provide services for Mobile Device Management, Device Encryption and Web Filtering to add additional layers of security and meet GDPR and Cyber Essentials standards.