There are countless examples of these encounters, from the famous Trojan horse left at the gates of Troy by the Greeks, to the modern-day exploits of Kevin Mitnick, or the hacking of the e-mail of former White House Chief of Staff John Podesta in 2016. What these three examples have in common is social engineering, today practised mostly in the digital world. Kaspersky Lab describes social engineering as “a manipulation technique that exploits human error to gain private information, access, or valuables.” While this definition may seem vague at first, it really does capture the whole point of a social engineering attack.
Never have hackers had it easier: all one needs is publicly available information, usually gathered from social media, or a 5-euro t-shirt, a couple of USB sticks and some charm, and many institutions and companies will happily open their server rooms for the “IT guy” from their ISP. In fact, the power of social engineering lies in its simplicity: a skilled attacker goes for the least-defended point in a given network, institution, or company, and that point, to put it bluntly, is not the systems but the people working there. It is much harder to break into a secured PC or laptop (at the very least, it is much more time-consuming) than to simply gain access to the receptionist’s PC for a few minutes, using some bravado and a bit of luck.
Unfortunately, people in North Macedonia have had their fair share of social engineering incidents; they are plastered over the front pages of the most-read websites in the country on an almost daily basis. A quick web search for the keywords “scam” and “Macedonia” returns hundreds of examples, and unsurprisingly, in the large majority of cases, social engineering is involved.
So, what can we do to better protect ourselves against these kinds of attacks? Here are three general rules that apply to most situations in which a social engineering attack is carried out. Follow these guidelines to better protect not just your personal data, but your company’s and organization’s data, too.
Take. Your. Time.
Whether it’s an e-mail urgently asking you to reset your password because of a possible data breach, or a suspiciously charismatic visitor in your offices, remember to take your time and hold your ground. Most successful attacks involve some manipulation of a person’s feelings, or pressure to act quickly without second-guessing.
Sometimes a phishing e-mail is so well crafted that it is extremely hard to tell whether it is real. However, there are things you can check in the message itself: whether the sender’s address actually matches the displayed name and the organization it claims to be from, whether a Reply-To address points somewhere else, whether the link text and the link’s real destination are the same, and whether the message insists on immediate action. A critical mindset, especially towards time-sensitive requests, will help you stay cool under “pressure”, and may well prevent you from infecting your computer with dangerous malware.
And when it comes to those over-confident office visitors who “just need to use your printer really quickly”: never allow them to plug their own USB sticks into any office equipment, and never let them out of your sight. Recovering data after a successful ransomware attack, which can be launched from an infected USB drive, can cost the company a small fortune.
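The checks described above (urgency language, a Reply-To that does not match the sender, failed SPF/DKIM results, and link text whose domain differs from the real target) can be applied mechanically to a raw e-mail. The following Python script is an added example written for this article, not code from the original page or from any vendor; the two sample messages are constructed, the domains in them are fictitious, and the “registrable domain” helper is a deliberate simplification that does not consult a public-suffix list.

```python
"""Flag common phishing indicators in a raw RFC 5322 e-mail.

Added example for this article (not code from the original page).
Assumptions: the message is supplied as text with headers and body,
and the 'registrable domain' is approximated as the last two labels of
a host name (no public-suffix list is consulted).
"""
from email import policy
from email.parser import Parser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases typical of the "act now, don't think" pressure described in the text.
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "account will be suspended")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host):
    """Last two DNS labels, e.g. portal.example.com -> example.com (simplification)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw_message):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    findings = []

    # 1. Urgency / coercion language in subject or body.
    subject = str(msg.get("Subject", ""))
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    hits = [w for w in URGENCY_WORDS if w in (subject + " " + body).lower()]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # 2. Reply-To pointing at a different domain than the visible sender.
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _registrable(reply_to.split("@")[-1]) != _registrable(from_addr.split("@")[-1]):
        findings.append(f"Reply-To domain differs from From: {reply_to} vs {from_addr}")

    # 3. Failed sender authentication as recorded by the receiving mail server.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech} failed per Authentication-Results")

    # 4. Link text that looks like a URL but leads somewhere else.
    if body_part is not None and body_part.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(body)
        for href, shown in collector.links:
            if " " in shown or "." not in shown:
                continue  # plain label such as "HR portal": nothing to compare
            target_host = urlparse(href).hostname or ""
            shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
            if _registrable(shown_host) != _registrable(target_host):
                findings.append(f"link text {shown!r} points to {target_host}")
    return findings


# Constructed sample messages (fictitious domains), not real captured mail.
SAMPLE_PHISH = """\
From: "IT Support" <helpdesk@examp1e-corp.com>
Reply-To: recovery@mailbox-reset.example
To: user@example.com
Subject: URGENT: password reset required within 24 hours
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e-corp.com; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended unless you reset your password now.</p>
<p><a href="http://example.com.reset-portal.test/login">https://portal.example.com/reset</a></p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "Payroll" <payroll@example.com>
To: user@example.com
Subject: May payslip available
Authentication-Results: mx.example.com; spf=pass; dkim=pass header.d=example.com
Content-Type: text/html; charset="utf-8"

<html><body><p>Your payslip is in the <a href="https://hr.example.com/payslips">HR portal</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(sample) or ["no indicators"])
```

Each finding maps to one of the manual checks above; none of them is proof on its own (a legitimate IT notice can be urgent, and SPF fails on some forwarded mail), but two or more together are a strong signal to slow down and verify through another channel.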
Verify, verify, verify.
While it sounds innocent enough, verifying information is often your saviour when it comes to mitigating a social engineering attack. This is not to say that verification on its own is a fool-proof defence: the verification process itself can become the target of an attack, rendering it useless. Nevertheless, verification is one of the most powerful tools in your arsenal, and having the patience and level-headedness to perform the necessary, often legally required, verification checks can prove hugely valuable to your data.
Hackers posing as a legal authority, your ISP, or just another “technician on call” for the HVAC system in your office will have a hard task on their hands: proving the identity they claim. Often a single call to the organization’s officially listed office number, looked up by you rather than supplied by the visitor, is enough to settle the matter, and will probably end with them storming out of your offices citing “unprofessional behaviour” on your end, or worse.
Be warned, though: it is not unusual for hackers to work in pairs or even in groups. So when you are offered the chance to verify their identity via their supervisor or boss, for whom THEY provide the number, stay vigilant and sceptical: you might just be talking to their accomplice, playing exactly the role they expected you to believe in.
Practice cyber hygiene
Cyber hygiene, much like personal hygiene, consists of simple, everyday routines that, when correctly applied, minimize the risk of “infection” from the cyber realm. At the same time, strong cyber hygiene helps build “immunity” against certain cyber threats.
The analogy with personal hygiene is no accident; both rest on almost identical grounds, one of which is that every one of us is responsible for our own hygiene, and when everyone practises strong (cyber) hygiene, the company, the organization, or even the nation becomes much more secure and resilient against all kinds of threats.
So, what is the “hand-washing” of cyber hygiene, and what can every one of us do, with our own time and resources, to become more resilient to (online) viruses?
While there are common practices that just about everyone can employ, we have to note that every company, institution, organization is different: their data management and transfer, the hardware they employ, the human aspects, like administrator privileges and levels of access, just to name a few – all define what a strong cyber-hygiene approach would dictate.
In general, using a recommended, privacy-oriented browser (like Mozilla Firefox), properly configured with the necessary extensions, could be your everyday “hand-washing” moment. Another thing just about everyone can do is make sure every one of your devices is up to date with its software, and turned off when not in use for a prolonged period.
Not visiting suspicious websites (about which your browser will often warn you), using a VPN, and never leaving your laptop unattended in the open (in a café, for instance) are just some of the steps you can start taking today. It is also worth noting that while strong cyber hygiene will help you prevent some threats, it is far from enough against sophisticated, targeted attacks on your company or organization. For those, having security policies and an incident response plan in place, as well as cyber-security professionals, can make all the difference.
Bonus tip: always follow your company’s (or organization’s) security policies, and make sure everyone else follows suit!
As mentioned above, having internal policies and practices in place can make the colossal difference between being totally overwhelmed by a cyber incident and deflecting one with minimal disruption to work. Strong cyber-security policies should cover physical security (e.g. a “USB policy” and the so-called “clean desk” policy), incident reporting procedures, and much more.
The real issue, however, is that while having those policies and procedures in place is a valiant effort, actually implementing them can be ten times harder. Convincing your colleagues, associates, and sometimes even management of the basic need to put these policies into practice can be an uphill battle. Some have a hard time seeing the value of an incident response procedure, and many will fall back on the familiar “this has never happened to us before” or “we are not important enough to be a target”.
If you are in an environment where data is not valued (not really, anyway), it is up to you to convince your peers that everyone’s data is valuable. Cyber-criminals rarely go after well-defended points of access: if a simple USB print job in your accounting office will do the trick, access has already been served “on a silver platter”, and your data and privacy are already compromised.