Social engineering is a technique of psychological manipulation that exploits weaknesses in human nature. The related GENAPORT / STUDIO services fall into several categories, each of which assesses how susceptible a company's employees are to manipulation:
- Spear phishing: a technique that targets a specific set of individuals with forged, highly customized emails.
- Vishing, or "voice phishing": a subset of phishing in which the attacker relies solely on voice communication as the means of exploitation.
An example scenario for a phishing attack can be seen below:
Recent industry research shows that more than 30% of all breaches leading to substantial data loss or information leakage are the result of successful social engineering attacks. It is widely believed that employees are the weakest link in a cybersecurity defense. Social engineering tests are therefore highly recommended, especially for large companies with many employees who handle sensitive information.
Kevin Mitnick, one of the most famous hackers of the 1990s and now an IT security consultant, says that social engineering is based on four main principles:
1) “We all want to help.”
2) “Our primary reaction is to rely on the other person.”
3) “We don't like to say no.”
4) “Everyone loves to brag.”
These principles are borne out by Chris Nickerson, founder of Lares, a US cyber-security consultancy that uses social engineering techniques to test the security of businesses. Armed only with information accessible to any internet user and a technician's shirt from a well-known telephone operator, Nickerson attempts (almost always successfully) to gain access to a company's offices and manipulate its computer systems, not covertly but in plain view of all the employees.
A short classification of the techniques:
- Passive: based on observation and behavioral analysis, reconstructing the "victim's" daily routine in order to build an approximate psychological profile.
- Indirect: based on requests for information by e-mail or telephone.
- Direct, but not aggressive: includes actions such as watching someone's house or searching for discarded personal information in the trash.
- Direct and aggressive: psychological pressure on the victim and identity theft.