TTS 2023 calendar is NOW LIVE. Download: Calendar List

Social Engineering Security Attacks: What You Need To Know

Social Engineering Security Attacks: What You Need To Know!

 

According to IBM’s 2022 “Cost of a Data Breach Report”, aside from legal fees the average cost of a breach is approximately $4.5 million dollars globally and nearly $10 million dollars in the United States.

The IBM report states that 90% of all breaches occur due to human error. Out of that, most are associated with social engineering security attacks, including the following preventable attacks:

  • Phishing, Spear Fishing, & Whaling- Email Attacks, Targeted Email Attacks, and High Value Email Attacks Centered on Sr. Executives & Board Members
  • Vishing & Smishing- Attacks Launched by Intrusive Apps, Leaky Operating Systems, Smartphones, SMS, Text Messages, & Mobile Devices
  • Pretexting- Fraudulent Outsider/Insider Attacks by Impersonating Board Members, Executives, Management, & Employees
  • Baiting- Attackers Use Pride, Ego, Honey Pots, Greed, Money, & Gifts to Entice Victims into Acquiring Passwords, IDs, Online Access to Confidential Data, or to Launch Online or Onsite Attacks on Networks, Including Critical Infrastructure
  • Tailgating & Piggybacking- Physical Onsite Attack by Way of Following Authorized Personnel into Restricted Areas
  • Quid Pro Quo- Insider & Supply Chain Security Breaches/Attacks by Way of Trade for Money, Services, or other Valuable Assets
  • Shoulder Surfing- Attackers Simply Glean Information by Viewing Manually Entered Passwords, Computer Displays, Open Laptops, or Unattended PC 
  • Favors & Good Deeds- Attackers Ask Employees to Print Documents or Open Documents/Files from Unauthorized External Thumb Drives that Contain Malware

Although these types of attacks are nearly 100% preventable, most companies do not have the right incident response policies in place to prevent these attacks in the first place.

This is because most companies do not employ an Incident Response Team (IRT) to address security attacks, both online and physical onsite attacks.

As a result of not having good policies managed by a capable IRT, most companies remain vulnerable to many attack vectors, including those associated with nation-state attackers/hackers from adversarial countries or even bad actors from business competitors or criminal organizations.

Social engineering attacks are nearly 100% launched for monetary purposes. However, some attacks centered on critical infrastructure are centered on causing chaos, destruction, and physical harm, including death.

Whatever the reason for an attack, all organizations, businesses, major corporations, and government entities need to adopt strong social engineering security attack policies managed by a competent IRT who is familiar with the network from the enterprise to the edge.

An incident response team does not have to be made up of new personnel adding cost to your bottom line. In fact, most IRTs include existing employees and contractors such as:

  • Senior Executives- CISO, CIO, CSO, and IT Management
  • Internal IT/Help Desk Personnel/Management
  • IT Employees/Management and Security IT Vendors/Contractors (Key Supply Chain Security Personnel)
  • Application Developers, Engineers, and Database Admin
  • Legal/Corporate Counsel

A good IRT includes any key personnel that touches the network, including critical infrastructure, at the local to enterprise levels, as well as end points/at the edge.

There are some costs associated with organizing and maintaining a good IRT, but it could be worse. The price of a single network and/or security breach can cost more than $10 million dollars when physical damage is done to a network, including critical infrastructure, or if financial or physical harm occurs as a result of the breach.

In part 2 of this article series, we will look at attack vectors and best practices, which consists of polices centered on proactive and reactive measures in dealing with localized to enterprise security events and/or attacks.

Bio

Rex M. Lee is a Privacy and Cybersecurity Advisor, Tech Journalist and a Senior Tech/Telecom Industry Analyst for BlackOps Partners, Washington, DC. Find more information at CyberTalkTV.com