TTS 2023 calendar is NOW LIVE. Download: Calendar List

Social Engineering Security Attacks: What You Need To Know Part 2

Social Engineering Security Attacks:

What You Need To Know Part 2

By Rex M. Lee

 

Graphical user interface, application

Description automatically generated

 

In my previous article, Social Engineering Security Attacks Part 1, we learned that a single security breach can cost an organization between $4.5 - $10+ million dollars, and that’s just to research the breach, according to IBM’s 2022 Cost of a Data Breach Report.

Part 1 highlighted some of the most common social engineering attacks. However, there are other attack vectors associated with social engineering attacks that we will examine here.

Social engineering attacks are simply defined as attacks centered on taking advantage of human psychology through deception in order to acquire confidential and protected information. This information includes:

  • Business, personal, legal, medical, and family information
    • Information used for blackmail and/or to gain leverage over the individual
  • Employment, board member, senior executive, management, and employee information
  • Network and critical infrastructure information
  • Intellectual property (IP), patents in development, and trade secrets
  • Sensitive insider stock information
  • Onsite/on-primus security information
  • Classified information, military information, and weapons systems information
  • Vulnerabilities within networks and critical infrastructures
  • Confidential personal information
  • IDs, credentials, and passwords

Social engineering attacks date back to a time before the internet, computers, smartphones, mobile devices, and connected products. In fact, they date back to the beginning of time regarding spying, espionage, and sabotage. Social engineering attacks are simply “human hacking attacks”, aside from high-tech attacks, and are the most preventable of all attacks because they are insider related, with over 20% coming from the supply chain in today’s connected world.

The movie Wall Street (1987) featured many examples of low-tech social engineering hacks used to gain inside information on publicly traded corporations that could be exploited for financial gain through insider stock trading. One scene highlighted how a sophisticated social engineering attack occurs via a low-tech attack on a corporate law firm’s supply chain through their janitorial vendor.

Stock broker, Bud Fox (Charlie Sheen), notices a janitorial contractor gaining access to a corporate attorney’s office with sensitive client information. The janitorial company was hired to clean the firm’s offices and they held a treasure trove of insider corporate information that could be exploited through illegal insider trading activities on the stock market.

Rather than break the law to impersonate a janitor or hack the law firm’s network to gain access to highly confidential client files, he simply invested in the janitorial business by becoming a partner, which gave him keys to access highly secure areas within the businesses and law firms that had hired the janitorial company. This is a perfect example of a social engineering security hack through the target’s supply chain.

Another scene from the movie highlighted a “piggy-back” attack where Bud Fox had simply followed a high-level hedge-fund investor to a lunch he had with the CEO of a steel firm. The meeting between the investor and the CEO indicated a potential acquisition or merger, so Fox and his accomplice, Gordon Gecko (Michael Douglas) spread the rumor -- valuable insider trading information that was exploited to manipulate the stock price. 

These two examples of low-tech social engineering attacks highlight the fact that not all hacks, attacks on networks, and physical attacks on critical infrastructure are associated with the internet or a sophisticated high-tech attack, but rather by way of preventable low-tech attack vectors.

We are seeing these types of insider attacks today regarding computer software, apps, and operating systems that are being used to hack information, conduct surveillance on end users of connected technology, plus launch a wide array of attacks on networks, including critical infrastructure.

All high-tech and low-tech social engineering attack vectors need to be addressed by a comprehensive security strategy that incorporates the following:

  • Adopting a top-down enterprise security strategy
    • Board members, sr. execs, management, frontline employees, and supply chain
  • Network and endpoint cybersecurity- tactical level
    • Network security, operating systems, apps, software, smartphones, tablet PCs, connected products, PCs, wearable tech, connected vehicles, and IoT/IIoT devices
    • Includes all supply chain vendors associated with all threat vectors concerned
  • Adopting an Incident Response Team (IRT)
    • IT/security personnel, key supply chain security personnel, admin, sr. execs, board Members, and frontline employees
    • Collectively, all IRT members should create polices and implement best practices
  • Wargaming and corporate counterintelligence
    • All IRT members, including contractors, should implement wargaming to include proactive and reactive measures including corporate counterintelligence
    • Consider business opportunities in adversarial countries as threat vectors that need to be addressed
  • Hire professional security, risk aversion, and corporate intelligence firms
    • Mobile device, security, and expense management firms
      • Includes vendors such as My Smart Privacy
    • Risk aversion, cybersecurity, and global corporate intelligence firms
      • Includes vendors such as BlackOps Partners, Washington, DC

Today, most breaches, attacks on networks and on critical infrastructure, are associated with threats posed by nation-state actors from Russia and China, plus their proxies which Include N. Korea, Iran, Cuba, and even criminal organizations such as global cartels. Best practices should be centered on securing all attack vectors with proactive rather than reactive strategy.

Your global competition, including competition from adversarial countries, have adopted a top-down enterprise security strategy, plus they’re wargaming to put you out of business by any means possible (legal and illegal), according to FBI Director, Christopher Wray.

If your organization is in reactive mode only, it is a target that will not last long in today’s hyper geo-competitive world.

 

Rex M. Lee is a privacy and Cybersecurity advisor, tech journalist and a senior tech/telecom industry analyst for BlackOps Partners, Washington, DC. Find more information at CyberTalkTV.com