By Rex M. Lee
In my previous article, Social Engineering Security Attacks Part 1, we learned that a single security breach can cost an organization between $4.5 - $10+ million dollars, and that’s just to research the breach, according to IBM’s 2022 Cost of a Data Breach Report.
Part 1 highlighted some of the most common social engineering attacks. However, there are other attack vectors associated with social engineering attacks that we will examine here.
Social engineering attacks are simply defined as attacks centered on taking advantage of human psychology through deception in order to acquire confidential and protected information. This information includes:
Social engineering attacks date back to a time before the internet, computers, smartphones, mobile devices, and connected products. In fact, they date back to the beginning of time regarding spying, espionage, and sabotage. Social engineering attacks are simply “human hacking attacks”, aside from high-tech attacks, and are the most preventable of all attacks because they are insider related, with over 20% coming from the supply chain in today’s connected world.
The movie Wall Street (1987) featured many examples of low-tech social engineering hacks used to gain inside information on publicly traded corporations that could be exploited for financial gain through insider stock trading. One scene highlighted how a sophisticated social engineering attack occurs via a low-tech attack on a corporate law firm’s supply chain through their janitorial vendor.
Stock broker, Bud Fox (Charlie Sheen), notices a janitorial contractor gaining access to a corporate attorney’s office with sensitive client information. The janitorial company was hired to clean the firm’s offices and they held a treasure trove of insider corporate information that could be exploited through illegal insider trading activities on the stock market.
Rather than break the law to impersonate a janitor or hack the law firm’s network to gain access to highly confidential client files, he simply invested in the janitorial business by becoming a partner, which gave him keys to access highly secure areas within the businesses and law firms that had hired the janitorial company. This is a perfect example of a social engineering security hack through the target’s supply chain.
Another scene from the movie highlighted a “piggy-back” attack where Bud Fox had simply followed a high-level hedge-fund investor to a lunch he had with the CEO of a steel firm. The meeting between the investor and the CEO indicated a potential acquisition or merger, so Fox and his accomplice, Gordon Gecko (Michael Douglas) spread the rumor -- valuable insider trading information that was exploited to manipulate the stock price.
These two examples of low-tech social engineering attacks highlight the fact that not all hacks, attacks on networks, and physical attacks on critical infrastructure are associated with the internet or a sophisticated high-tech attack, but rather by way of preventable low-tech attack vectors.
We are seeing these types of insider attacks today regarding computer software, apps, and operating systems that are being used to hack information, conduct surveillance on end users of connected technology, plus launch a wide array of attacks on networks, including critical infrastructure.
All high-tech and low-tech social engineering attack vectors need to be addressed by a comprehensive security strategy that incorporates the following:
Today, most breaches, attacks on networks and on critical infrastructure, are associated with threats posed by nation-state actors from Russia and China, plus their proxies which Include N. Korea, Iran, Cuba, and even criminal organizations such as global cartels. Best practices should be centered on securing all attack vectors with proactive rather than reactive strategy.
Your global competition, including competition from adversarial countries, have adopted a top-down enterprise security strategy, plus they’re wargaming to put you out of business by any means possible (legal and illegal), according to FBI Director, Christopher Wray.
If your organization is in reactive mode only, it is a target that will not last long in today’s hyper geo-competitive world.
Rex M. Lee is a privacy and Cybersecurity advisor, tech journalist and a senior tech/telecom industry analyst for BlackOps Partners, Washington, DC. Find more information at CyberTalkTV.com