Social Engineering
The human factor comes at first as one of the most important factors that seriously threaten cyber security and make it easier to overcome security measures. In social engineering, the weaknesses of people, instead of technical infrastructures and systems, are abused.
“The chain is as strong as its weakest ring. And here, the weakest ring is the human.”
What is Social Engineering?
Social engineering is a type of psychological attack that allows you to act in a manner that attackers want. It's the art of getting people to do the things, they normally wouldn't do, for anyone they don't know. It is the acquisition of information by deceiving people rather than using technology.
People think it is a hundred to one that they are deceived. The attackers, being aware of this common belief, present their wishes very cleverly, and exploit the trust of the victims by arousing any suspicion.
Such concepts as deceiving, tricking and defrauding are those concepts that have existed for thousands of years. However, the attackers have discovered that using this technique in a digital environment is also extremely effective. In order to understand how this technique is used, it is useful to look at the common examples of today.
Although Social Engineering is similar to fraud in its simple definition, it is a method that can be used to leak information or leak into an information system. In this method, the attackers do not generally face the victims. And the factor, abused, is not system weaknesses, but the human weaknesses.
It is necessary to make an exemplification by moving from the weaknesses, it can be mentioned that important information about institutions and individuals can be reached through the information, which has not lost its validity, and found on the non-destructed documents that can be found in the garbage of the institutions or individuals.
- Your information could be obtained by others.
- The dignity and image, in society, of the institution or organization, you are affiliated with, may be damaged.
- Hardware, software, data and corporate employees may be damaged.
- Access to important data may be blocked, monetary and time losses can be experienced.
Social Engineering Techniques
- Shoulder Surfing
- Garbage Mixing
- Trojans
- Role play
- Phishing
- Reverse Social Engineering
Social Engineering Leaking Targets
- Capturing the System
- Access to Critical Information
- Providing Access to Target Systems
- Acquiring Administrative Rights
- Being Permanent in the System
- Privacy
Social Engineering Leaking Kinds
- Physical Social Engineering
- Social Engineering by Phones
- Social Engineering by Mails
How Should We Protect Ourselves?
In order to protect yourself, the first thing you need to do is learn how to detect, prevent, and stop social engineering attacks.
If you suspect that someone or some people are trying to target you, never contact that person again. If those are trying to contact you over a phone line, turn off the phone. If you are in online chat, terminate your connection. If it's an email coming from a place that you don't trust, do not download attachments and delete the email in question. If you think there is an attack on your organization or workplace, immediately notify the workplace help desk or the relevant security experts. The screenshots, which you will record in all these stages, will be of great importance in the next process.
What Kind of Precautions Should Be Taken So As To Prevent Possible Attacks?
Do Not Share Your Personal / Private Information: The more information the attackers have about you, the easier it is possible for them to reach you and mislead you in order to make you do what they want. Not all information should be shared on the internet. Your simple posts about yourself can be brought together over time by ill-intentioned people so as to learn about your whole life. The less information you share (forum websites, e-mail addresses or social media websites) the less risk of your being attacked is.
Do Not Share Your Passwords: No institution or organization contacts you to ask for your password. If someone asks you for your password, it's a social engineering attack.
Question Those People, Who Try to Contact You: You can be called by enterprises such as your banks or service provider. If you have any doubts about the calling people, you may ask the name the people calling you and phone numbers belonging to them and can find the phone number of the related organization from a reliable source. (For example, from the numbers written on your bank statement or the numbers on your phone bills). Therefore, you can be sure that you are really talking to the authorized personnel when you call the institution or organization in question.
Check URL / Address: One of the most important factors of not getting caught in phishing attacks is to check the address in the browser. A character change in the address bar that can be missed can lead to undesired consequences.
Be Careful About Unreliable Sources: When you want to download a file, you should download it from reliable sources and, if it is possible, from the verified producers, and regularly scan your computer for viruses.
Perform Periodically Information Security Tests in the Organization: Employees of the institution should periodically receive information security training and be subjected to leaking tests. Antivirus software should be installed on all computers, and documents that need to be thrown away must be passed through paper shredder machines. People who come to the institution as visitors must present their identity cards and they must be accompanied by the employees of the institution.
“The safest computer is the one that has no internet connection and that is shut down. However, there is a possibility that the attackers can go to the office and persuade anyone to turn on the computer.”
Follow “Siberay”
© 2020 Department of Combating Cyber Crimes