Organizations that are the target of social attacks can suffer significant data loss and reputational damage, and in severe cases the damage is permanent. An organization needs to understand the risks posed by social attacks and take steps to protect itself, including educating employees about social engineering and implementing policies and procedures that prevent data loss.
According to the Verizon 2022 Data Breach Investigations Report (DBIR), the human element was involved in 82% of breaches, and social attacks account for a substantial share of those. Malware and stolen credentials are the usual second step once a social attack has got the actor in the door, which is why a strong overall security posture matters even when the initial access is gained through a person rather than a system.
Whether through stolen credentials, phishing, misuse of information, or simple error, people continue to play a significant role in incidents and breaches alike. This trend is likely to continue, and steps need to be taken to mitigate the risk posed by the human element.
One example of a data breach in which human error played a central role is the 2017 Equifax breach. Equifax had been notified of a critical vulnerability in the Apache Struts framework used by one of its customer-facing web applications, but the patch was never applied to the affected system. Attackers exploited the unpatched flaw and gained access to the personal information of more than 145 million people.
Another example is the 2015 Anthem data breach, in which employees fell for spear-phishing emails. This enabled attackers to gain access to their accounts and steal sensitive information belonging to nearly 80 million people.
The Top Drivers of Social Attacks
The top drivers of social attacks are phishing, spear-phishing, and broader social engineering.
While these are the most common types of social attack, other methods, such as water-holing and baiting, also exploit human nature rather than software flaws.
1. Phishing
Phishing is the most common type of social attack, accounting for the large majority of all social attacks. The Anti-Phishing Working Group (APWG), formed in 2003, defines phishing as “a criminal method that uses both social engineering and technological tricks to gain credentials from victims.” It typically involves sending emails that appear to come from a trusted source, such as a financial institution or online retailer, to trick the recipient into clicking a link or opening an attachment that installs malware or directs them to a fraudulent website.
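The indicators described above (a message that "appears to be from a trusted source" but points somewhere else) can be checked mechanically. As an added example, not taken from the original article, the following Python script examines a raw email for four such indicators: a display name that borrows a trusted brand while the address uses another domain, a sender domain that is a look-alike of a trusted one, a Reply-To that routes replies elsewhere, and link text that shows one host while the href leads to another. The two sample messages and the trusted-domain list are constructed for illustration; the list stands in for whatever allow-list an organization maintains.

```python
"""Surface common phishing indicators in a raw RFC 5322 message.

Added example, not from the original article. The two sample messages and the
trusted-domain list below are constructed for illustration only.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list of brand domains an organization wants to protect.
TRUSTED_DOMAINS = ("example-bank.com", "paypal.com")

# Visible link text that looks like a URL or bare hostname ("click here" is skipped).
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[A-Za-z]{2,}(?:/\S*)?")


def registrable(host: str) -> str:
    """Return the last two labels (naive: ignores multi-label suffixes such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalize_domain(domain: str) -> str:
    """Undo common look-alike substitutions: paypa1.com -> paypal.com, rnicrosoft -> microsoft."""
    d = domain.lower().replace("vv", "w").replace("rn", "m")
    return d.translate(str.maketrans("0135", "oles"))


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_message(raw: str) -> list[str]:
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    display_name, from_addr = parseaddr(str(msg["From"] or ""))
    from_domain = domain_of(from_addr)

    # 1. Display name borrows a trusted brand while the address belongs to another domain.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in display_name.lower() and registrable(from_domain) != trusted:
            findings.append(f"display name mentions '{brand}' but From domain is {from_domain}")

    # 2. Sender domain is a look-alike of a trusted domain.
    if from_domain not in TRUSTED_DOMAINS and normalize_domain(registrable(from_domain)) in TRUSTED_DOMAINS:
        findings.append(f"look-alike sender domain {from_domain}")

    # 3. Replies are silently routed to a different domain than the visible sender.
    reply_addr = parseaddr(str(msg["Reply-To"] or ""))[1]
    if reply_addr and registrable(domain_of(reply_addr)) != registrable(from_domain):
        findings.append(f"Reply-To {reply_addr} does not match From domain {from_domain}")

    # 4. Visible link text names one host while the href goes somewhere else.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = urlparse(href).hostname or ""
            if URL_LIKE.fullmatch(text):
                shown_host = urlparse(text if "://" in text else "//" + text).hostname or ""
                if registrable(shown_host) != registrable(href_host):
                    findings.append(f"link text shows {shown_host} but href goes to {href_host}")
            if registrable(href_host) not in TRUSTED_DOMAINS and normalize_domain(registrable(href_host)) in TRUSTED_DOMAINS:
                findings.append(f"look-alike link host {href_host}")
    return findings


# Constructed sample: brand in display name, digit-for-letter sender domain,
# foreign Reply-To, and a link whose text and target disagree.
PHISHING_SAMPLE = "\n".join([
    'From: "PayPal Support" <security@paypa1.com>',
    "Reply-To: ops@mailer-xyz.net",
    "To: victim@example-bank.com",
    "Subject: Action required: confirm your account",
    "MIME-Version: 1.0",
    'Content-Type: text/html; charset="utf-8"',
    "",
    '<html><body><p>Please <a href="http://paypal.com.account-verify.net/login">'
    "https://www.paypal.com/signin</a> within 24 hours.</p></body></html>",
])

# Constructed sample of a legitimate message for comparison.
BENIGN_SAMPLE = "\n".join([
    'From: "PayPal" <service@paypal.com>',
    "To: victim@example-bank.com",
    "Subject: Your receipt",
    "MIME-Version: 1.0",
    'Content-Type: text/html; charset="utf-8"',
    "",
    '<html><body><p>View it at <a href="https://www.paypal.com/activity">'
    "https://www.paypal.com/activity</a>.</p></body></html>",
])

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, analyze_message(sample) or ["no indicators"])
```

The heuristics are deliberately simple: `registrable` takes the last two labels, so it misjudges suffixes such as `co.uk`, and `normalize_domain` only covers a handful of character swaps. In a real filter these checks complement, rather than replace, SPF/DKIM/DMARC results and a curated brand-domain list.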
2. Spear-phishing
Spear-phishing is a more targeted form of phishing aimed at a specific individual or organization. The attacker researches the target and crafts an email that appears to come from a trusted source and contains information relevant to the victim, making it more likely that they will click the link or open the attachment and download malware.
3. Social engineering
Social engineering is another common type of social attack that relies on human interaction to trick people into revealing sensitive information or performing actions, such as infecting their own system with malware. Attackers may use techniques such as pretexting (posing as someone else), tailgating (following someone into a secure area), and dumpster diving (searching trash for sensitive information) to gain unauthorized access to a system.
4. Water-holing
Water-holing is a less common social attack that involves compromising websites or other online resources likely to attract targets of interest. When a target visits the compromised site, they may unknowingly download malware or be redirected to a fraudulent website.
5. Baiting
Baiting is another form of social engineering in which an attacker leaves a physical device, such as a USB drive, in a public place, hoping someone will find it and plug it into their computer. The drive may carry malware intended to infect the system and give the attacker quiet, persistent access.
Strategies to Prevent Cyber Attacks
There is no one-size-fits-all approach to security, and each organization must decide which security model suits it best. However, it is now more critical than ever to:
1- Strictly authenticate and authorize every user and device, under a dynamic policy, before granting access to any resource;
2- Secure all communication, regardless of network type or location, with end-to-end encryption;
3- Classify data and encrypt it wherever possible; and
4- Use analytics to monitor and measure the integrity and security posture of all owned and associated assets.
Training and Awareness
Having policies and procedures in place for handling sensitive information improves security, but users do not always follow them. An employee may accidentally email the wrong person, lose a laptop containing sensitive information, or print confidential documents in an insecure location.
While the technical aspects of cybersecurity are important, the human element plays a significant role in most data breaches. Organizations need to be aware of the risks posed by social attacks and effectively train their users on how to spot and properly report any suspicious activity.