Social engineering attacks become more complex, advanced
Despite heavy investments in technology to combat cyber crime, organisations across the globe lost an estimated $2 trillion (R31 trillion) through social engineering-related attacks in 2019.
This is according to Tapiwa Zvandasara, IT governance, risk and compliance specialist at the Trans-Caledon Tunnel Authority,an agency of the National Department of Water and Sanitation, speaking this week at the ITWeb Governance, Risk & Compliance 2020 event in Bryanston, Johannesburg.
Discussing the social engineering attack landscape, often referred to as ‘hacking without code’, Zvandasara noted social engineering is increasingly becoming more complex, as techniques become more advanced, weakening the cyber security chain across industries.
Social engineering attacks typically involve some form of psychological manipulation, fooling unsuspecting users or employees into handing over confidential or sensitive data, he explained.
“Despite investments in technology to ensure adequate security measures are in place, governments, companies and individuals lose millions of dollars each year through social engineering attacks.
“Some of these organisations have the best skills to manage and ensure technology is properly configured and patched, and may even religiously follow the best security practices and standards; however, these efforts do not eliminate the risk of social engineering attacks.”
Despite being one of the oldest hacking methods, social engineering techniques have been used successfully for many years without any “lessons learnt by the victims”, he pointed out.
Quoting a Juniper Research report, Zvandasara said the amount of losses due to social engineering cyber crimes is expected to increase in 2020.
“Advancement in technical security controls in hardware and software has not helped that much and the risk of security bypass is growing every day. The main reason behind this is that criminals exploit human error or weakness in the security chain, to gain access to any system despite the layers of defensive security controls that have been implemented via software or hardware, because humans are more likely to trust other humans compared to computers or technologies.”
He provided examples of social engineering cyber crimes, such as phishing (stealing private information from victims using e-mail systems); smishing (SMS text messaging on a mobile phone to persuade the victim to perform a specific action); impersonation (pretending to be another person with the objective of gaining physical access to a building or a critical system); water holing (capitalises on the trust the victims have in the Web sites they frequently visit); and baiting (capitalises on the weakness of human beings who are naturally curious).
“Social engineering attacks are executed in multiple phases or steps, and each phase is carefully planned and undertaken in a way that progresses towards the final goal. By understanding the phases that an attacker goes through during an attack, organisations can develop adequate defence mechanisms to counter the attacks.”
According to a survey conducted by European security technology firm Balabit, social engineering attacks top the list of the 10 most popular hacking methods worldwide.This is because it is easier and faster to trick employees into revealing their passwords than cracking passwords, or creating and deploying zero-day malware to steal staff credentials, notes the report.
Zvandasara noted that local statistics around cyber crimes and data breaches are difficult to obtain. However, an IBM research report revealed that in 2018, the average total cost of a South African company data breach was R43.3 million, which represents an increase of 12.16% from the previous year.
“To mitigate against social engineering attacks, organisations should create a culture of cyber security. This includes putting access management policies in place, detailing procedures and standards to be followed by employees. In addition, security awareness training and education is necessary for employees. From a technical perspective, technical controls, vulnerability assessments and security audits have to be consistently conducted by companies,” he advised.