Whether we are talking about the Internet of Things, the Smart Factory or Big (Smart) Data - all these topics are about increased connectivity, maximum efficiency and the acquisition of (sometimes) important data. However, this also results in new requirements for security. Like every social development, the digital transformation also brings with it risks and threats with regard to security. These can be quite diverse. Various methods of social engineering are frequently used, which sometimes lead to massive damage. With the appropriate protection against social engineering, however, you minimise this risk on the way to a secure system landscape.
What is Social Engineering?
The term social engineering describes the targeted manipulation of people. The aim is to gain access to system landscapes, internal processes and confidential information. Information about an employee is collected and then used to turn that person's own human nature against them. The technique can fairly be described as trickery, simply brought up to date. Such attempts are not new; tricksters existed long before digitalisation and Industry 4.0 - even long before computers and laptops. Because the method still works, it is still widely used. Interesting information on this has been compiled by NIST.
The Art of Manipulation
You have probably heard stories of e-mails with seemingly harmless attachments or inconspicuous links that led to a rude awakening: the user was careless and opened the attachment or clicked on the link. The methods of social engineering go one step further. To gain access to a computer network, social engineers pretend to be employees, customers or IT technicians, for example. They try to win the trust of an authorised user and obtain confidential information. It is not uncommon for the fraudsters to build up a relationship of trust over a long period of time; little by little, insider information about the software landscape and network security is elicited without arousing suspicion. For example, the attackers contact an employee, mention an allegedly urgent problem and demand access to the network in order to solve it. The intended target of social engineering is therefore clearly the human being. Firewalls and other security mechanisms can of course be outwitted, but the vanity, sense of authority or shame of human employees can be exploited with comparatively little effort. Employees with a lot of customer contact, and new employees who do not yet know all their colleagues and usually need help setting up the IT systems, are especially popular targets. The big advantage for the attackers is that the attack is often not even registered: the intrusion remains unnoticed, and the same employee can be exploited again for the attackers' purposes at the next opportunity.
Protection against Social Engineering
Unlike other forms of attack on a company's data and systems (and sometimes those of private individuals), social engineering cannot be countered by comprehensive IT measures alone. People are the potential gateway and the potential vulnerability. Companies are therefore advised to remind employees of the value of information, to make them aware of the threat and to train them accordingly. What can you do concretely?
- Social engineering methods rely on impulsive human actions. Driven by deadlines and stress, many employees react without thinking. Take a moment and think! Be wary of suspicious or unexpected calls, even if they appear to come from a trusted person.
- Do not share confidential information through anonymous channels such as email, chats or telephone. Despite all the possibilities of digitalisation, information can be exchanged more securely face to face. The positive side effect is that you form better relationships with your counterpart this way.
- If you are not sure about a request and the person making it tries to put you under pressure, forward the request to your supervisor. Attempts to intimidate the victim are part of social engineering.
Attackers always find a way to elicit information from human employees using social engineering methods. Even the best security systems can be circumvented and valuable data can be stolen through naivety or ill-considered actions. But with a little common sense and logical thinking, it is not difficult to protect yourself. You can find more information in the paper "Avoiding Social Engineering and Phishing Attacks".