Why Social Engineering Shouldn’t Be Underestimated

Aditya Gaur
5 min read · Jul 18, 2020

A few days ago we all heard that the Twitter accounts of some famous personalities, such as Elon Musk, Barack Obama and Bill Gates, were hacked and that tweets were sent from their accounts to propagate a bitcoin scam. The attack was detected shortly afterwards and is believed to have been a coordinated social engineering attack carried out to gain access to some of Twitter’s internal systems and tools.

Further, it was made public that 130 Twitter accounts were targeted in total and that for 45 of them the attackers were able to initiate a password reset, log in to the account and send Tweets.

Then the news came that for some of the accounts the attackers also used the “Your Twitter Data” tool. This tool downloads all of the information available and associated with your account; a similar tool is available on Facebook. There were 8 such accounts, none of which was verified.

Following this notorious attack, Twitter took certain countermeasures to mitigate the associated risk.

As a result,

· Initially, the affected accounts were locked immediately and the Tweets believed to have been made by the attackers were removed.

· Downloading account information through the “Your Twitter Data” tool was disabled.

· Accounts that had attempted to change their password during the past 30 days were locked.

· Some other relevant actions were taken as well.

The investigation is still ongoing; Twitter and law enforcement agencies are working on it. If you want to keep yourself updated, you can follow @TwitterSupport, and if you want to know what happened in detail, you can refer to the Twitter Blog at blog.twitter.com.

So, coming back to the topic: why shouldn’t social engineering be ignored? Why do you think I chose this topic? You may think it is because, in this Twitter scenario, the attackers performed social engineering on some Twitter employees in order to escalate further, and that is somewhat true. But what do you think about it? Why shouldn’t we underestimate the risks associated with social engineering? I’d be glad to get the chance to discuss it with like-minded people, hence I’m leveraging this virtual platform to reach out to you all.

What really is social engineering?

To students like me, social engineering sounds like a theoretical topic, and I believe we all went through it when we were trying to grasp the basics of cyber security. The CIA triad keeps coming back, so most of us are familiar with that, but social engineering falls into another basket and I think we now need a revision. As cybersecurity enthusiasts we shouldn’t rely on Wikipedia to get clarity on our concepts, but this one, the definition of social engineering, seemed pretty right to me.

“In the context of information security, Social engineering is the psychological manipulation of people into performing actions or divulging confidential information.”[1]

I hope you all got the basic idea of what it is. Trust me, we have all done social engineering in our childhood to get what we wanted from our parents; from toys to bicycles and computers, most of us have done something like that. Some people get confused and misinterpret social engineering as the ability that Sherlock Holmes possesses in his series and movies. That’s different, that’s something else entirely: it is his perception, observation and critical thinking that make him Sherlock Holmes. Here we are talking about situations that involve the act of manipulation in order to get something or get something done. Of course, the art of manipulation is the ability one needs in order to perform social engineering.

Here’s an example.

Think about a situation in which a colleague asks to borrow your laptop because their own laptop isn’t working properly and they have to do something very urgently.

Would you give them your laptop? The answer depends on the sense of urgency the person creates and the relationship between you. It is possible that he or she takes advantage of the situation to perform some malign activities from your laptop under your identity, or to steal your private files, documents, etc. It is also possible that he or she does nothing! And if they do something, how would you get to know about it? How do we save ourselves from social engineering attacks? How would you know whether someone is lying or not? After all these questions, it’s clear that the risks associated with social engineering shouldn’t be ignored and shouldn’t be underestimated.

You can secure a system or network to a great extent by applying a variety of controls; there are standards that give detailed guidelines on securing different types of systems or platforms. Strong access control can be implemented, non-repudiation can be enforced and a lot of other things can be done, but still there is no assurance that social engineering won’t happen. Yes, it’s true! It’s not something for which you can define some parameters to predict its chance of occurrence. Instead, the occurrence of social engineering depends on a very flexible term: TRUST. We all know the sarcasm behind it; there’s nothing to explain. There’s no standard that would help you out in situations like “Should I trust him/her or not?”, and we don’t always think about it.

You can never know someone’s motivations unless you are a high-functioning sociopath or a psychologist. And I guess that’s why we sometimes hear “Humans are the weakest link in cybersecurity”: because we are unpredictable! I’ve seen people debating this on Twitter, but it’s not about the blame game. Cybersecurity is a combined effort of humans and machines; we can’t and shouldn’t rely on, or blame, either of them alone, whether something happens or not.

So, what can be done? To be honest, nothing can be done except being aware. All you have to do is be aware: of yourself, of your surroundings, of the people around you, etc. Think before you act; think about the consequences of your actions. Stay secure and don’t let anyone manipulate you!

References

[1] https://en.wikipedia.org/wiki/Social_engineering_(security), accessed on 18th July 2020

Images — Tweets by @TwitterSupport

Thanks for giving it a read; I hope you liked my article. Please comment your reviews, what you think about it, or anything you’d like to share.

Stay safe, stay home, and stay secure!

Aditya Gaur

CCSK | AWS & Azure Certified Cloud Practitioner | ISO Certified ISMS & PIMS Auditor