The human being! It is one of the most important and most underestimated IT and cybersecurity risks to business security. Employees are often poorly trained and prepared in data protection matters. Out of carelessness or a desire to be helpful, they create security gaps and thus become the gateway for the dangers and manipulative methods of so-called social engineering.
Social engineering means "social manipulation": it exploits human weaknesses, for example to elicit important passwords, or to prepare and launch attacks with malware, Trojans, or blackmail Trojans (ransomware). Company servers and computers can also be recruited into so-called botnets through manipulation and then used for DDoS and other botnet attacks.
Social Manipulation Through Social Obligation, Sympathy, Authority
Attackers operate worldwide and exist in large numbers, and they are becoming ever more clever and better equipped. Large organizations, competitors, or even hostile states are behind some attacks. Experienced cybercriminals and social engineers are very adept at gaining unauthorized access to company information, databases, or IT systems. They manipulate employees and understand how to exploit deeply human characteristics such as trust, helpfulness, or respect for authority. These are the most important psychological instruments and methods used in the cyber manipulation of humans:
· an alleged temporal or factual emergency, or one that requires quick action
· a reference to an alleged obligation on the part of the victim
· a very sympathetic, serious, or obliging demeanor
· the invention of a relationship of authority over the victim
· the reference to the general validity and legality of the action
Social Engineering Methods - Four Typical Examples and Con Tricks
Example 1. A caller or a man in work clothes pretends to be a Telekom network technician. He claims to be under terrible time pressure and to need technical details about devices or settings as quickly as possible because of a significant malfunction; otherwise, nothing will work soon. Psychological consequence: the victim, for example a receptionist, is put under emotional pressure. Under no circumstances does she want to be held jointly responsible for the resulting chaos or failure of technical services. Most have nothing with which to counter the professional, self-confident and knowledgeable demeanor of the supposed security professional, and they provide the information requested.
Example 2. A supposed assistant to a higher-ranking manager comes by in person and asks, on behalf of her boss, for the forgotten password for server or network access. This is where the "hierarchy card" is played. For fear of reprisals, intimidated employees pass on the data in a "hierarchy-conscious" manner and believe that they are providing the best possible support.
Example 3. A call comes in from someone who wants to speak to "Mr. Schmidt", who is currently unavailable. The information that Mr. Schmidt will be away for two weeks reveals that his workstation and account will not be monitored during this time - a good basis for collecting data and passwords on site.
Example 4. Oops, a colleague has left a USB stick on the desk. The victim carelessly plugs it into the computer to see who it belongs to. The USB stick may automatically start applications that could harm the company. Or the stick contains files with curiosity-arousing names that the victim clicks on.
Classic manipulation methods via mail and fax are still in use. Not to be neglected is the danger of social manipulation by "internal perpetrators": existing or former employees.