Social engineering attacks, what used to be known as a confidence, or con, tricks, can only be defeated by potential victims taking a sceptical attitude to unsolicited approaches and requests for privileged information and resources. That is the message that arrives from European researchers.
Most of us have received probably dozens of phishing messages and emails from scammers on the African continent seeking to relieve us of our hard-earned cash. Apparently, these confidence tricksters are so persuasive that they succeed repeatedly in hustling funds even from those among us with a normally cynical outlook and awareness of the ways of the world.
On the increase too are cowboy construction outfits and hoax double-glazing sales staff who wrest the life savings from senior citizens and so-called boiler room fraudsters who present get-rich-quick schemes so persuasively that thousands of unwitting individuals lose money totalling millions of dollars each year.
Con artists and hustlers have always preyed on greed and ignorance. As the saying, goes a fool and their money are easily parted. However, the new generation of social engineers, are not necessarily plundering bank accounts with promises of riches untold, but are finding ways to infiltrate sensitive databases, accounts, and other resources, using time-honoured tricks and a few new sleights of hand.
Now, Jose Sarriegi of the Tecnun (University of Navarra), in San Sebastian, Spain, and Jose Gonzalez, currently in the department of Security and Quality and Organizations, at the University of Agder, Norway, have taken a look at the concept of social engineering, and stripped it down to the most abstract level (International Journal of System of Systems Engineering (2008, 1, 111-127)). Their research could lead to a shift in attitude that will arm even the least sceptical person with the necessary social tools to spot an attempt at social engineering and stave off the attack with diligence.
Fundamentally, the researchers explain, social engineering is an attempt to exploit a victim, whether an individual or organization, in order to steal an asset, money, data, or another resource or else to make some resource unavailable to legitimate users in a denial of service attack or in the extreme instigate some terrorist, or equally destructive, activity.
Of course, a social engineering attack may not amount to a single intrusion, it could involve layer upon layer of deceptions at different places and on different people and resources. The creation of a sophisticated back-story, access to less sensitive resources, and targeting of the ultimate goal is more likely to be a dynamic process. This, the researchers suggest, means that looking for “heaps of symptoms”, as might occur in attempting to detect someone breaking into a computer system, is no longer appropriate and a dynamic response to a dynamic attack is more necessary now than ever before.
Recognising the shifting patterns of an ongoing and ever-changing social engineering attack means better detection of problems low in the metaphorical radar, the team suggests. Better detection means improved efficacy of security controls. The best defence is then to build, layer-by-layer, feedback loops that can catch an intruder at any of many different stages rather than relying on a single front-line defence that might be defeated with a single blow.