• Latest
  • Trending
The Human Cost of Social Engineering

The Human Cost of Social Engineering

March 3, 2021
Inaugural AfCFTA Conference on Women and Youth in Trade

Inaugural AfCFTA Conference on Women and Youth in Trade

September 6, 2022
Instagram fined €405m over children’s data privacy

Instagram fined €405m over children’s data privacy

September 6, 2022
8 Most Common Causes of a Data Breach

5.7bn data entries found exposed on Chinese VPN

August 18, 2022
Fibre optic interconnection linking Cameroon and Congo now operational

Fibre optic interconnection linking Cameroon and Congo now operational

July 15, 2022
Ericsson and MTN Rwandacell Discuss their Long-Term Partnership

Ericsson and MTN Rwandacell Discuss their Long-Term Partnership

July 15, 2022
Airtel Africa Purchases $42M Worth of Additional Spectrum

Airtel Africa Purchases $42M Worth of Additional Spectrum

July 15, 2022
Huawei steps up drive for Kenyan talent

Huawei steps up drive for Kenyan talent

July 15, 2022
TSMC predicts Q3 revenue boost thanks to increased iPhone 13 demand

TSMC predicts Q3 revenue boost thanks to increased iPhone 13 demand

July 15, 2022
Facebook to allow up to five profiles tied to one account

Facebook to allow up to five profiles tied to one account

July 15, 2022
Top 10 apps built and managed in Ghana

Top 10 apps built and managed in Ghana

July 15, 2022
MTN Group to Host the 2nd Edition of the MoMo API Hackathon

MTN Group to Host the 2nd Edition of the MoMo API Hackathon

July 15, 2022
KIOXIA Introduce JEDEC XFM Removable Storage with PCIe/NVMe Spec

KIOXIA Introduce JEDEC XFM Removable Storage with PCIe/NVMe Spec

July 15, 2022
  • Consumer Watch
  • Kids Page
  • Directory
  • Events
  • Reviews
Monday, 30 January, 2023
  • Login
itechnewsonline.com
  • Home
  • Tech
  • Africa Tech
  • InfoSEC
  • Data Science
  • Data Storage
  • Business
  • Opinion
Subscription
Advertise
No Result
View All Result
itechnewsonline.com
No Result
View All Result

The Human Cost of Social Engineering

by itech-Manager
March 3, 2021
in Leading Stories, Opinion
0 0
0
The Human Cost of Social Engineering

Social engineering describes a range of malicious cybersecurity activities accomplished through psychological manipulation to trick users into making security mistakes or giving away sensitive information.

Simulated attacks are technical exercises that emulate the tactics, techniques and procedures of a real attacker, which help to understand how well your incident response plans hold out. Simulating the whole attack chain for most adversaries means we are not just targeting the technology, but also the people involved.

YOU MAY ALSO LIKE

Inaugural AfCFTA Conference on Women and Youth in Trade

Instagram fined €405m over children’s data privacy

People are often talked about as the weak link and while it is important to understand human fallibility and the ways people will fail, be fooled, or tricked, we also have a moral and ethical obligation to look after those targeted and avoid causing undue distress.

Would I Lie to You?

Social engineering is a sterile term that covers many different bases and sounds more professional than alternatives such as ‘lying to people’, ‘abusing trust’, or ‘betraying relationships’. But if we are to accurately simulate the attack chain and their activities, we also need to adopt these. It’s easy to overlook those on the receiving end, with lives outside work and powerful feelings and emotions. So, when we are simulating advanced adversaries, we should not lose sight of the impact on our human targets.

Under Pressure

Anybody involved in an urgent response to a cybersecurity incident will be familiar with the heightened emotions. People work long hours, adrenaline flows and the response team is under pressure. When making incident response plans, companies often consider the wellbeing of responders – ensuring they take breaks, eat, rest and have support – but possible ‘collateral damage’ is easy to overlook.

Imagine someone caught up in a simulated incident – in email and telephone contact with someone thought to be a customer, building a relationship over several days – only to be targeted with malware as part of the simulation by opening a received document that compromises her workstation. This was a real case.

For the internal IT team, it was their ‘Patient Zero’. They asked what happened, what had been said and what had been done in the sophisticated attack involving a closely-registered domain and telephone conversations with a non-existent person that had led to exposing the company to attack.

No cybersecurity professional would expect individual employees to defend against that level of sophisticated social engineering. What mattered was how the employee reacted, devastated to have been the cause and questioning whether she should have known better and questioning whether she could trust her judgement elsewhere. She was substantially upset, blaming herself.

Reality Versus Simulation

When the incident was revealed as part of an exercise, although relieved her error hadn’t caused any real damage, there was resentment and anger owing to anxiety and upset because of what her employer had put her through.

Was it wrong to conduct the adversary simulation and target the employee?

It’s a grey area that cybersecurity practitioners must navigate and find a balance between realistic simulations, without ethical constraints and protecting those targeted from unnecessary distress.

When employing social engineering methods, cyber-criminals use tactics to bring the best chance of success. Most rely on a ‘hook’ – something causing a victim to engage that lures people into clicking on a link or downloading a document containing malware.

Those with the greatest chance of success often have the most emotional impact. At the start of COVID-19, we saw huge changes in hooks used by adversaries: mass phishing campaigns using virus information. Fear and anxiety are powerful emotions making a person less likely to think clearly.

Ethical decisions need to be made about the hooks. Consider an employee posting on social media about their difficulty conceiving. This is information adversaries could use, on which this person is very likely to bite: a new fertility treatment, a change in employment benefits allowing fertility treatment costs to be covered. The level of emotional distress could be devastating. Even if a criminal might have no qualms doing this, cybersecurity professionals doing the same would be unconscionable. But most of the time, possible impacts of a hook might be less obvious. 

Trust Equals Security

Every time a social engineering hook is chosen, there are obligations to consider the emotional impacts. Trust between employer and employee is critical to a positive and successful security culture. The most successful security programmes instil positivity and supportive cultures of reporting, valuable for resilience. People are the strongest asset here.

Breaching trust with employees by neglecting the care of victims can damage relationships you rely on for the protection of assets and data. Whilst social engineering must be done to support attack chain simulation, we must be mindful of human cost and take steps ensuring victims’ damage is minimized. This is a shades of grey landscape, but we forget the humanity of our targets at our peril.

Credit: Gemma Moore Director, Cyberis, Cyberis

ShareTweetShare
Plugin Install : Subscribe Push Notification need OneSignal plugin to be installed.

Search

No Result
View All Result

Recent News

Inaugural AfCFTA Conference on Women and Youth in Trade

Inaugural AfCFTA Conference on Women and Youth in Trade

September 6, 2022
Instagram fined €405m over children’s data privacy

Instagram fined €405m over children’s data privacy

September 6, 2022
8 Most Common Causes of a Data Breach

5.7bn data entries found exposed on Chinese VPN

August 18, 2022

About What We Do

itechnewsonline.com

We bring you the best Premium Tech News.

Recent News With Image

Inaugural AfCFTA Conference on Women and Youth in Trade

Inaugural AfCFTA Conference on Women and Youth in Trade

September 6, 2022
Instagram fined €405m over children’s data privacy

Instagram fined €405m over children’s data privacy

September 6, 2022

Recent News

  • Inaugural AfCFTA Conference on Women and Youth in Trade September 6, 2022
  • Instagram fined €405m over children’s data privacy September 6, 2022
  • 5.7bn data entries found exposed on Chinese VPN August 18, 2022
  • Fibre optic interconnection linking Cameroon and Congo now operational July 15, 2022
  • Home
  • InfoSec
  • Opinion
  • Africa Tech
  • Data Storage

© 2021-2022 iTechNewsOnline.Com - Powered by BackUPDataSystems

No Result
View All Result
  • Home
  • Tech
  • Africa Tech
  • InfoSEC
  • Data Science
  • Data Storage
  • Business
  • Opinion

© 2021-2022 iTechNewsOnline.Com - Powered by BackUPDataSystems

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In
Go to mobile version