While the current version of social-engineering scams entails phishing emails, online impersonations and other digital elicitations by malicious sources, we human beings have been falling for social-engineering scams for generations. Think back to Victor Lustig who (using social-engineering skills) “sold” the Brooklyn Bridge and other landmarks numerous times.
Fast forward a few decades and take a look at UGNazi's attack on WHMCS, an online billing-management software tool that was hacked using nothing more than a few phone calls and the d0x of one of the key players.
Man has been tricking man for illicit gain for thousands of years, but only recently has a peculiar concept taken hold. The concept is this: the solution to a non-secure environment is more technology.
Heard that one before?
No matter how advanced technological security measures become, the resources companies use to hold data will always be controlled by the decisions of humans. A conversation can be much more dangerous than malware that has breached your network. Malware can be isolated and eliminated. But an information breach or a bad decision by a key employee…that can be truly devastating.
We host a course on social engineering for pentesters, in which attendees learn to secure themselves and their enterprises by analyzing, dissecting and understanding the mind and methods of the malicious social engineer. In short, our goal is to raise awareness of human vulnerabilities.
And if you’re human, you’ve got vulnerabilities.
In teaching for more than 14 years, I’ve seen how threats evolve. Social-engineering scams morph as the potential targets become savvier. We give our students homework exercises to practice rapport-building, elicitation and nonverbal communication techniques that can thwart scammers and protect businesses.
Malware can be isolated and eliminated, but an information breach or a mistake by a key employee can undo any investment in technical solutions. By taking a consistent and well-balanced approach across all aspects of information security, an organisation can gain more benefits out of a fixed security budget.
Chief Human Hacker, Social-Engineer
Continue the conversation in the Computer Crime topic within ISACA’s Knowledge Center.