Sample Technology Coursework Paper on Social Engineering

Introduction

Over the last decade, it has become evident that social engineering attacks on corporate entities continue to grow in sophistication and frequency. According to a study by Das, Kant, and Zhang (2016), a comparison of social engineering attacks between the decades 1995-20016 and 2005-2016 shows a difference of about 46%, with the current decade showing an increased trend in threats to corporate computer networks. Traditionally, social engineering is a non-technical approach employed by cyber attackers that depends significantly on human interaction. The tactic often comprises tricking individuals into going against regular security practices. Nevertheless, an investigation by the U.S. Secret Service and the Dutch National High Tech Crime Unit indicated in 2010 that the outsider element has been highly dependent on the use of malware and hacks. Currently, 86% of all reported social engineering attacks have been linked to hacking and malware (Das, Kant, & Zhang, 2016). From such data, it can be argued that social engineering attacks can no longer be identified as non-technical. However, according to Pahlavan and Krishnamurthy (2013), all hacking and malware attacks on corporate entities have remained dependent on the human interface. This indicates the evolution of the social engineering threat, a factor that should be given significant attention.

Discussion

Social engineering is defined as a process of manipulation in which individuals unknowingly give up confidential information about themselves or an organization. The type of information cybercriminals seek varies; nevertheless, when a person is targeted, they are usually tricked into providing passwords, bank details, or access to restricted computer networks where the attackers install malicious software. Over the last decade, malicious software has become the preferred means for cybercriminals to find the targeted information, as malware gives them access to passwords for restricted information as well as control over a computer or computer network with limited chance of being identified.

Examples of Social Engineering outside the corporate environment.

[Figure 1. Source: Author. Key: flow of information; social engineering attacks; unrestricted access.]

Figure 1 above represents the common social engineering attack modes that may affect a corporate entity. From the image it is clear that the unknowing user is exposed to a number of threats, a factor that makes company secrets more susceptible to exposure.

Baiting. Most organizations have always worked on the premise of improving their cybersecurity against outsiders by keeping an ‘airtight’ network, that is, a network that is not connected to the internet. Nevertheless, attackers have devised a means of bridging the air gap by introducing malware-infected devices, for instance USB flash sticks or CDs, in areas where the targeted individual is likely to use them without knowing (TechTarget, 2016). According to Das, Kant, and Zhang (2016), over the last half-decade baiting has been identified as the preferred means of social engineering attack, considering it is untraceable and undetected in most instances. The success of a baiting attack rests on the premise that the person who finds the infected device will load it into a computer on the network, allowing the criminal to take control of that network and in the process gain restricted access without anyone’s knowledge.

Phishing. Though baiting is the most preferred means of social engineering attack, it suffers a major flaw in terms of timing. The criminal may not gain access if the device is not loaded in time; therefore, most attackers resort to making fraudulent communications with their targets that are disguised as legitimate conversations from a trusted source. According to Webroot (2016), in phishing attacks the target is compelled into installing malware, instead of the attacker waiting for a device to be installed at the user’s discretion. Most such attacks use chat applications, social media, phone calls, or spoofed websites designed to look legitimate. It should be taken into account that in some cases the phishing is highly specific. Spear phishing is a highly targeted type of phishing attack that focuses on a specific individual or organization. Spear phishing attacks use particular information that is specific to the receiver in order to gain trust or appear more legitimate.

Pretexting. Other than compelling the user into installing malware, cybercriminals are known to fabricate untrue information in order to obtain sensitive information directly. This strategy is known as pretexting (Webroot, 2016). In most instances the victim is scammed into providing information that may include identity verification details used to log in to their computers or other personal accounts.

Tailgating. In some cases, the criminals physically follow individuals into a secure location, where they retrieve information not intended for them.

From the data provided in chart 1, there is a considerable view that social engineering attacks are conducted by outsiders; however, over the last half a decade this view has changed, as internal corporate environments also present threats.

Examples of Social Engineering within the corporate environment.

Over the years, IT experts such as Pahlavan and Krishnamurthy (2013) have indicated that there currently exists malware that can infect virtually all computer devices, and that it can be found anywhere. Therefore, when an individual accesses personal email, it is possible that they expose their workstation to a social engineering attack. According to Das, Kant, and Zhang (2016), the biggest internal threat to corporate entities is posed by users’ social media accounts.

Recommendations

The best way to protect a corporate entity from social engineering attacks is by creating internal or departmental air gaps within the organization’s network, meaning that an attack is localized and cannot get to its intended destination swiftly or undetected.

References

Das, S. K., Kant, K., & Zhang, N. (2016). Handbook on securing cyber-physical critical infrastructure. Waltham, MA: Morgan Kaufmann. https://books.google.co.ke/books?id=MftTeQivgA0C&pg=PA699&dq=the+threats+of+Social+Engineering+to+the+Corporate+Entity&hl=en&sa=X&ved=0ahUKEwjiqPftpMDYAhUEuRQKHb6KAx4Q6AEIJzAA#v=onepage&q=the%20threats%20of%20Social%20Engineering%20to%20the%20Corporate%20Entity&f=false

Pahlavan, K., & Krishnamurthy, P. (2013). Principles of wireless access and localization. Chichester, West Sussex, United Kingdom: Wiley. https://books.google.co.ke/books?id=ZXewAAAAQBAJ&pg=PT382&dq=the+threats+of+Social+Engineering+to+the+Corporate+Entity&hl=en&sa=X&ved=0ahUKEwjiqPftpMDYAhUEuRQKHb6KAx4Q6AEIQDAE#v=onepage&q=the%20threats%20of%20Social%20Engineering%20to%20the%20Corporate%20Entity&f=false

TechTarget. (2016). Social Engineering. Retrieved from http://searchsecurity.techtarget.com/definition/social-engineering

Webroot. (2016). What is Social Engineering? Online source. Retrieved from https://www.webroot.com/us/en/home/resources/tips/online-shopping-banking/secure-what-is-social-engineering