Ethical hacking is becoming a very popular tool that businesses use in order to identify and help address security vulnerabilities that exist within their IT environment. An ethical hacker is a cyber-security professional who is employed to simulate a genuine hacking attempt. During a white hat security assessment, the ethical hacker will uncover weaknesses and exploit them in the same way that a criminal would. Unlike a real attacker, however, an ethical hacker will then report back to the business with details of how they were able to gain access to and compromise the system, so that the weaknesses can be fixed.
One of the most intriguing tactics used by ethical hackers is to breach organisations via social engineering, as it relies on both psychological manipulation and technical skill to gain access to a system. Here we take a look at how social engineering is used in ethical hacking to establish whether it could be beneficial to your business.
What is social engineering?
Used in the context of hacking, social engineering is a way of gaining access to someone’s personal details or a company’s computer system through deception. In the majority of cases, people are tricked into performing harmful actions, such as installing malware or entering credentials into fake webpages.
Effectively, it is a form of hustle or con game, which relies on members of staff placing trust in people they don't know, or being taken in by messages that appear to come from reputable sources.
Common forms of social engineering
Social engineering does not refer to a specific activity; it actually describes a number of different tactics and techniques. It is impossible to provide an exhaustive list of types, as hackers are always looking for new ways to get into systems. Nevertheless, some of the most common forms of social engineering include:
- Phishing – one of the most well-known types of social engineering, and one that you will likely have been targeted with at some point. Phishing occurs when a criminal sends an email that is designed to look like a legitimate email from a trusted source. The email may contain an attachment which, when opened, will install malware, or a link which takes the user to a fake website where they erroneously enter personal information such as their login credentials.
- Vishing – voice phishing, or vishing, is utilised to try to gain information over the telephone. Here a criminal may call your business pretending to be a customer and request that customer's account details.
- Baiting – this is a physical form of social engineering in which a device such as a USB stick is left on a desk with an ambiguous note. When the USB stick is inserted into the computer it installs malware or provides the hacker with a means of entry into the system.
- Scareware – this form of social engineering frightens victims into acting. Typically a pop-up or message will make a victim believe that their computer has been infected with a virus and then offer a "fix" or "security tool" which, when downloaded, actually installs real malware on their computer.
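The phishing email described above usually gives itself away in the headers and links rather than in the wording: the display name borrows a trusted brand while the real sender address is on another domain, the visible link text shows one URL while the href points elsewhere, and the destination is a look-alike domain. As an added illustration that is not part of the original article, the script below checks a raw email for those three indicators using only the Python standard library. The message, the bank name, the addresses and the domains in it are all constructed for the example, and the trusted-domain list is an assumed configuration value.

```python
"""Flag three common phishing indicators in a raw e-mail message.

Added example; the sample messages, domains and brand names below are
constructed for illustration and do not refer to real organisations.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the brand's genuine domain(s), as a security team would configure.
TRUSTED_DOMAINS = {"example-bank.com"}

# Constructed phishing sample: brand in the display name, lookalike sender
# domain, and anchor text that shows a different URL from the real href.
PHISHING_EMAIL = """\
From: "Example Bank Security" <alerts@example-bank-secure.net>
To: staff@example.org
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer, unusual activity was detected on your account.</p>
<p>Please visit <a href="http://login.example-bank-secure.net/verify">https://www.example-bank.com/login</a> within 24 hours.</p>
</body></html>
"""

# Constructed legitimate sample: sender and link both on the trusted domain.
CLEAN_EMAIL = """\
From: "Example Bank" <alerts@example-bank.com>
To: staff@example.org
Subject: Your statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>View it at <a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a>.</p></body></html>
"""


def registered_domain(host):
    """Crude eTLD+1: keep the last two labels (sufficient for this example)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw_email, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of human-readable indicators; an empty list means none found."""
    msg = email.message_from_string(raw_email, policy=policy.default)
    indicators = []
    brand_labels = {d.split(".")[0] for d in trusted_domains}  # e.g. "example-bank"

    display_name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = registered_domain(addr.split("@")[-1])
    # Indicator 1: display name drops the brand name but the sender domain is not the brand's.
    for label in brand_labels:
        if label.replace("-", " ") in display_name.lower() and sender_domain not in trusted_domains:
            indicators.append(f"display name mentions {label!r} but sender domain is {sender_domain!r}")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            href_domain = registered_domain(urlparse(href).netloc)
            # Indicator 2: anchor text is itself a URL, but for a different domain than the href.
            if text.startswith(("http://", "https://")):
                text_domain = registered_domain(urlparse(text).netloc)
                if text_domain != href_domain:
                    indicators.append(f"link text shows {text_domain!r} but href goes to {href_domain!r}")
            # Indicator 3: the href domain contains the brand name but is not a trusted domain.
            if href_domain not in trusted_domains and any(l in href_domain for l in brand_labels):
                indicators.append(f"look-alike domain in link: {href_domain!r}")
    return indicators


if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, "->", analyse(sample) or "no indicators")
```

The two-label `registered_domain` is deliberately simple and will mis-handle suffixes such as `.co.uk`; a production check would use a public-suffix list. The point of the example is the three comparisons, which are the same ones an ethical hacker relies on staff not making when a simulated phishing message is sent.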
How simulated assessments can improve employee awareness
So how can social engineering be used to help improve an organisation's cyber security? As seen with this simulated attack on a global trading organisation, the object of any kind of ethical hacking or penetration testing is to expose the vulnerabilities in a business's cyber security. This often goes beyond the remit of solely challenging IT infrastructure and technologies and into the realm of testing how vulnerable employees are. After all, staff members are an important part of your overall defences.
Simulated social engineering attacks are ideal for revealing gaps in security awareness amongst staff, for several reasons. Firstly, they show you how vulnerable your staff actually are to criminal social engineering attacks, rather than how vulnerable you assume them to be. Importantly, they also raise awareness amongst your employees of the risks of this sort of attack and remove the complacency which could otherwise lead even knowledgeable staff to make mistakes. Additionally, the reconnaissance phase of a simulated social engineering attack shows you exactly how much information about your business is freely available online and could be used by criminals to make their approach convincing.