Social engineering has become such an integrated part of our lives that it is accepted without question. Its over usage has made it an easy tool for attackers. It has led to the creation of botnets, which feed on controlling social behavior to spread more malware and steal sensitive information.
To get security news and tips delivered to your inbox,
From the day we are born, social engineering affects our lives in both negative and positive ways. Humans want to be liked and accepted by others. At the root of this is our emotions, which leave us open to suggestion and manipulation by others. And the bad guys have done a terrific job at adapting social engineering as a means to effectively gain access to information and systems they would otherwise be denied. These social engineering attacks come in variety of different forms but almost always relate to current events. A good example of this is email spam designed to take advantage of the economy in the form of "get rich quick" or "work from home" schemes.
It is our emotions and predictable behavior that allow it to be possible for the creators of viruses and botnets like Conficker to be so successful. Conficker took social engineering one step further by implying that a major event would take place on April 1. The media's coverage of the impending event resulted in an overreaction and played on the public's fear that somehow we were powerless to stop it. How did this benefit Conficker? As humans we are drawn into the hype of an event and then disappointed when it doesn't occur, we then tend to doubt future events. Leading up to April 1st the national media's reports ran around the clock. All reporting ceased after a major April 1 event failed to occur, even though as of June 2009, Conficker was still active and infecting an estimated 50,000 computers every day.
This social engineering move on the part of Conficker, whether by design or by accident, created an environment from which it can continue to evolve and infect new hosts. Most people will discount future warnings as unfounded hype. With social engineering so firmly established in our daily lives, it is not a surprise that most of us fail to address it as a security concern. We have become so desensitized to the concept from over usage that most people can't tell when it's happening to them.
Preventing attacks with social engineering training
If security professionals address the issue of social engineering as a key element in the control and prevention of Internet based threats and its impacts on our behavior, we can make an impact on botnet viability. But any change in human behavior takes time, and firms need to start talking about social engineering training to get users to recognize it. The best approach to getting users to understand social engineering is through constant re-enforcement of information both visual and verbal.
Firms should send weekly emails to their users describing the latest threats and how they relate to social engineering. They should also include reminders to stop and think before they open an email or click unknown links. And openly engage users and encourage them to discuss social engineering and how it relates to the phishing emails they see in their inbox with others in the office. Most importantly, firms need to have an ongoing and open dialog with their users that encourage them to ask question.
So does social engineering training work? In short, yes. Fortunately human behavior is learned and can be changed over time. Firms need to commit to the idea of changing how users think and see it through, but be patient, it will take time and not all users will except change no matter how hard you try. If firms commit and stick with it they can affect change and empower their users to make better informed decisions both at work and at home. But if we choose to not change our ways, social engineering will continue to be a threat to everyone who uses a computer.
Brian C. Sears is director of information systems at Benson & McLaughlin.