Hacking the Human OS: A Report on Social Engineering

By on Feb 18, 2015

Why are data breaches so commonplace?  Whether the attacks are against the energy sector as reported July 2014[i] with over 1,000 energy companies in North America and Europe reported to have been compromised.  To other attacks targeting other sectors (e.g. Operation Troy, Operation High Roller Nightdragon, etc.) it would appear that no sector is immune from data breaches. One common theme amongst these and other attacks is the initial infection vector, namely exploiting the subconscious of a trusted employee. The modus operandi for most of the common data breaches is to leverage some form of social engineering to coerce the user into an action facilitating malware infection.

The prevalence of social engineering in many publicly disclosed cyber-attacks demonstrates either an inherent weakness in the acumen of victims to distinguish malicious communications, or that cybercriminals are using more complex methods to bypass the ‘human firewall’.  The answer of course likely lies somewhere in between these two statements, but regardless of the root case it does demonstrate that the first line of defense is evidently failing.  The default position to blame users as the cause for breaches which is not entirely fair.  Whilst there will be examples where clearly unsafe practices are being employed, our latest whitepaper “Hacking the Human Operating System” demonstrates the techniques used by attackers are to bypass the consciousness of their targets and attempt to manipulate victims through leveraging subconscious levers of influence.

The paper reviews the concept of social engineering; the techniques used within many of the recent cyber-attacks, levers used to influence victims, communication channels used, and suggested controls to reduce the risk..   Much has been written about social engineering.  The content of these sources vary widely, from definitions, to mitigation.  The purpose of the paper is to define the concepts, and introduce mitigations that go beyond simply suggesting that awareness is a panacea.

Unless we address the first line of defense, data breaches will continue to hog our Twitter timelines, and support the ever burgeoning cost of cybercrime.

Twitter@Raj_Samani

Twitter @McAfee_Labs

[i] http://www.bbc.co.uk/news/technology-28106478

About the Author

Raj Samani

Raj Samani is Chief Scientist and McAfee Fellow for cybersecurity firm McAfee. He has assisted multiple law enforcement agencies in cybercrime cases, and is a special advisor to the European Cybercrime Centre in The Hague. Samani has been recognized for his contribution to the computer security industry through numerous awards, including the Infosecurity Europe hall ...

Read more posts from Raj Samani

Subscribe to McAfee Securing Tomorrow Blogs