'Human OS' Plays Big Role in Social Engineering Risk

Technology can only do so much to defend against risk in the "human operating system." A new report from Intel Security warns of social engineering's perils.

social engineering

Organizations around the world have deployed all manner of technology to help protect infrastructure and endpoints from security risks. Technology, however, isn't the only risk that needs to be secured. In a new report from Intel Security, titled "Hacking the Human Operating System," researchers reveal the role of social engineering within cyber-security.

The report defines social engineering as "the deliberate application of deceitful techniques designed to manipulate someone into divulging information or performing actions that may result in the release of that information."

Intel Security explains that there are two main types of social engineering attacks: hunting and farming. In hunting attacks, the culprits are looking to gain information and exploit the user with minimal interaction while, in farming attacks, the attackers build a relationship with the victim and then extract information over time.

Email is a leading culprit in attack vectors for all types of social engineering, said Raj Samani, Intel Security vice president and CTO.

Intel Security used an online quiz, launched in May 2014, to show how easy it is to get people hooked on a social engineering phishing email. The aim of the quiz is to find out test takers' skills "at detecting malicious phishing attempts amid common work-related emails."

"Of the more than 16,000 test takers, we have found that 80 percent of them have fallen for at least one in seven phishing emails," Samani told eWEEK. "Further, we see that accounting and finance, and HR—which arguably hold some of the most sensitive corporate data—perform the worst."

Whether a social engineering attack is for hunting or farming, Intel Security has identified four common phases. The first is research, which may be optional for some attacks that aren't actually targeted. The second is the hook, which is about engaging with the target and creating the story that will trigger the interaction.

The third phase is what Intel Security refers to as the "Play" where the social engineering attack aims to extract information. The fourth and final phase is the exit, where the attacker's goal is to end the interaction with the victim, without the victim realizing he or she has been exploited.

The Intel Security report said people, processes and technology are needed to help mitigate risk. Technology alone is not enough to protect users because the channels of attack go well beyond digital communication mechanisms, Samani said.

"Yes, email is the most prevalent, but consider face-to-face, telephone, etc.," Samani said. "The reality is that only a combination of controls can best combat the threat."

For the rest of 2015 and beyond, there doesn't seem to be any slowdown in sight for social engineering attacks, which might just grow as the value of personal data and market demand for stolen data increases, Samani said. "This is the modus operandi for the majority of cyber-criminal groups as well as hacktivist groups," Samani said. "The reality is that social-based attacks will continue for the foreseeable future."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.