By Silvia Arezzini, systems engineer and project manager at INFN (Italian National Institute for Nuclear Physics)
“The problem of social engineering has always interested me because it shows the intertwining of technical and human aspects. Social engineering brings together a number of techniques aimed at inducing people to provide personal information, such as passwords or banking details, or to allow access to a computer to secretly install malicious software.”
One of the best-known social engineers, former hacker Kevin Mitnick, in his book, The Art of Deception, describes the countless ways in which people can be scammed in person, by phone or by email.
For system administrators, social engineering is a type of cyber attack that is difficult to grasp: they are used to protecting a well-defined perimeter and building very safe environments, so when faced with a social engineering attack they might still tend to underestimate its risks, even though they are better prepared than most.
“I don’t fall for it!” and instead….
In fact, every system administrator will, at least once, comment on a successful phishing case with: "But how could this happen, it was so obvious!".
Unfortunately it is not obvious at all, also because the so-called "social engineers" are very skilled at collecting confidential information about the victim, information they use to strike the right chords and involve the victim emotionally, even upsetting them if necessary (by creating panic or a sense of guilt, or by appealing to the desire to help), and, in a very short time, get what they want. Sometimes everything happens in the blink of an eye. What is obvious to an outside observer is not at all clear to the victim who is personally living through the attack.
The importance of collaboration and awareness
My experience in the field of privacy, which brought me to work closely with colleagues from the legal department, made one thing very clear to me: what is evident to us IT experts is not evident to lawyers, and the other way around. Precisely for this reason, working closely together is always necessary. I believe that the best way to face the problem of social engineering is to follow the same logic, by creating mixed working groups with a continuous cross-pollination of expertise, in particular between teams working in IT and those involved in behavioural science.
Training in the workplace should follow this direction. Within companies, training courses should in fact be built on close collaboration between IT managers and behavioural scientists, in order to help everyone become aware of both the opportunities and the risks behind an IT tool. Awareness helps people react a little better to a sneaky attack that could cause substantial damage. With a single gesture a user can jeopardise the security of an entire organisation, even one equipped with a secure and well-designed infrastructure. The consequences can be serious and long-lasting: a successful phish frequently ends with the compromised account being used to send spam, with negative consequences for everyone in the weeks that follow.
Sharing is also important
I believe that, whenever a cyber incident happens in an organisation, it is very important to share the experience, especially in training courses, by anonymising the victim and explaining the case in detail. By talking about something that really happened, everyone will feel more involved and a more widespread awareness can be generated.
Not just privacy “by default and design”. The role of the individual
Where there is no security, there is no privacy, but if there is no privacy, security is seriously endangered: these are two sides of the same coin.
As the GDPR requires (Article 25, data protection by design and by default), privacy must be built in "by default and by design", meaning that the infrastructure must carry the seed of security within it, which can significantly contain the risk of an attack. A good infrastructure that protects users adopts, for example, two-factor authentication, similar to what banks use, i.e. a one-time password combined with the standard password, as well as authorisation and privilege systems based on users' roles, so that employees work in confined environments and a single compromised account cannot escalate very far. However, a good authentication and authorisation infrastructure is not enough.
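The two controls named above, a one-time password on top of the standard password and role-based permissions, are easy to get subtly wrong. The following is an added example, not code from the author or from INFN-AAI, of the server-side checks involved: RFC 4226/6238 HOTP/TOTP with a small clock-skew window, constant-time comparison, rejection of replayed codes, and a deny-by-default role lookup. The user store, password, role names and salt are constructed for the example; the TOTP secret is the RFC 6238 test key, so the codes can be checked against the RFC's published vectors.

```python
"""Added example: two-factor login (password + TOTP) and role-based authorization.

Constructed user store; the TOTP secret is the RFC 6238 test key so that the
generated codes match the vectors published in the RFC.
"""
import hashlib
import hmac
import struct

STEP = 30      # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6
WINDOW = 1     # tolerate one time step of clock skew on either side


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, digits: int = DIGITS, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, submitted: str, at: int, last_counter: int,
                digits: int = DIGITS, step: int = STEP, window: int = WINDOW):
    """Return the time-step counter that matched, or None.

    Every candidate step is compared with compare_digest and the loop never
    exits early, so response time does not reveal which step matched. A counter
    at or below last_counter is a code that has already been used (a replay)
    and is rejected even though it is still inside the window.
    """
    matched = None
    for delta in range(-window, window + 1):
        counter = at // step + delta
        if hmac.compare_digest(hotp(key, counter, digits), submitted) and counter > last_counter:
            matched = counter
    return matched


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user store; in a real deployment this lives in a directory or database.
_SALT = b"constructed-salt-not-for-production"
_DUMMY_HASH = hash_password("", _SALT)   # used so unknown usernames take as long as known ones
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_key": b"12345678901234567890",   # RFC 6238 test secret (SHA1)
        "role": "operator",
        "last_counter": -1,                   # no TOTP code accepted yet
    },
}

# Role-based permissions: each role gets only what its job needs (constructed names).
ROLE_PERMISSIONS = {
    "viewer": {"read_logs"},
    "operator": {"read_logs", "restart_service"},
    "admin": {"read_logs", "restart_service", "grant_role"},
}


def login(username: str, password: str, code: str, at: int) -> bool:
    """Both factors must pass; the accepted TOTP counter is recorded to block replays."""
    user = USERS.get(username)
    expected_hash = user["pw_hash"] if user else _DUMMY_HASH
    pw_ok = hmac.compare_digest(hash_password(password, _SALT), expected_hash)
    if user is None:
        return False
    counter = verify_totp(user["totp_key"], code, at, user["last_counter"])
    if not pw_ok or counter is None:
        return False
    user["last_counter"] = counter
    return True


def authorize(username: str, action: str) -> bool:
    """Deny by default: unknown users, unknown roles and unknown actions all return False."""
    user = USERS.get(username)
    if user is None:
        return False
    return action in ROLE_PERMISSIONS.get(user["role"], set())


if __name__ == "__main__":
    now = 59   # RFC 6238 vector: T=59 -> counter 1 -> 6-digit code 287082
    key = USERS["alice"]["totp_key"]
    print(login("alice", "correct horse battery staple", totp(key, now), now))   # True
    print(login("alice", "correct horse battery staple", "287082", now))        # False: replayed code
    print(authorize("alice", "restart_service"), authorize("alice", "grant_role"))  # True False
```

Two points are worth noticing. The replay check is what turns "something you have" into a real second factor: a code phished a minute ago is useless once the legitimate login has consumed it, and an older code in the window is rejected after a newer one has been accepted. The permission lookup denies by default, so a phished "operator" account cannot grant itself roles even if the attacker has both factors.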
Prying eyes on our digital identity
In fact, social engineers typically collect scattered pieces of information and connect them. That information comes from us, directly or indirectly, at home or on social media, where we tend not to pay attention to the protection of our digital identity. Once collected and correctly correlated, it acquires real meaning and can reveal exactly what is needed for fraudulent access. Oversharing can therefore be dangerous and cause damage to the entire ecosystem in which we operate. Conversely, if your organisation falls victim to IT fraud, a data breach may leak some people's personal data, with serious repercussions for the individuals concerned. As you can see, security and privacy are closely linked.
It is a very complex issue with worrying repercussions on our lives. So, in view of this, I would like to conclude with a simple warning. Social engineering really has a thousand facets, some of them very ambiguous. I believe that the most powerful weapon we have for not making its life easy is to start from the awareness that this issue does not only concern others: at any moment of our lives we may find ourselves, unexpectedly and without any warning, dealing with it personally. So remember: "Stay alert, stay safe!"
About the author
Silvia Arezzini works as a systems engineer and project manager in the Calculation Centre of the INFN (Italian National Institute for Nuclear Physics), in Pisa. She collaborates in national INFN activities in the field of Authentication and Authorisation Infrastructures (INFN-AAI) and in the training sector with particular reference to e-learning methods. She deals with privacy issues and is one of the members of the INFN DPO team.
Read more on the GÉANT Cyber Security Month 2020: https://connect.geant.org/csm2020