Social Engineering Symposium Explores How Criminals Hack People
KENNESAW, Ga. (Oct 10, 2019) — With criminals becoming experts at exploiting an organization’s most vulnerable asset – its people – cybersecurity professionals must develop a better understanding of the human side of information technology to combat the threat.
Perpetrators are increasingly relying on social engineering in their schemes, which is the ability to manipulate people into unwittingly sending money or providing access to sensitive information.
The Michael J. Coles College of Business this week hosted the Symposium on Social Engineering. Organized by the Department of Information Systems in partnership with the EC-Council – the world’s largest cybersecurity technical certification body – the event introduced current and future cybersecurity professionals to the threat social engineering poses to businesses and individuals.
Speakers included cybersecurity experts Jenny Radcliffe and Joe Gray. Radcliffe is the founder and social engineering director of Human Factor Security, and host of the award-winning The Human Factor Podcast. Gray formerly served as a submarine navigation electronics technician for the U.S. Navy before founding an information security blog and podcast called Advanced Persistent Security.
Both presenters discussed different social engineering strategies criminals use, including (but not limited to):
- In-person attempts: directly trying to convince someone to disclose sensitive information or grant access to a restricted area,
- Baiting: distributing physical devices infected with malicious code that victims plug into their computers,
- Phishing: sending legitimate-looking emails to a user and asking for passwords or
- Vishing and SMishing: like phishing, but done over the telephone or text message,
- Business email compromise: impersonating a company executive via email and asking employees to provide information or make bogus payments.
Social engineering is an expensive problem. According to the Federal Bureau of Investigation, business email compromise alone accounted for $12.5 billion in losses globally in 2018.
What makes social engineering attacks so successful is that they rely on human error, rather than technological deficiencies.
“Technology typically doesn’t fail,” Gray said, “people do. I see social engineering...as the biggest information security threat facing personal and business computer networks.”
His presentation addressed how perpetrators take advantage of publicly available information to improve their chances for success, and how security professionals can learn from phishing attempts to better protect their company’s employees from falling victim.
Radcliffe, who developed her persuasion skills working in the logistics and supply chain industries, has been helping organizations become more aware of social engineering attacks for the past 10 years.
“Social engineering targets our human characteristics,” she said. “Our fears, our desires, and our cognitive processes. We are all at risk and need to be aware of the threat and the forms it may take in order to protect ourselves.”
Information Security and Assurance lecturer Andy Green was the chief organizer of the symposium. His goal was to remind students and young professionals that cybersecurity is about more than implementing technical controls.
“Right now there is a lot of focus on building technical controls and policies,” he said. “But, if an adversary can convince the victim to do something, then every one of those controls and policies gets defeated.”
With many attendees being students in Kennesaw State’s various cybersecurity-related degree programs – including ISA, information systems, and the online degree in cybersecurity – the presenters offered advice about starting a cybersecurity career.
“Don’t discount other disciplines,” said Gray, referring to the important roles that psychology and sociology play in defense against social engineering. “Also, find a passion and follow it.”
Radcliffe echoed his sentiments, recommending that students learn about how humans think in addition to how computer networks function.
“Learn as much about the humans as the tech,” she said. “Understand that a career in cybersecurity should always be about protecting people and, to do that effectively, we must understand them. Show me a technical whiz kid who has people skills, and I’ll show you a future CEO.”