February 26, 2021
Social Engineering Attacks and Privilege Escalation
by Gabrielle Geruntho -- Department of Criminal Justice, DeSales University
Current Problem
One of the most frequently used attacks conducted by cybercriminals is termed phishing. This technique is a type of Internet-based fraud that uses emails appearing to come from banks, businesses, and other organizations to scam individuals into revealing personal information, such as login details (Merriam-Webster, n.d.). A similar method used by cybercriminals is called vishing. According to the Federal Bureau of Investigation (FBI) (2021), this method uses Internet-based phone calls to gain access to user credentials. These attacks are a concern worldwide because they can successfully exploit both technological and social vulnerabilities (Butler & Butler, 2018). Since the COVID-19 pandemic hit, these types of attacks have significantly increased and are specifically aimed at employees of financial institutions, webmail-based organizations, and payment providers (Anti-Phishing Working Group, 2020).
Point of Vulnerability
Customers and employees are a point of vulnerability for all organizations; the human element can be the gateway to large-scale cyber-attacks. Through these social engineering methods or manipulations, individuals can be exploited into providing their login information without realizing they are being tricked. The reason these users may be at a disadvantage is that they may be unaware that they are interacting with a cyber-criminal, whether that be through phishing emails, fraudulent websites, or other methods. In order to decrease the number of entry points for the attacker, it is key that awareness education be provided to users to fortify the organizations' systems (Butler & Butler, 2018). Should the attacker gain entry into the system, multiple complications can arise.
Privilege Escalations
The fear with these types of attacks (phishing and vishing) is that they increase the likelihood that bad actors can gain access to confidential information. Once the login information has been collected, these cybercriminals can upgrade accounts to cause harm to the network's security; the method used to exploit the user credentials is called privilege escalation. These actions are specifically used against employees whose account privileges are edited or increased to give them administrative rights. From there the criminals can modify, create, and delete information; change security settings; and utilize their unauthorized access on different systems and files that were previously secure. Oftentimes, the criminals will use this opportunity to create backdoors so that they can continue to reenter a company's network. It is also possible that attacks on secondary companies can cause vulnerabilities for larger parent companies (Yayla & Lei, 2018). These types of attacks can cause harm to daily functioning and bring about financial setbacks (Allen, n.d.).
Anti-Phishing Resources
According to Cosic and Boan (as cited in Alotaibi et al., 2019), a security policy is a set of guidelines used to safeguard technological information from cyberattacks; this is accomplished by detailing the steps needed to protect user accounts. As a measure to fight against social engineering, it is recommended that institutions update their security policies and increase their users' online awareness and security education (Butler & Butler, 2018; Yayla & Lei, 2018; Jansen & Van Schaik, 2018). As it stands, having a security policy in place is key to the foundational structure of a company's online safety. Through a concerted effort of the company and the users, it is possible to create a more protected network environment. However, just having these policies in place is not enough to guarantee that users will abide by them. Employees and customers alike may unintentionally violate these guidelines due to a lack of knowledge that these policies exist (Alotaibi et al., 2019). All merchants and organizations should be concerned about the quality of their anti-phishing resources and security policies, because inadequate ones carry negative consequences.
In a research survey conducted by Butler and Butler (2018), they found that consumers most often turn to their financial institutions for information related to anti-phishing content. They found that consumers frequently would review the financial institution's website to find educational content to aid them in their anti-phishing efforts. As mentioned previously, phishing attacks most frequently target financial institutions, and this occurs because of the monetary transactions (Butler & Butler, 2018). When the consumers turned to these institutions for assistance, they found that, at times, there were inadequate resources available. The researchers determined that the worst-performing anti-phishing-related content was content that was outdated and did not effectively complete the job of educating users (Butler & Butler, 2018). The consequences of inadequate resources can include financial setbacks, dissatisfaction from the victims, and a blow to the company's reputation (Butler & Butler, 2018).
Safeguarding Users
To increase the integrity of an organization's network, it is recommended that active steps be taken to increase the awareness of phishing attacks for all users. According to Butler and Butler (2018), multiple studies have confirmed that instructional information improves the end-users' ability to detect phishing-related content. By being more aware of these threats, they can more effectively defend themselves, which in turn improves the organization's security. Other methods that can help fortify a network include: reducing the privileges of certain users and resources, implementing strong password policies, and actively scanning for unauthorized network access (Alotaibi et al., 2019; FBI, 2021). Another suggestion could include penetration testing of the current systems and users to determine where the liabilities lie.
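The privilege escalation pattern described above (a compromised account being edited to gain administrative rights) and the recommendation to actively scan for unauthorized access can be turned into a concrete detection check. The following is an added example, not from the essay or any cited source; the log format, group names, change tickets and source addresses are all constructed for illustration.

```python
"""Detect suspicious administrative-rights grants in a constructed audit log.
Alerts fire when an admin-group grant has no approved change ticket, or when it
follows a login from a source address the account has never used before (the
pattern expected when stolen credentials are used to escalate privileges)."""
import re
from datetime import datetime, timedelta

# Constructed sample events, not from any real system.
SAMPLE_LOG = """\
2021-02-20T09:00:10Z action=login user=jdoe src=10.1.4.22 ok=1
2021-02-20T09:05:41Z action=group_add user=jdoe group=Administrators by=jdoe ticket=-
2021-02-20T10:15:00Z action=login user=msmith src=10.1.4.30 ok=1
2021-02-20T10:30:00Z action=group_add user=msmith group=Administrators by=it-admin ticket=CHG-1042
2021-02-20T23:40:02Z action=login user=kng src=203.0.113.77 ok=1
2021-02-20T23:43:15Z action=group_add user=kng group="Domain Admins" by=kng ticket=-
"""
ADMIN_GROUPS = {"Administrators", "Domain Admins"}
APPROVED_TICKETS = {"CHG-1042"}  # constructed change-management approvals
KNOWN_SOURCES = {"jdoe": {"10.1.4.22"}, "msmith": {"10.1.4.30"}, "kng": {"10.1.4.40"}}
WINDOW = timedelta(minutes=15)  # how soon after a login a grant looks credential-driven
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Turn one 'timestamp key=value ...' line into a dict; quoted values allowed."""
    ts, _, rest = line.partition(" ")
    event = {k: v.strip('"') for k, v in FIELD.findall(rest)}
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def detect(log_text):
    """Return (user, reason) alerts for admin grants that need review."""
    last_login = {}  # user -> (time, source) of the most recent successful login
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse(line)
        if ev["action"] == "login" and ev.get("ok") == "1":
            last_login[ev["user"]] = (ev["ts"], ev["src"])
        elif ev["action"] == "group_add" and ev["group"] in ADMIN_GROUPS:
            user = ev["user"]
            if ev.get("ticket", "-") not in APPROVED_TICKETS:
                alerts.append((user, "admin grant without approved change ticket"))
            login = last_login.get(user)
            if login and ev["ts"] - login[0] <= WINDOW \
                    and login[1] not in KNOWN_SOURCES.get(user, set()):
                alerts.append((user, f"admin grant soon after login from new source {login[1]}"))
    return alerts

if __name__ == "__main__":
    for user, reason in detect(SAMPLE_LOG):
        print(f"ALERT {user}: {reason}")
```

On the sample, the approved grant to msmith passes, while the self-granted elevations of jdoe and kng are flagged, kng twice because the grant also follows a login from an address the account had never used.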
It should be noted that in a study conducted by Jansen and Van Schaik (2018), it was found that the effects of security policy education decrease over time. Further research is needed to determine the exact effects of security policy information after six months have elapsed. This type of research can determine the type and frequency of training needed to keep users alert against social engineering attacks.
References
Allen, J. (n.d.). Privilege escalation attacks: Types, examples, and prevention. Purplesec. https://purplesec.us/privilege-escalation-attacks/
Alotaibi, M. J., Furnell, S., Clarke, N. (2019). A framework for reporting and dealing with end-user security policy compliance. Information and Computer Security, 27(1), 2-25. https://doi.org/10.1108/ICS-12-2017-0097
Anti-Phishing Working Group. (2020). Phishing activity trends report, 4th quarter 2020. https://docs.apwg.org/reports/apwg_trends_report_q4_2020.pdf
Butler, R., Butler, M. (2018). Assessing the information quality of phishing-related content on financial institutions' websites. Information and Computer Security, 26(5), 514-532. https://doi.org/10.1108/ICS-09-2017-0067
Federal Bureau of Investigation. (2021, January 14). Cyber criminals exploit network access and privilege escalation. Industry Alerts 2021. https://www.ic3.gov/Media/News/2021/210115.pdf
Jansen, J., Van Schaik, P. (2018). Persuading end users to act cautiously online: A fear appeals study on phishing. Information and Computer Security, 26(2), 264-276. https://doi.org/10.1108/ICS-03-2018-0038
Merriam-Webster. (n.d.). Phishing. In Merriam-Webster.com dictionary. Retrieved February 17, 2021, from https://www.merriam-webster.com/dictionary/phishing
Yayla, A., Lei, Y. (2018). Information security policies and value conflict in multinational companies. Information and Computer Security, 26(2), 230-245. https://doi.org/10.1108/ICS-08-2017-0061