In the domain of information security, the expression “social engineering” usually groups together all those cases of artifice and deception aimed at manipulating the human predisposition to trust. In fact, contrary to what might appear at first sight, human beings are inclined to approach whatever the context proposes with trust and openness. The illicit exploitation (threat) of this natural human attitude (vulnerability), also known as “phishing”, aims to steal confidential information (for example, access credentials) directly from the source, i.e. from the very people who are authorized to hold it and keep it confidential.
Social engineering is the sixth and final type of data breach case addressed in the EDPB Guidelines 01/2021.
We will summarize:
- the salient features of each incident
- the repercussions in terms of risks produced
- the actions required
- the mitigation and correction measures that can be envisaged.
6. Social engineering
It is said that information security, in essence, is about knowing who and what you can trust. For example, you need well-founded assurance that the person you are interacting with actually is who they claim to be. This basic rule also serves to distinguish correct information from false information (fake news), or to tell reliable sources (such as websites) from dubious ones. The problem is not only relevant from a security point of view; as the Trust Me organization effectively puts it: “When our fear goes up, our trust goes down. When people don’t trust each other, they don’t help each other and progress stalls.”
Social engineering targets the human factor, which is often the weak link in the security chain: even the most adequate protection system can be put out of action by the behaviour of a person who, misled into error, disables the defences that were put in place and leaves the field open to the attackers. It is, in other words, the technological re-enactment of the epic of the “Trojan horse”.
Social Engineering Breaches
Social engineering is therefore an instrumental method for committing violations of various kinds.
Incidents deriving from social engineering always result in a confidentiality breach, because the personal data held in the archives that the deceived user is authorized to access become accessible to unauthorized third parties. But these same incidents can also be a harbinger of further breaches: of integrity, if the attacker alters the data, and/or of availability if the data, as in the case of a subsequent ransomware attack, can no longer be used by the controller.