SOCIAL ENGINEERING UNDER CYBER LAW SONAL PRIYA BY - SONAL PRIYA

SOCIAL ENGINEERING UNDER CYBER LAW SONAL PRIYA

AUTHORED BY - SONAL PRIYA

ABSTRACT

As the digital technology matures, cyber safety evolves and software vulnerabilities diminish, people however, as individuals, are  more  exposed  today  than  ever  before. Presently, one of the  most practiced  and  powerful  penetration  attacks  are  social  as a substitute  than  technical,  so  efficient  in  reality,  that those exploits play a vital position to aid the greatest majority of cyber assaults. Social Engineering is the  art  of  exploiting  the  human  flaws  to  achieve a  malicious  objective.  Inside the context of  information security, practitioners  breach defenses  to  get admission to sensitive  statistics  preying specifically  upon the  human tendency  closer to  consider.  Cyber  criminals  induce  their  victims  to  break  security  protocol  forfeiting confidential information propitious for a more targeted attack. Disastrously, in many cases, targets are manipulated  to  involuntarily  infect  and  sabotage  the  system  themselves. In the cyber world social engineering is a technique or art to manipulate any person to give up his/her personal information such as any access to a system, bank accounts or any other valuables. This article attempts to cover social engineering, various types of social engineering attacks, how these different attacks operate, which important part is played by social engineering attacks and laws governing the prevention of social engineering attacks.            

  KEY WORDS; Cyber Safety, Digital Technology, Social Engineering, Information Security, Software Vulnerabilities.

INTRODUCTION

 As the  digital  era thrives  and the on-line  universe  becomes  progressively  indistinguishable   from  real life,  cybercrime grows to become a part of everyone's daily lives.   As  civilization  evolves to  grow  increasingly  connected  through the  inevitable  ubiquity  of  technology, securing systems,  networks  and  data  on  which  we rely  on  has become  paramount. Cybercrime  is a major threat for economics, individual safety and even the public in general, as it is a primary medium for terrorism.  Social engineering has a different terminology in the cyber world and has no relation to doctrine of Social Engineering propounded by Roscoe Pound. In the cyber world social engineering is a technique or art to manipulate any person to give up his/her personal information such as any access to a system, bank accounts or any other valuables. This article attempts to cover various types of social engineering attacks, how these different attacks operate, which important part is played by social engineering attacks and laws governing the prevention of social engineering attacks. Engebretson  defines social  engineering as one of the simplest methods to gather information about a target through  the  process  of  exploiting  human  weakness  that  is inherit  to every  organization. In essence, social engineering refers to the design and application of deceitful techniques to deliberately manipulate  human  targets.  In  a cyber  security context,  it is  primarily  used to  induce victims  towards disclosing confidential data, or to perform actions that breach security protocols, unknowingly infecting systems  or  releasing  classified  information.    The  basis  of  a  social  engineering  attack  is  to  avoid cyber  security  systems  through  deceit,  exploiting  the  weakest  link,  the  people  involved.   Throughout the  interaction, victims  are unaware of  the  destructive nature  of  their actions.  The  social engineer exploits innocent instincts, not criminal. Explicit methods such as threats or bribery do not fall within the  scope of  social  engineering.  A talented  practitioner of  this  discipline understands  and perceives social interaction patterns to manipulate the psychological aspects of the human mind. With this  resolution,  the  attacker  is  capable  of  executing  an  efficient  and  cheap  security  compromise, without the  need to  invest  in breaking technical security measures. 

TYPES OF SOCIAL ENGINEERING;

Before understanding the types of social engineering attacks and their manner of operation, there are stages which are followed by every attacker irrespective of its type, that must be understood by all. This technique of social engineering basically exploits human errors by installing software in the computer which gives them access to other personal data and data. Under this technique manipulation is based on the user’s behavior, the attacker basically tries to understand the user’s action to successfully influence him with intent to deceive. This technique requires four steps .At the stage of preparation, the attacker gathers all the information of his target. Then, he works on creation of trust with the target through interaction and other means with intent to infiltrate his personal area. After creating trust and discovering the weakness, attackers start to exploit the victim to progress in his conduct. Once the target does an act intended by the attacker, the attacker disengages himself from the whole transaction. There are various types of social engineering attacks but these types are not limited to phishing, baiting, diversion theft, pretexting, quid pro quo, scareware, tailgating, water holing and 419/Nigerian Prince/advance fee scam. These types are explained below:

1. Phishing

It is one of the most common forms of attack. Under this type, an attacker can influence the user to share his personal data and pretend as if it is a trusted person or institution. These attacks generally take place through links or attachments of e-mail. There are various types of phishing such as:

1. Spam- Under this type, attacks are on large users and non-personalized in nature.

1. Spear or whaling - Under this type, attacks are very much personalized in nature and for targeted people only.

1. Angler - Under this type, attackers use customer service accounts on social media and imitate to be a trusted company. By intercepting the conversation of the user and the company, they manipulate users to divert their conversation to personal space attackers where they proceed with being deceived.

1.  BEC-  BEC is an abbreviation of business email compromise. The email is sent to an               employee from the attacker, who purports to be a senior of such an employee.

1.  Smishing- Smishing or SMS Phishing is conducted through text messages or mobile apps by sending compromised links to the user.

1.  URL Phishing-  The attacker sends compromised links through email, social media messages or online ads and influences people to access such websites.

1.  Search-engine Phishing- The attacker tries to put compromised links in the top results of search engines. These links may appear in the form of paid ads or may use other legitimate methods for manipulation.

1. Tab nabbing/reverse Tab nabbing- The attacker alters the unwatched browser tabs with compromised content. It is pertinent to mention that types of phishing are not limited to the types mentioned above. Scammers may use different methods of phishing through communications to deceive users for filling their pockets.

 2.    Baiting

 As the name suggests, the attacker basically uses one’s natural curiosity to explore more by   manipulating that person through free or exclusive offers. Generally a malware is sent by an attacker to the target user. One of the methods of baiting is the distribution of infected devices such as leaving USBs at public places, such as libraries or parking lots.  Another method is sending emails containing details of free content.

3. Diversion Theft

The attacker intercepts the offline deliveries of products and manipulates them to send it to erroneous recipients. The attacker manipulates the user to send his personal or confidential information or data to an erroneous recipient.

4. Pretexting

The attacker creates a fake identity and impersonates a legitimate entity or person. They create a whole background story of their condition or work and with their proactive efforts influence users till they satisfy them with their legitimacy.

5. Quid Pro Quo

It is a Latin term which means one thing for another thing. Attackers offer rewards in exchange for any information which you may give to him but are deceived at the end after giving information.

6. Scareware

It is a malware which is used by an attacker to scare users through alarming messages, pop-ups that say you have a virus in your computer or your account has been compromised. Thus, they push users to buy, or download free, cyber security software which compromises the personal details of the user.

7. Tailgating

The attacker influences an authorized person to give access to him in a restricted area. This is basically a physical security breach to gain access to a secure or restricted area.

8. Water Holding

The attackers try to find vulnerabilities in the website and use them for their benefits. Generally, users of popular websites are targeted for accessing information at mass.

9. 419/Nigerian Prince/Advance Fee Scam

As this scam originated in Nigeria and Section 419 of Nigerian Criminal Code penalizes this practice and this is the reason it is known as 419 or Nigerian Prince. Scammers manipulate users to share their bank details or pay an advance fee or amount to transfer money out of their country.

 A Recurrent Social Attack Example-  In 2015, astute cyber criminals used vicious social engineering tactics to ruthlessly attack and bypass two-factor  authentication  systems.  By  exploiting  the public  trust  in a  credible  entity,  one  attack was notably successful, the Gmail scam.  A  recurrent  social  attack  example  in  six  steps.  First  step,  an  attacker  extracts  the  target's  email address and phone number through research, often with ease. Second step, the threat actor initiates the  attack  by  sending  a  message  to  the  potential  victim  via  SMS,  equivalent  to:  "Google  has detected unusual activity on your account. Please respond with the code sent to your mobile device to stop  unauthorized  activity."  Third  step,  the  attacker, impersonating  the victim,  requests  a  legitimate password  reset  from Google.  Fourth  step, Google  sends  the  password reset  verification code  to  the actual  victim.  Fifth  step,  the  victim,  expecting  the  message  from  Google,  follows  the  previous instructions and forwards the code to the attacker. Sixth step, with the code, freely given by the victim, the  attacker  simply  resets  the  password  and  gains  complete  access  to  the  account.  After accomplishing  the  purpose of  the  attack,  simply  informs  the  victim  of  the  new  temporary  password, terminating contact without arousing any suspicions.

IMPORTANCE OF SOCIAL ENGINEERING

As evident from the various types of social engineering attacks and various other methods which are not covered above such as DNS spoofing, peer to peer network attacks etc., plays an important role for securing devices. Wherever there is a threat there is a need for security, thus, social engineering attacks indirectly promote a sense for security of devices. Precautions are also as important as security as precautions help you to spot these attacks and in order to spot these attacks at institutional and individual levels, one may follow the tips suggested below:

1. Creation of security awareness.
2. Cyber security software must be in use and updated regularly.
3. Must be able to identify social engineering attacks.
4. Use only trusted websites for software download.
5. Must not act hastily to share credentials.
6. Must check the background of websites before making any kind of transaction.
7. There should be effective training of all employees.

The above are some of the precautionary measures which must be adopted by persons to secure themselves from social engineering attacks. These attacks are a threat to the society by affecting the economic structure of its members. The only important part social engineering plays is that it creates a sense of security in the cyber world, otherwise it has only a negative part to play, as these attacks cannot be eliminated because of unpredicted innovations in the cyber world but they can surely be mitigated by being aware.

THROWING LIGHT UPON THE PROVISIONS UNDER THE INFORMATION TECHNOLOGY ACT, 2000

Social engineering is basically cheating which is defined under Section 415 of Indian Penal Code, 1860. So far as Information Technology Act, 2000 is concerned, Sections 65 to 66D are concerned with offences related to impersonation and cheating. Other sections such as Section 68, 69, 70, and 71 are concerned with non-compliance with government directions and notifications and Section 71 is concerned with misrepresentation and suppression of material facts for obtaining license, which in other terms stand for cheating and forgery because it is made with intent to deceive. Section 72 is concerned with data leaks whereas, Section 72A is concerned with all types of social engineering attacks because it penalises such person who without the consent of another person or violating lawful contract gained access to personal information with the intent of causing him wrongful loss or wrongful gain and Section 73 and 74 is concerned with forgery of electronic signature certificates. It is pertinent to mention that Section 75 of the Information Technology Act, 2000 is concerned with extra territorial operation of the Act because it says any computer, computer system or computer network source is located in India and is used for offences outside India then such person, irrespective of its nationality, shall be liable under IT Act, 2000 for contravention of its provision. This simply means if any person hacks a computer source and uses it for wrongful gains or wrongful loss to any person then such person shall be liable in India. In the same paraphernalia, Section 4 of IPC also mandates extra territorial operation of IPC and specifically covers any act of a person, who is outside India, targets any computer resource in India. This aspect also covers social engineering attacks. Provisions under IPC such as Section 417 to Section 420 for cheating and Section 465 to Section 477A for forgery and provisions under IT Act have different penalties for different offences with minimum penalty of three months and maximum penalty of life imprisonment under various sections of both the laws.

STEPS TAKEN BY CENTRAL GOVERNMENT FOR AWARENESS OF CYBER SECURITY

There are some of the steps taken by the Central Government for prevention and mitigation of cyber security incidents. They are as follows:

1. Establishment of National Critical Information Infrastructure Protection Centre (NCIIPC) for protection of critical information infrastructure in the country under Section 70A of Information Technology Act.
2. Cyber security incidents must be mandatorily reported to CERT-In by all organizations providing digital services in an expeditious manner. CERT-In is established under Information Technology (The Indian Computer Emergency Response Team and Manner of performing Functions and Duties) Rules, 2014 made under Section 87 and 70B of the Information Technology Act, 2000.
3. Cyber Swachhta Kendra (Botnet Cleaning and Malware Analysis Centre) has been launched for providing detection of malicious programmes and free tools to remove such programmes.
4. Issue of alerts and advisories regarding cyber threats and counter-measures by CERT-In.
5. Issue of guidelines for Chief Information Security Officers (CISOs) regarding their key roles and responsibilities for securing applications / infrastructure and compliance.

CONCLUSION

As from the article we get to know that as the Information  Age  is  maturing,  complemented  by  an  extremely  increased  usage  of  the  Internet; humanity evolves rapidly as the growth of public accessible knowledge has been greatly nurtured and facilitated. Consequently, an unmistakable dependence on the World Wide Web has been established in civilization. The digital realm,  as  a  propitious  infrastructure  for a  grand  variety of  criminal offenses, has  grown  with  the  society  needs  to  become  an  increasingly  protected  environment.

Social engineering attacks have only one important part to play for society i.e. creation of a sense of security through threats and irrespective of the type of social engineering attacks penal provision under IT Act squarely covers all of them because of the inclusive nature of provision. But, most of the penal provisions of IT Act co-relate with provisions of IPC in their own area of operation. Although all these provisions under IT Act and IPC cannot be said to be preventive in nature as they only operate after attempt or commission. Thus, the government had taken various steps and initiatives to mitigate the threats to cyber security. One thing is clear from the perusal of cyber laws and initiatives taken by the government towards cyber security is that all the efforts of the government are directed to mitigate the threat and not to eliminate them because they understand the dynamic nature of the world of cyberspace and new threats may arise any moment. As  such, facts  point  to the conclusion  that in the  foreseeable  future, social engineering will be  the most  predominant attack vector  within cyber security, and thus deserve to be studied further as it evolves in order  to  advise good practices and measures for individuals and organizations.