Social Engineering 101
That firewall or antivirus won’t mean much if your users are tricked into clicking on a malicious link they think came from a Facebook friend or LinkedIn connection. Here’s what you need to know to protect your organisation and your users.
Social engineering is essentially the art of gaining access to buildings, systems or data by exploiting human psychology and behaviour, rather than by breaking in or using technical hacking techniques. For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password.
Even if you’ve got all the technical bells and whistles securing your data center, your cloud deployments and your building’s physical security; even if you’ve invested in defensive technologies, have the right security policies and processes in place, measure their effectiveness and continuously improve them, a crafty social engineer can still weasel his way right through (or around) all of it and hack your organisation.
Here are answers to some frequently asked questions about social engineering, including the common tactics that social engineers use, and tips for ensuring your staff are on guard.
What is social engineering?
Social engineers take advantage of human behaviour to pull off a scam. If they want to gain entry to a building, they don’t worry about a badge system. They’ll just walk right in and confidently ask someone to help them get inside. And that firewall? It won’t mean much if your users are tricked into clicking on a malicious link they think came from a Facebook friend or LinkedIn connection.
How is my company at risk?
Social engineering has proven to be a very successful way for a criminal to “get inside” your organisation. Once a social engineer has a trusted employee’s password, he can simply log in and snoop around for sensitive data. With an access card or door code that gets him physically inside a facility, the criminal can access data, steal assets or even harm people.
People inherently want to trust other people, and that is what a successful social engineering attack comes down to: an attack aimed at people rather than at systems. If someone sends a co-worker an e-mail that says it’s from another co-worker, most people are going to look at that and want to trust it, especially if it relates to something real and specific. As long as it says it’s from somebody who appears to be a trusted co-worker or friend, most people will open it. And most people will actually click on whatever is in the body of the e-mail too.
That’s with e-mail, but why do these attacks work just as well over the phone or in person, such as when someone poses as a co-worker or uses another pretext? People don’t want to appear skeptical of another person’s actions. Most people want to be kind and courteous and are trained to be compliant, especially in a work environment. Suppose I call up as an angry executive and say, “I want to know why this wasn’t taken care of a week ago. What the hell is wrong with you guys? This routing number and account number were supposed to be changed, and nobody’s taken care of it. I need you to take care of this right now!” When you add a sense of urgency like that, people are all over it.
What are some examples of what social engineers say or do?
Criminals will often take weeks and months getting to know a place before even coming in the door or making a phone call. Their preparation might include finding a company phone list or org chart and researching employees on social networking sites like LinkedIn or Facebook.
On the phone:
A social engineer might call and pretend to be a fellow employee or a trusted outside authority (such as law enforcement or an auditor). The criminal tries to make the person feel comfortable with familiarity. They might learn the corporate lingo so the person on the other end thinks they are an insider. Another successful technique involves recording the “hold” music a company uses when callers are left waiting on the phone.
In the office:
“Can you hold the door for me? I don’t have my key/access card on me.” How often have you heard that in your building? While the person asking may not seem suspicious, this is a very common tactic used by social engineers.
Another tactic is to wait outside near the smoking area where employees go for breaks. Assuming the stranger is simply a fellow office smoker, real employees let him in the back door without question. A cigarette is a social engineer’s best friend.
This kind of thing goes on all the time. The tactic is also known as tailgating. Many people just don’t ask others to prove they have permission to be there. But even in places where badges or other proof is required to roam the halls, fakery is easy.
Some use high-end photography and printing to produce badges that make them look like they belong in that environment. What is scary is that they often don’t even get checked.
Social networking sites have made social engineering attacks easier to conduct.
Back in the old days, before Facebook and Twitter, if you wanted to find information on a company, you weren’t going to find a lot on the internet. It was about casing out a place for a couple of weeks, watching what happened there, going through the dumpsters, and all of the other old-school hacker tactics.
But today social engineers and attackers have tools for this: they can go to sites like LinkedIn, find all of the users who work at a company and gather plenty of detailed information that can be used to further an attack. It is now a matter of minutes to put together a good social engineering exercise, versus days and weeks in the past. And when they send out a hundred spear phishing e-mails based on the gathered information, it’s almost a guarantee that they are going to get a good hit rate.
When it comes to online scams, social engineers leverage both fear and curiosity, such as sending phishing e-mails asking whether the target has seen videos of themselves, tech support scams claiming that the target’s computer has been breached, or giveaway scams offering free tickets or prizes. These scams are very hard for many people to ignore if they aren’t on guard.
Social engineers also take advantage of breaking news events, holidays, pop culture, and other devices to lure victims. Scammers often use fake charities to further their criminal goals around holiday times.
Attackers will also customise phishing attacks around known interests, such as artists, actors, music, politics or philanthropy, to entice users to click on malware-laced attachments. Such tactics are also used on social networks. Maybe the attacker creates a fake Facebook app designed to harvest information. It could be designed to attract a user based on the things they have already expressed an interest in, and from there the attacker harvests their contacts and other information. The attacker can then start building out a map of exactly who the user is connected to, and whether any of those connections would be another juicy target.
How can I educate my employees to prevent social engineering?
Awareness and, subsequently, behavioural change is the number one defensive measure. Employees should be aware that social engineering exists, be familiar with the most commonly used tactics, and then be helped to change their behaviour. For elements of an effective security awareness program, see https://layer8security.com.au/security-awarness-program/ .
Fortunately, social engineering awareness lends itself to storytelling. And stories are much easier to understand and much more interesting than explanations of technical flaws. Quizzes and attention-grabbing or humorous posters are also effective reminders about not assuming everyone is who they say they are.
In my educational sessions, I tell people you always need to be slightly paranoid and anal because you never really know what a person wants out of you. The targeting of employees “starts with the receptionist, the guard at the gate who is watching a parking lot. That’s why training has to get to the staff.”
Social engineering tricks are always evolving and awareness training has to be kept fresh and up to date. For example, as social networking sites grow and evolve, so do the scams social engineers try to use there.
But it isn’t just the average employee who needs to be aware of social engineering. Senior leadership and executives are primary enterprise targets.
What are the best ways to defend against social engineering?
Train and train again when it comes to security awareness. Ensure that you have a comprehensive security awareness training program in place that is regularly updated to address both the general phishing threats and the new targeted cyberthreats. Remember, this is not just about clicking on links.
Provide a detailed briefing “roadshow” on whaling and the latest online fraud techniques to key staff. Yes, include senior executives, but don’t forget anyone who has authority to make wire transfers or other financial transactions. Remember that many of the true stories involving fraud occur with lower-level staff who get fooled into believing an executive is asking them to conduct an urgent action — usually bypassing normal procedures and/or controls.
Review existing processes, procedures and separation of duties for financial transfers and other important transactions, such as sending sensitive data in bulk to outside entities. Add extra controls if needed. Remember that separation of duties and other protections may at some point be compromised by insider threats, so existing risk reviews may need to be reanalysed in light of the increased threat.
Consider new policies related to “out of band” transactions or urgent executive requests. An email from the CEO’s Gmail account should automatically raise a red flag to staff, but they need to understand the latest techniques being deployed by the dark side. You need authorised emergency procedures that are well-understood by all.
Review, refine and test your incident management and phish reporting systems. Run a tabletop exercise with management and with key personnel on a regular basis. Test controls and reverse-engineer potential areas of vulnerability.
Also, nearly all of the experts interviewed agreed that training staff to question interactions when the situation doesn’t feel right, and supporting them when they do, will go far in lowering social engineering risk. Train your staff that it’s okay to say no. We have traditionally taught employees that the customer is always right and that we want the customer experience to be smooth. Attackers use this to their advantage.
Your staff need to know that if a conversation is making them get an uncomfortable feeling, or something feels off, that it’s totally fine to terminate the interaction, or refer it to a manager. It’s very important to back this up — if an employee annoys a customer over what they perceive as potential security issues, they need to know that you will have their backs.
You have to give your employees the freedom to say ‘no’ if they feel something isn’t quite right in a situation.
Are there any tools to help make this process more effective?
A number of vendors offer tools or services to help conduct social engineering exercises, and/or to build employee awareness via means such as posters and newsletters.
Currently, the best defence against social engineering attacks is user education combined with layers of technological defences that detect and respond to attacks. No one expects an effective dedicated technical defence against social engineering to arise any time soon. Technical defences will definitely help reduce the occurrence of social engineering attacks: detection of key words in e-mails or phone calls can be used to weed out potential attacks, but even those technologies will probably be ineffective in stopping skilled social engineers. Also realise that a lot of attacks take place outside of the workplace — striking up a conversation at a bar is an extremely effective way of getting information out of a target; this is where training and awareness can help.
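As an added illustration of the key-word detection idea above (example code written for this article, not a product or the article’s own tooling), the following Python scores constructed e-mails for the patterns described earlier: an executive’s name on a sender outside the company domain, urgency language, a request to change payment details, and a request to bypass normal process. The company domain, executive names and sample messages are assumed placeholder values.

```python
import re
from email.utils import parseaddr

# Constructed placeholder values for this example: the organisation's own
# mail domain and the staff whose names an impostor might borrow.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john smith"}

# Phrase lists are deliberately small; real deployments tune them from
# reported phish, and they remain a triage aid rather than a verdict.
URGENCY = re.compile(r"\b(right now|immediately|urgent(?:ly)?|asap|today|within the hour)\b", re.I)
FINANCE = re.compile(r"\b(routing number|account number|wire transfer|bank details|invoice|payment)\b", re.I)
BYPASS = re.compile(r"\b(don'?t (?:tell|involve|cc)|keep this (?:quiet|confidential)|skip the (?:usual|normal))\b", re.I)


def score_message(from_header, subject, body):
    """Return (score, reasons) for one message; higher means more BEC-like."""
    reasons = []
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # An executive's display name arriving from outside the company domain
    # (the "CEO's Gmail account" case) is the strongest single signal.
    if name.strip().lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        reasons.append(f"display name '{name}' used from external domain '{domain}'")
    text = f"{subject}\n{body}"
    if URGENCY.search(text):
        reasons.append("urgency language")
    if FINANCE.search(text):
        reasons.append("payment or banking detail request")
    if BYPASS.search(text):
        reasons.append("asks to bypass the normal process")
    return len(reasons), reasons


def is_suspicious(from_header, subject, body, threshold=2):
    """Flag for human review once enough independent signals coincide."""
    return score_message(from_header, subject, body)[0] >= threshold


# Constructed sample messages: one impostor request, one benign note, and one
# legitimate internal request that shows how noisy pure key-word rules are.
SAMPLES = [
    ("Jane Doe <jane.doe.ceo@gmail.com>", "Urgent",
     "The routing number and account number were supposed to be changed a week ago. "
     "Take care of this right now and don't involve finance."),
    ("Jane Doe <jane.doe@example.com>", "Team lunch", "Friday at noon, see you there."),
    ("Bob Lee <bob.lee@example.com>", "Invoice 4471", "Please process the attached invoice today."),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(is_suspicious(*sample), score_message(*sample))
```

The third sample trips two key-word rules despite being legitimate, which is the weakness the paragraph above points at: such filters sort mail for review, they do not replace a staff member who checks an out-of-band request by phone.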
To date, the best defence is to continuously arm your staff with the best and most current knowledge available, examine how their attitudes may be making them complacent or indifferent to potential risks, understand your culture and see whether you can move it from a fear culture to a rewards culture, and ultimately change your staff’s behaviour towards these threats.