Social Engineering: Part One: We Don't Expect to be Lied to
By: Rafe Pilling
"In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook."
Matt Honan's recent article "How Apple and Amazon Security Flaws Led to my Epic Hacking" sums up the disastrous impact of social engineering. Social engineering, at its core, is the exploitation of trust relationships at the human level.
In Matt Honan's case, a simple phone call allowed an adversary to gain access to a "trusted" system. That was the first step in a chain of abused trust relationships that ultimately gave the attackers access to the networks, systems and applications they were targeting.
This type of activity is happening every day, not just against individuals such as Matt Honan, but against employees and the companies they work for.
Doing whatever it takes
Social engineers 'engineer' their way to their objective. They lie. They manipulate. They play on feigned relationships and ties to establish trust with your employees. They play on expectations for how employees behave in their routine work day. They use clever and seemingly innocuous enticements that get your employees to click on malicious content. They say whatever it takes to convince your employees that they need to help them.
They use creativity to their advantage. In most respects, the more creative they are, the more likely their efforts will prove fruitful. A modern social engineer deploys tactics such as phishing, spear phishing and deceptive telephone calls to gain information and network access from you. They exploit customer support to glean information. They use technology such as malware-laden USB sticks placed in locations frequented by employees. They gather open source intelligence via social networks, identify employee interests and relationships, and use an employee's personal and professional information to further their efforts.
Technology only goes so far
The majority of investment to prevent hackers from gaining access to offices, networks and systems is in technology. Of course, technology can help to identify and block an incoming piece of malware as well as malicious outbound activity. Unfortunately, technology doesn't do a good job of protecting networks when the "intruder" has obtained valid network credentials through social engineering, because the attacker's activity then looks like that of a legitimate user. Because most employees are ill-trained to identify an instance of social engineering, cybercriminals are increasingly attacking this weak layer of the security model to get an initial foothold into a network.
Social engineering exploits our best cultural norms
The fact is that cultural norms in the workplace work to the social engineer's advantage.
Most employees just don't expect to encounter a bad actor in their day-to-day dealings, let alone a nefarious social engineer who is highly resourceful and persuasive. In our experience, if someone asks an employee for assistance, the employee is willing to give it. People like to be helpful. Indeed, employees are often reviewed and rewarded for it. Employees, especially customer support employees, are trained to be exceptional at helping customers solve their challenges. They aren't trained to be suspicious of everyone who calls in to their support line or to be cautious in their actions. They aren't trained to recognize the potential harm in something as mundane as telling a caller which software they happen to run on their systems.
Social engineering is winning against today's security awareness training
Many organizations do have extensive security policies and practices in place, and likely provide their staff with some level of security awareness training. They may even reinforce messages with posters, screen-savers and other reminders.
And yet, in almost every social engineering assessment Dell SecureWorks conducts, our security consultants are successful in gaining sensitive information or accessing customer premises.
The reasons for this are many. The program may be too infrequent, or its reach may be limited across the organization. Or the focus is on training without any testing regimen to assess the effectiveness of the effort. Or employees simply aren't trained to believe that social engineering can happen to them.
So, what can you do to protect against social engineering? The solution to the problem of social engineering involves a combination of activities whereby security awareness training is just one component. Stay tuned for our next post, "Social Engineering: Solving for the Problem" where we share recommendations based on our experiences in this area.