Is Social Engineering the easy way in?
Originally published for BCS: http://www.bcs.org/content/conWebDoc/56216
Social engineering techniques have been used by con artists for centuries to trick people into doing things that they wouldn’t normally do. With the advancement of technology, social engineering has also evolved into new forms where the internet makes it easier for cyber criminals to trick employees into unintentionally breaching security procedures.
It combines technology, psychology and art to manipulate people with simple tricks to gain access to information systems. Methods can be very simple, yet they are clever enough to convince people to reveal confidential data that can be used to cause a lot of harm to organisations and individuals.
There are no limits to the techniques as long are there is imagination and creativity to make use of different situations. For a clever and adaptable social engineer, any security challenge is just a matter of time to overcome. The impact can be loss of privacy, reputation, finance and lawsuits. Sometimes these attacks are carried out just like in the movies, if you have seen movies such as ‘The Italian Job’ or ‘Catch Me If You Can’ you get the idea of social engineering and what it could do to businesses and individuals.
There are several phases that an attacker will go through to perform a social engineering attack: The research stage, where the attacker gathers enough information about the target organisation. Choosing a victim - identifying someone easy to lure. Initiating a relationship - disgruntled employees are an easy target as they have less loyalty to an organisation. Finally, exploiting the relationship that the attacker has been developing at the right time.
The most common social engineering targets of an organisation are;
Reception and help desk staff - attackers first establish trust with them and later trick them into revealing the information they are after
Technical support staff - attackers will call them pretending to be someone from higher management, client, staff or vendors and intimidate or trick them into password resets or obtaining other sensitive information
System administrators - attackers will target system administrators to gain critical systems information data on IT systems
Staff and clients - attackers can call these groups pretending to be IT support staff, tricking them into giving out sensitive information.
There are three types of social engineering attacks detailed below, with a fair amount of overlap between them. They are face-to-face attacks, phone-based attacks and computer-based attacks.
This type of attack needs human interaction to gather information. They can be silent or indirect and don’t have to start with a direct conversation. Mainly done by impersonation, a typical example would be: a person walks into your business’s lobby posing as someone who is associated with the business, following an employee in through the doors. They steal valuable documents, setting up access points to sniff data through the network, gain access to the server room or leave a few malware infected USB sticks lying around the office, hoping for an employee to pick one up and plug into their computer.
These methods are defined as:
Eavesdropping - listening in to unauthorised communication channels;
Shoulder surfing - direct observation or sometimes using vision enhancing devices to see sensitive information
Tailgating - following employees through secured doors and using fake IDs to pass security
Piggybacking - is similar to tailgating but an attacker would say they forgot their ID and rely on an authorised person to let them through
Dumpster diving - scanning through organisational/personal trash bins to collect sensitive information
Reverse social engineering - attacker poses as an authority figure where the target then seeks their advice by sharing sensitive information.
When social engineering is done primarily with telephones and mobile applications, attackers commonly target IT staff to reset passwords or call an employee pretending to be someone from higher management asking for a few documents to be sent to a different email they provide.
A recent attack that targeted a large bank was a simple social engineering attack. They identified users by getting employee names from social media and company websites. Then the attacker called employees claiming to be from IT support, told the users that they are looking into users with insecure passwords and convinced some users to reveal their passwords.
Mobile application based attacks are where attackers carry out social engineering with the help of mobile apps. They create apps with features attractive to their target audience and when users download them, attackers gain access to the personal data in the mobile device and progress more elaborate attacks using this new data. Some of these data breaches can be avoided by simply being cautious about what apps you download and checking the permissions they require.
Carried out primarily with computers, these come in many forms such as viruses, Trojans and spyware. There are different types of social engineering attacks:
Infected emails - that collect sensitive information;
Instant chat messages - chatting online to people to gain personal data;
Pop-up windows - that request users to enter login or other sensitive information;
Hoax letters - that send false warnings about computer viruses.
The most common attacks on organisations are phishing and spear phishing attacks. An email phishing attack is a harmful file or a link emailed to users claiming to be from a legitimate organisation. It will then run a script to extract information or redirect the receiver’s browser to a fake site that looks identical to the real one to steal user credentials when users try to interact.
Spear phishing is more personal and specifically targets certain individuals or groups in an organisation. An attacker sends the email claiming to be a trusted authority figure requesting sensitive information such as trade secrets, financial gain or military information.
Is social engineering the easy way in?
Yes, to some extent it could be classed as the easy way into an organisation compared to using other hacking techniques. These hackers don’t require a lot of technical knowledge to begin with and all they need is to figure out a baiting scenario; where they present something that will interest their targets and wait for them to take the bait.
In most cases humans are the weakest link in a security chain as organisations spend much more money on security systems than on educating and training their users to recognise a social engineering attack. For a good social engineer it is easier to exploit a weakness in a human than a computer system. This proves that fancy technology and security fences aren’t always enough to keep an organisation secure when there aren’t any defence mechanisms in place that protect you from social engineering attacks.
What can you do?
Constant vigilance and having the right knowledge to be able to recognise such attacks can help to lessen the chances of an attacker being successful. This requires organisations to take the responsibility to constantly assess and educate staff, clients and anyone associated with their business so they know how to identify sensitive information, threats associated with them and be safe.
Educating staff on how to follow simple security steps such as to be wary of clicking on emails from unknown people, to be mindful with whom and where they talk about their work, to pay attention to the website’s URL you visit and if your browser is complaining about a site, check why before clicking continue, to run regular scans on their computers for viruses, to keep anti-virus software up-to-date and to regularly patch their operating system could make a big difference.
Creating a culture where employees are regularly informed about cybercrime via emails, newsletters, screensavers and other announcements is a very effective way to always keep your employees on alert for cybercrime so they learn how to not be the weakest link of your security chain.