If someone asked you about the weakest element in your computer security, what would you tell them? I imagine many folks might say something like their firewall, password strength, or something to do with encryption.
In most cases that answer is wrong: if you have taken the time to run a firewall, enforce strict password rules, and encrypt sensitive information, those controls are probably in reasonable shape.
In reality, the weakest link is probably you.
These days, attackers seldom need to target computers directly. Why put in all the effort to crack a protected system when you can make a phone call, have a seemingly friendly conversation, and convince the human on the other end to simply grant you access?
This may sound far-fetched at first, but these “Social Engineers” are clever and skilled, and social attacks were involved in 43% of the breaches documented for 2017. If you don’t think it can happen to you or your organization, then it might be a wake-up call to read about how then-CIA Director John Brennan’s personal emails were stolen by a 15-year-old from Britain.
How Do They Do It?
Social Engineers use a wide array of techniques to steal information and access from unsuspecting victims. Let’s explore a few popular methods…
Phishing attacks bait victims into visiting a website the attacker has prepared to steal information. Often the page is a copy of the login screen of a familiar service, hosted at an address that looks almost like the real one.
For example, suppose you have an account with Super Secure Bank and their website is located at www.SuperSecureBank.com. The attacker might send you a text message informing you that unusual charges were detected on your account and that you should log on to www.SuperSacureBank.com (one letter off from the real name) to check your activity.
By exploiting the panic you feel when you think your account has been compromised, the attacker hopes you will overlook that the link leads to their fake site, designed to capture your login credentials. The reliable defence is not to follow the link at all: open the bank’s site from a bookmark or type the address yourself, and treat any message that pressures you to act immediately as a red flag.
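To make the lookalike-domain trick concrete, here is an added example (not code from the original post) that scans a message for links and flags hosts that resemble a trusted domain. The trusted list, the SuperSecureBank.com domain from the post and the sample text message are constructed for illustration. It goes beyond the single swapped letter above: it also catches digit-for-letter substitutions such as c0m, and the trusted name embedded as a subdomain of an attacker-controlled domain.

```python
import re
from urllib.parse import urlsplit

# Domains the organisation trusts. SuperSecureBank.com is the fictional
# bank from the post; a real deployment would load a maintained allowlist.
TRUSTED = {"supersecurebank.com"}

# Digits attackers substitute for the letters they resemble.
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Bare hosts or scheme-prefixed URLs, as they appear in a text message.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def levenshtein(a, b):
    """Edit distance, so SuperSacureBank is one step from SuperSecureBank."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of the host (a heuristic; production code should use the public suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify(url):
    """Return 'trusted', 'unknown', or a 'lookalike: ...' string explaining the match."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    dom = registrable(host)
    if dom in TRUSTED:
        return "trusted"
    for good in TRUSTED:
        # supersecurebank.com.evil.example: the trusted name is only a subdomain.
        if good in host:
            return f"lookalike: {good} embedded in {host}"
        # supersecurebank.c0m, or a typo within two edits of the real name.
        if dom.translate(CONFUSABLE) == good or levenshtein(dom, good) <= 2:
            return f"lookalike: {dom} resembles {good}"
    return "unknown"


def scan_message(text):
    """Return (url, verdict) for every URL found in a message body."""
    return [(m.group(0), classify(m.group(0))) for m in URL_RE.finditer(text)]


# Constructed text message in the style of the one described above.
SAMPLE_SMS = (
    "Unusual charges were detected on your account. Log on to "
    "www.SuperSacureBank.com or https://supersecurebank.com.account-check.example/login "
    "to review your activity. Genuine site: https://www.SuperSecureBank.com/"
)

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_SMS):
        print(f"{verdict:70} {url}")
```

The edit-distance threshold of two is deliberately loose; on very short trusted domains it will produce false positives, so a real filter would pair it with the length of the name or use a confusables table rather than raw distance.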
Pretexting is the general term for presenting oneself as someone else in order to obtain information. Attackers adopt fake identities, or borrow real ones, and use whatever they have already gathered to extract more sensitive information or win immediate trust, looking for a point of entry for further attacks.
For example, just knowing the name of an external IT technician could give an attacker the opening to send a well-written email, with the sender address forged to match the technician’s, requesting access to a particular system. The From line of an email is trivially forgeable; only the receiving mail system’s SPF, DKIM and DMARC checks say anything about where it really came from.
Imagine something along the lines of “Hey X, I just got locked out of Y. You know our supervisor Z, if I don’t get this done by the end of the day then I’m going to get chewed out! Could you help me out?” If the recipient doesn’t know to look out for these types of attacks, they might decide to be compassionate and unknowingly give the Social Engineer full access to the system. The counter is a check through a channel the attacker does not control: call the technician back on a number you already have, and route access requests through the normal ticketing process rather than the email thread.
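Here is an added example (not code from the original post) of the check a mail gateway, or a suspicious reader, can run on such an email. It compares the displayed From address with the Return-Path and Reply-To headers and reads the SPF, DKIM and DMARC verdicts that the receiving server recorded in its Authentication-Results header. The two messages, the IT-partner identities and all domains are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed pretext: the From line impersonates the IT contractor, but the
# message was relayed from an unrelated domain and replies go to webmail.
PRETEXT_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=itpartner.example
From: "Alex at IT Partner" <alex@itpartner.example>
Reply-To: alex.itpartner@webmail.example.org
To: x@corp.example
Subject: Locked out of Y - need this today

Hey X, I just got locked out of Y. Could you help me out?
"""

# Constructed genuine message from the same contractor, for comparison.
GENUINE_EMAIL = """\
Return-Path: <alex@itpartner.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=itpartner.example; dkim=pass header.d=itpartner.example; dmarc=pass header.from=itpartner.example
From: "Alex at IT Partner" <alex@itpartner.example>
To: x@corp.example
Subject: Scheduled maintenance on Y

Y will be offline for patching on Saturday morning.
"""

# Verdicts that give no assurance the sender is who the From line claims.
WEAK = {"fail", "softfail", "none", "permerror", "temperror"}


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_verdicts(msg):
    """Map method -> result from Authentication-Results, e.g. {'spf': 'fail'}."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for clause in header.split(";")[1:]:      # clause 0 is the authserv-id
            token = clause.strip().split()[0] if clause.strip() else ""
            if "=" in token:
                method, result = token.split("=", 1)
                verdicts[method.lower()] = result.lower()
    return verdicts


def spoof_indicators(raw):
    """Return a list of reasons to distrust the sender; an empty list means none found."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_dom = domain_of(from_addr)
    findings = []
    # A display name that itself looks like an address from another domain ("boss@corp" <x@webmail>).
    if "@" in display and domain_of(display) != from_dom:
        findings.append(f"display name {display!r} hides sender domain {from_dom}")
    if return_path and domain_of(return_path) != from_dom:
        findings.append(f"Return-Path domain {domain_of(return_path)} != From domain {from_dom}")
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply_to)} != From domain {from_dom}")
    verdicts = auth_verdicts(msg)
    for method in ("spf", "dkim", "dmarc"):
        result = verdicts.get(method, "missing")
        if result in WEAK or result == "missing":
            findings.append(f"{method}={result}")
    return findings


if __name__ == "__main__":
    for name, raw in (("pretext", PRETEXT_EMAIL), ("genuine", GENUINE_EMAIL)):
        print(name, spoof_indicators(raw) or ["no indicators"])
```

Only trust an Authentication-Results header that your own mail server added; a sender can include a forged one, which is why receiving servers are expected to strip any such header that names their own authserv-id before appending their own.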
Tailgating is one of the most basic types of Social Engineering attack, but it can lead to dire consequences for a building whose security rests on the door alone. An attacker simply waits near a point of entry to the target building and follows an employee through the door, gate, etc., without presenting credentials of their own.
While this method tends to work better with larger facilities that have hundreds of employees, even small businesses can be vulnerable to this technique. A kind gesture like opening the door for a mailman carrying a heavy box might actually be inviting a wolf into the proverbial pig’s house.
How Can I Protect Myself and My Organization?
Educate. Educate. Educate.
If there’s one thing that all Social Engineering techniques have in common, it’s the human element. The best thing you can do to protect your organization is to properly educate everyone on the dangers of Social Engineering and inform them of how to recognize potential attacks.
Personally, I recommend making security training part of the onboarding process for your organization so that everyone is at least aware of these concepts from day one. Depending on the size and structure of your group, it might also be worth hosting periodic security seminars to go over recent attacks and warn members of new scams.
Where better to learn about Social Engineering than from the Social Engineers themselves? Social-engineer.org has a blog, a podcast, and extensive written material on human influence, the psychological principles behind Social Engineering, the various attack methods, and even the tools used to pull off some of these attacks.
Watch a Professional in Action
Still not convinced it can happen to you? Every year, thousands of hackers gather together at DEF CON in Las Vegas to discuss developments in security and show off crazy accomplishments. Check out this video of DEF CON Social Engineer Jessica Clark gaining full access to a gentleman’s cell phone plan with a simple 2 minute phone call.