When it comes to cybersecurity, the general public tends to think in terms of technology. This is only natural as hackers attack and break into technological interfaces. These attacks turn malicious in the hands of a black hat hacker (i.e. the ones who give the rest of the hacking world a bad name).
If you took an opinion poll at, for instance, a corporate office about how best to guard a network, chances are most responses would be technological ones. You would likely hear mentions of firewalls and other effective deterrents that are based solely in the cyber world.
This is problematic for those of us in the information security field.
The issue is not that firewalls and the like are bad; it is simply that most people do not understand that humans are the greatest guard (and vulnerability) for a network. Human error is without a doubt the constant threat to the security of any given system. Malicious hackers are not only talented at coding and bypassing security measures; many are also talented at hacking people.
By hacking people I refer to a concept known as social engineering. Social engineering is extremely effective for escalating privileges within a network and stealing (or destroying) data. Social engineering has been responsible for successful attacks against private and public sector entities throughout the years, and frankly, it is not hard to understand why:
People tend to put too much faith in technology to protect them.
Hacking really is about finding the path of least resistance. Why crack an encrypted password when you can get someone to accidentally give you the unencrypted version? Why attempt to install a backdoor virus on your own when you can get an unwitting employee to plug in an infected USB drive? Some of the greatest hacks in history have been the result of social engineering and this will continue to be the case until more are educated on it.
While an exhaustive list of social engineering methods is not possible within this article, I will try to highlight the most common ones. Hopefully after reading you can understand how you can be better prepared against cybercriminals.
Human curiosity is a blessing in disguise when you are a hacker. If you leave a USB drive or CD lying around an office, chances are somebody is going to pick it up and insert it into their computer. Unbeknownst to the fool that picked up this bootable media, the hacker has a malicious payload ready to execute the second that it is activated. By the time the cybersecurity division at the company has been alerted, it is already too late. The virus has latched on to the internal network and a plethora of sensitive data is ripe for the picking.
Even at the highest levels of government, the baiting tactic has proven effective. In 2008 the Pentagon was infected with a nasty, undetectable form of malware called agent.btz that allowed numerous backdoors to be opened. The attack originated from a USB drive that was left lying around a US military base with access to the US Central Command. All it took was one person taking the bait to cause what was dubbed the “worst breach of U.S. military computers in history.”
Of all the social engineering attacks to prevent, baiting is the easiest. In case it was not obvious from the examples given, do not under any circumstances insert unknown USB drives, CDs, DVDs, or anything else of the sort into your work computer. Yes I know the curiosity is killing you, but is it worth compromising the security of your company and possibly losing your job?
You have probably heard of phishing emails. If not, the quick synopsis is that phishing emails are a social engineering attack that attempts to bait numerous people into giving away sensitive information via email. A phishing email usually poses as a financial institution and asks for things like social security numbers.
Spear phishing takes this a step further as it targets one specific person (or more) as opposed to sending emails en masse. What a cybercriminal will do is find a name of somebody that works at their target location. The hacker will then do an exhaustive search on this individual to craft an email that is much more likely to be opened and responded to. The source will look legitimate and the body of the message could easily fool a particular person into clicking malicious links.
There really is no sure-fire way to protect against spear phishing, but some measures can be taken. First, be aware of what your digital footprint is and how a cybercriminal may use it against you. This information could be on social media (which I suggest keeping as private or non-personal as possible), blogs, or anything else that permanently seals your name into search engine data. Secondly, if an email is asking you to click a link (which is how the malware is delivered most of the time), look at the URL. Chances are there is something in the address that is off, such as misspelled words or strange symbols not usually present in a URL.
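One way to automate the URL check described above, as an added example that is not part of the original article. The trusted-domain list, the sample hosts and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list: domains the reader's organisation really uses (assumption).
TRUSTED = ("example-bank.com", "intranet.example.com")

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of a trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete a character
                           cur[j - 1] + 1,             # insert a character
                           prev[j - 1] + (ca != cb)))  # substitute a character
        prev = cur
    return prev[-1]

def url_warnings(url, trusted=TRUSTED):
    """Return the reasons a link's address looks off; an empty list means none found."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []
    # "Strange symbols": text before '@' is login info, not the site being visited.
    if parts.username is not None:
        warnings.append("userinfo before '@' hides the real host")
    # "Strange symbols": lookalike letters from other alphabets, raw or punycode-encoded.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        warnings.append("non-ASCII or punycode characters in host")
    # An exact trusted domain, or a subdomain of one, needs no spelling check.
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return warnings
    for t in trusted:
        # "Misspelled words": one or two characters away from a trusted name.
        if 0 < edit_distance(host, t) <= 2:
            warnings.append(f"host is a near-miss spelling of {t}")
        # The trusted name used as a prefix or label of an unrelated domain.
        elif t in host:
            warnings.append(f"trusted name {t} embedded in a different domain")
    return warnings
```

An empty result only means none of these specific patterns matched; it does not make an unexpected link safe to click.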
In general, I would advise against clicking any links, even ones you may trust at work, unless it is related to your job. The risk really is not worth it. You may think that the people in the security department are a bunch of killjoys for not allowing you to browse personal websites at work, but really they are trying to prevent an attack. The same logic applies with spear phishing emails. To truly prevent such an attack, don’t open personal emails at work (especially emails that contain links).
Our nature as humans tends to make us want to do things like hold doors open for strangers. In most cases there is nothing wrong with this act of kindness. It is possible, however, to exploit human courtesy when it comes to buildings that have badge or security card access. This is a social engineering attack used by hackers called tailgating.
Imagine the all-too-common scenario for a second. You work in an office building that requires you to swipe a badge to enter the front door. As you go to enter your building, an individual says “can you hold the door for me? I lost my badge!” This person is dressed in clothing that reflects dress standards for where you work and you figure “ok, why not?”
You very well could have let in a hacker that now has internal access to your network. It is much easier for a cybercriminal to attack a company from the inside than remotely (which is why a tailgating attack is so advantageous to the black hat).
The solution here is yet again an exercise of common sense. Do not let anyone into your building that lacks proper identification if you work at a “secure” facility. It may make you feel like a jerk to say “no” to somebody, but you are a potential (and unwitting) accomplice in a cybercrime if that individual is not who they say they are. Penetration testers (aka InfoSec experts who get paid to hack companies) often report that simple niceties like holding a door open to a restricted area were a common occurrence during a pentest. Take this as a warning from the experts, as you do not want to be the reason your employer loses money or data to criminals.
The last social engineering attack to be discussed is an attempt to gain sensitive information via (at least most of the time) a phone call. Pretexting works by putting an attacker in touch with an employee while the attacker poses as a figure of authority (like upper management or the IT division). The phone call could go as follows:
“Hello this is Mr. Smith from the IT division, we have noticed some troubling activity coming from your computer. We would like to temporarily access it to determine what type of virus we are dealing with here. Can you give us your login information and we will send someone over to your cubicle right away?”
If you are goaded into believing this person, you have just given them total access to your machine from which they can escalate privileges (thus starting the next wave of their cyber-attack).
When you think you are being pretexted, don’t be afraid to ask for a person’s identification and badge number. Search your database to verify their identity or get somebody who can. If nothing else, most office phones have caller ID nowadays, and as such, you should use this to your advantage. Does the person calling have a number that is not like your typical company numbers?
Even if it is, keep in mind that it is very easy to spoof caller ID, so possibly say “I’ve got a bad reception here, can I hang up and call you back? What number and extension should I call?” Chances are this will shut down the person on the other end as they will not have a logical answer for you. If they do give you a number, do a quick search on it.
Trust me, these methods may seem crazy but you can never be too paranoid when it comes to security.
There will always be new types of malware that cybercriminals try to code and unleash on the world. The attacks on a technological level are always evolving as protections are put in place to defend against such threats. One constant tool is social engineering, however, as no one can force a human to follow security protocols. The “textbook” of social engineering has never needed to adapt significantly as there are always people that fall for the oldest trick in the book.
Hopefully this article has given you some insight into how attackers think and how you can counter their social engineering efforts. You never know when a black hat hacker may try these methods; it happens more often than you think.