We’ve heard it time and time again: your organisation is only as strong as its weakest link. The difficulty we face is that the weakest link (employees) is ever-present. Human error has been, and remains, responsible for many security failures. This contributing factor is spiralling out of control as advances in technology make it ever easier for cybercriminals to use social engineering to exploit this weak link and thereby facilitate their crimes. Put simply, social engineering is the easy route in.
We have all been victims of social engineering and have also used its tactics to get something we want. Social engineering is in no way new and has been used as a manipulation tool since the beginning of time. Young children quickly learn their way around this tactic, charming a parent into those few extra minutes before bedtime or obtaining one more scoop of ice cream; this is accomplished without any awareness of social engineering. It seems to be second nature, although it is not always used to harm. However, the infamous uses of social engineering are becoming more and more prevalent in cybercrime.
Many examples of social engineering exist throughout history and have proven to often triumph over physical security and security technology.
Social engineering spanning decades
A definitive example--not cybercrime related--has its roots in ancient Greece. Mythical or not, this example represents a social engineering attack so fittingly that an entire malware type has been named after it. Yes… you guessed it! We find ourselves in ancient Greece amidst the battle of Troy. After a futile 10-year conflict, the Greek army appears to throw in the towel and, in recognition of their defeat, they retreat, but not before leaving the Trojans a parting gift outside their gates: a gargantuan wooden statue of a gallant horse. The Trojans are elated, as they have won and the enemy has acknowledged defeat; they manoeuvre the gift inside, unknowingly bringing the enemy within their walls, and celebrations begin. In the dark of the night, with the Trojans tuckered out and in deep slumber, the Greek soldiers make their way out of their hiding place, the wooden horse, open the city gates, and are reunited with the rest of the Greek army.
This culminates in the ruin of Troy by the Greeks. Human error at the hands of the Trojans facilitated the destruction of Troy by unknowingly allowing the enemy into their city. Even the Trojans' security measures, which had kept them and their city secure and held the Greeks at bay for a decade, were not enough to halt the weakest link and the clever use of social engineering when it mattered most. In other words, security technology, albeit essential, is not enough, and the strongest security technology can be quashed by a cunning social engineer. All it takes is for one employee to let down their guard.
Back in the world of tech, it is quite easy to find numerous examples of how social engineering has been used to gain entry into various organisations and their systems. In 2014, GoDaddy and PayPal facilitated the attack that cost Naoki Hiroshima his $50,000 Twitter username (Hiroshima explains the hack). It has also come to light that social engineering played a part in the big Sony hack of 2014, causing great financial damage and, worse, damage to Sony’s reputation, and social engineering has been connected to the recent hack at the US Department of Justice, which compromised thousands of individuals' personal details, including those of FBI employees. These attacks involved sizeable entities, which goes to show that no one is safe.
We help cyber criminals at a whim
There isn’t a correct or incorrect way to use social engineering’s multitude of diverse tactics, as long as you are resourceful and creative enough to make use of the varying conditions and scenarios open to you. It’s all down to what works and with whom. Success relies on the method, timing, poise, and plausibility of the approach, as well as the frame of mind of the victim at that instant in time.
The very nature of human behaviour is also our weakness: we are trusting and are easily lulled into a false sense of security. We want to act on urgency and feel the need to respond--now! These traits are easily exploited through rudimentary psychological techniques. With this in mind, cybercriminals are finding it effortless to use the art of social engineering against us. They gather information through conversation, both electronic and physical, and many of us unsuspectingly and freely divulge information without a second thought. By the time we realise what has happened, it is too late.
Furthermore, the way in which the majority of us recycle our credentials means that one slip-up of a username and password usually gives the criminal access to several services.
Taking all of this into consideration, social engineering is low cost, highly effective, and easy to understand and practise to achieve successful results. It does not require an accomplished programmer or a tech-savvy individual, only someone willing to speak to people and send emails, and there are thousands of individuals willing to partake. It is a profitable crime. (Why wouldn’t cybercriminals be all over it?!)
If this was not enough, the evolution of the Internet is further assisting cybercriminals to enhance their trickery. Don’t get me wrong, technology has made some forms of attack more challenging to commit but it has also created a wealth of openings for those flexible "cybercriminal-social engineers."
We are all over social media (both socially and professionally), continuously updating our profiles and statuses, our whereabouts (where we are, where we have been, and where we will be going to), our likes, our personal information… the list goes on and on. This development of the Internet and the manner in which we all use it is aiding cyber criminals. A fundamental aspect of social engineering is to obtain the target's information and as a society we are ensuring that all of our information is readily available (conveniently, usually all in one place) and the cybercriminals know exactly where to look, how to gain access to it, and how to utilise it to compile a very convincing story to get what they want from us.
We also probably all own not one but two or even three mobile devices, to which we eagerly download applications without much thought. As organisations become more mobile in the way they work, and many organisations now allow employees to use their personal mobile devices for work functions too (the BYOD--bring your own device--scheme is now commonplace), this offers a further entry point for social engineering type crimes.
The impact of a social engineering attack on an organisation is great. It can affect privacy, reputation, and finances, and have pronounced legal ramifications.
Inside the cyber criminal’s head
For the best chance of avoiding falling victim to such cybercrime, we need to get inside the criminal’s head--to know how the cybercriminal thinks and plays out his/her crime. There is a thought process behind such a crime, and a similar pattern and set of steps are likely followed each time.
Step One: Identify the target
Depending on the type of social engineering cybercrime, choosing the target can be opportunistic, but it can also be highly specific. An opportunistic crime may be an attack in which no specific individual is targeted; rather, thousands of individuals are targeted in the hope that some of them will fall victim (usually through email, text message, or telephone conversation--a phishing scam of sorts). A targeted attack (a spear phishing or whaling scam) involves targeting a particular organisation for a specific reason. An easily baited employee or individual associated with the target organisation is the point of entry. A discontented employee (and there are many of those) is often more than willing to assist. Other targets may include administrators, clients, and technical support employees, to name a few.
Step Two: Get to know them
The cybercriminal wants to know their target inside out. They want to gather as much detailed information as possible so that they can confidently gain the trust of the target individual and convince them without leaving any room for doubt or question. The data gathered must be solid and must make for a convincing story. The cybercriminal wants to develop a relationship that they can later exploit.
Step Three: Identify the right time to attack
The right timing, and ensuring the target is in the right frame of mind at the instant of attack, is paramount. Returning to Troy, the Greeks knew that the timing was right and that the Trojans’ frame of mind was in the right place at the time of attack--the Trojans were celebrating their victory (all part of the Greeks' convincing story) and had no inkling that something sinister was happening under their noses. The Greeks were confident, creative, and clever; everything lined up beautifully and thus the attack was a success!
A successful social engineering crime takes all these aspects into account. The criminal will have identified the target, researched the target in depth, and studied their relationship with the organisation (the employee is, much of the time, the route into the organisation, which is the bigger target). They will have compiled a convincing story. The attacker is confident and poised, and has determined the most fitting method of attack as well as the best time to take action.
Step Four: Attack
With everything in place, the attack transpires. It can take the form of a face-to-face attack, a phone-based attack, a computer-based attack, or an attack using malicious applications.
- Via computer:
These usually involve viruses, Trojans (there it is again!), spyware, scareware, and ransomware. The most common attacks on organisations are phishing and spear phishing attacks.
Scareware attacks use social engineering to trick users into thinking that their machine has been infected and direct the user to click on a link. This approach exploits fear to get the individual to take action with urgency.
Ransomware is social engineering at its best! It holds your files for ransom and leaves you believing that the only way to get your data back is by paying (usually in untraceable Bitcoin). We play right into the attacker's hands and, since we keep paying, this form of attack continues to escalate. So… don’t pay the ransom! Seek professional help and always maintain a backup of everything.
- Via malicious applications:
Malicious applications are created with a target in mind, appealing to that target in particular in order to persuade the individual to download the malicious application. Once the application is downloaded, the criminal gains access to the data on the device and can cultivate a more brazen attack, which is likely to culminate in a breach.
- Via the physical approach:
This approach relies on physical interaction between the attacker and the user. Such attacks could involve the assailant posing as someone s/he is not and gaining physical access to a building of interest. This type of approach could be achieved through tailgating and eavesdropping, for example.
I know of security professionals bypassing all security measures within an organisation through the use of social engineering. They gained access to the offices deep within the building used by senior members of staff and obtained critical data. Employees were more than happy to assist without a second thought. Although this was undertaken as a lesson in security rather than with any malicious intent in mind, it is proof that it is easily done. It clearly shows the weakest link, once again, and shows that no matter the technological and physical security measures in place (and this organisation had them all and more and believed that they were untouchable), these are easily sidestepped by an intruder once they are made futile through the actions of the weakest link in the security chain.
- Via phone call:
This has happened to me on a number of occasions, where I received calls from so-called Microsoft representatives regarding an issue that they had noticed with my Windows machine's security. The "representative" appeared very professional and composed, and was very keen to assist! Playing the part, I told her that it was strange, as I used an Apple machine and not a Windows machine, to which she very quickly hung up the call. In this circumstance, I was not fooled, but so many other unsuspecting people are, and so the criminals continue to pursue such attacks.
Using information made public on social media and websites, it is easy for a cybercriminal to call an employee pretending to be a senior member of staff and initiate a conversation, which can culminate in the employee resetting login details or passwords, or sending information or documents to a bogus email address provided over the phone. This happens far too often!
What can you do?
Engage your users! It is essential that users are educated and maintain awareness. This must include everyone associated with the organisation. Training is required, but it should be done frequently and cover small sections at a time rather than annually, when users are bombarded with a volume of information that is challenging to take in, let alone remember and implement.
Employees must know how to identify sensitive information, the associated threats, and the security practices to follow. Recovery procedures should also be outlined, maintained, and known, as the likelihood of an attack occurring is high, and ensuring appropriate procedures are in place may alleviate the repercussions of an attack.
Moreover, experiencing an attack situation is always good practice. This can be done through regular simulated attacks so that users do not become complacent and remain on top of their game. Furthermore, it allows knowledge to be measured and is a good way to gauge progress within the organisation.
Empower, educate, and monitor progress of all employees.
Be a skeptic
Cybercriminals have jumped on the bandwagon, and the psychological component of a cyber-attack is increasingly evident. The use of social engineering for cybercrime is literally child’s play--it is the easy route in! The multiplicity of attack styles is always developing: ransomware, scareware, phishing, spear phishing, whaling, clickbait attacks, watering hole attacks, social networking attacks--and I could keep going! With that said, it is an apt time to be a skeptic!
We must try to create a culture in which employees are kept up to date with the goings-on of cybercrime. It is important to prioritise coaching employees on how not to be the weakest link in the security chain.
Humans remain the weakest link in the security chain, and as long as this is true (always!), cybercriminals will take advantage of it. As in the battle of Troy, organisations spend time, money, and effort on security technologies for defence, but not much consideration is given to educating and training their users to recognise when someone is trying to make their way in.
Be cautious, be sceptical, and use your common sense!