The state of the IT industry today barely resembles that of the early 1990s when I began my IT career. Even so, there are a few things that haven’t changed. Take social engineering, for example. Social engineering was a significant threat to security back then and remains a threat today. Sure, some of the methods have changed over time, but the basic concept of manipulating users in order to gain access to information remains the same.
Those who have bad intent continue to rely upon social engineering for one simple reason — it works. As such, it seems prudent to question what it is about social engineering that makes it so effective, and what you can do to keep your users from falling for a social engineering stunt.
Why does it work?
Over the years, I have heard people say that the reason why social engineering is so effective is because the end users are stupid, gullible, or just don’t care about their jobs. Certainly, there have been documented instances of end-user stupidity lending itself to the success of a social engineering attack. About 10 years ago, for example, I read a story about an IT security firm whose employees stood on a busy street corner promising to give passersby a free Starbucks gift card in exchange for their password. Not only were there a lot of takers, but one executive who did not know his own password went to his office and instructed his secretary to write down his password and take it to the people who were offering the free Starbucks cards.
Although these kinds of stories may lead to sleepless nights for IT pros tasked with keeping their organization secure, I personally think that they are the exception rather than the rule. While there are stupid users out there, experience has taught me that most users are not actually stupid. They simply have not received the same security education as those of us who work in IT.
So if user stupidity is not the root cause of the problem, what is it about social engineering that makes it so effective? Before I can answer that question, I need to take a step back and narrow down the definition of social engineering just a little bit. At the beginning of this article, I defined social engineering as the manipulation of end-users in an effort to gain access to information. The problem with this definition is that it is so broad that there are many different types of attacks that could be classified as social engineering. As written, even the old Nigerian prince email scam could qualify as a form of social engineering. For the purposes of this article, I am going to limit my discussion of social engineering attacks to those attacks that are made either in person or over the phone.
How a social engineer builds the scam
So with that said, why is it that social engineering attacks have been so successful that they have stood the test of time for decades? It all comes down to the attacker’s method of operation. In order to be successful, a social engineer needs to do two things.
First, the social engineer must project confidence. Imagine for a moment that you are an unsuspecting end user and that someone claiming to be from your company’s IT department calls and asks for some sort of information. In a situation like that, the caller’s confidence plays a major role in whether or not they are going to be successful. Confidence carries an air of legitimacy. An attacker who can portray 100 percent confidence is less likely to be questioned.
If you don’t believe me, then consider this. Imagine that you have been in some sort of accident and are bleeding profusely. Whom would you trust more to help you: someone who says that they need to figure out a way to stop the bleeding, or someone who confidently says, “Don’t worry, I know exactly what to do”?
It actually amazes me just how much of a role confidence plays in social engineering. Maybe I shouldn’t be writing about this, but about 15 years ago, I had a friend visit from out of town. Through some chain of events, he found out that there was a highly exclusive country club nearby. I’m not a member, but my friend was insistent that he wanted to go check the place out. I wasn’t wild about the idea, but I knew that there was no stopping him. My friend simply dressed nicely, walked in the front door, and acted like he owned the place. He spent most of the day at the country club, and no one ever questioned our membership. My friend had almost no previous knowledge about the country club. His confidence was his only asset in the situation, and yet he pulled off his objective without question.
I think that confidence is arguably the single most important part of a good social engineering scheme. But there is one other aspect that is only slightly less important. The social engineer has to create a sense of normalcy. If I were to walk into a random office and start asking everyone for their password, I’m sure it would raise lots of red flags. Having a stranger come in off the street and start compiling a list of everyone’s passwords is probably way outside of the norm and everyone at the office would quickly realize that I was up to no good.
A less suspicious approach might be for the social engineer to start out by asking who it was that called about a computer problem. Chances are somebody in the office probably called someone for some type of technical support. If someone does say that they need help, then the social engineer can start innocently asking questions in an effort to lead the conversation in a direction that will ultimately net them the information that they seek. If nobody claims to have asked for technical support, then the social engineer would still want to maintain a sense of normalcy. Perhaps they might suggest that they may be at the wrong location, and ask if the company has another office across town that they were supposed to have gone to instead. I’m grossly oversimplifying things here, but the important thing is that the social engineer needs to remain completely confident so as to project legitimacy, and they have to operate in a way that seems completely normal to those who the social engineer is trying to manipulate.
Two effective ways to stop a social engineering attack
So the real question is how can you defend yourself against a social engineering attack? There are lots of different philosophies about the best way to secure an organization against this type of manipulation. However, there are two things that I find to be particularly effective.
First, I believe in providing users with small doses of security training on a frequent basis. This doesn’t have to be anything formal. Even something as simple as an email newsletter or a short video clip will do. The important thing is to keep it relevant and frequent.
Many companies make the mistake of trying to do monolithic end-user security training. The problem with that is that users forget most of what they’ve learned as soon as they walk out the door. Besides, there will always be users who miss out on the training for one reason or another. Providing frequent security training in bite-size pieces creates a culture of security, rather than allowing security training to become a one-off event.
The other thing that I have found to be especially effective is uniformity. The casinos in Las Vegas require dealers to deal card games in a very specific and uniform way. The idea is that anything that happens that is out of the ordinary will be easily recognizable because it does not fit into the rigid way in which things are normally done. This same basic approach works really well for IT security. If you have rigid protocols in place, then any deviation from those protocols will be immediately noticeable. For example, if the help desk never asks a user for a password, and always verifies a caller’s identity by calling back a number already on file before making any account change, then a caller who asks for a password or who resists the callback stands out right away, no matter how confident or how normal they seem.