An HVAC vendor tells you that he needs to check your server rooms for proper airflow. You don’t think twice about letting him in; he does what he needs to and is gone before long. A few weeks later, your company is plastered across the local news as the latest big data breach. What happened, and how can you prevent it?
The scenario described above is a prime example of social engineering. Social Engineering in information security is “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes” (Google). The attacker was dressed as a trusted individual (HVAC vendor) and exploited that trust to perform malicious activities on your servers.
Social Engineering is the oldest form of “attack” in the InfoSec realm. New technology has given rise to dozens of communication channels as an avenue to perform these attacks. Business owners need to know what Social Engineering looks like before they are able to properly defend against it.
Social Engineering – Common Techniques
Attackers do not need to exclusively rely on technology to achieve their goals. One of the most effective avenues for gaining access into a network is to simply manipulate the employees into handing it over. There are many techniques that are used by social engineers. Always be on the lookout for the things listed below and be sure to maintain a “trust but verify” attitude with all electronic communications.
Security professionals do not want everyone to be paranoid, but the extra few seconds it can take to confirm someone’s identity can determine the fate of a company.
Phishing
Phishing is one of the “technology reliant” methods of social engineering. In a phishing attack, a malicious actor contacts the target via email, phone (often called “vishing”) or a messaging service. The intention is always to mislead the employee.
A well-known usage of email phishing is to include malicious links that the attacker manipulates the victim into clicking. Disturbingly, links are not the only method to phish users. More specialized messages will request that a user send confidential data under the pretense of being somebody important. These types of attacks are extra dangerous because they can be harder to train against and indicate more advanced threats.
Baiting
A USB drive is found in the parking lot with the phrase “Annual Incentive” written on the outside. Eager to see this confidential information, a user connects the drive to their device. Instead of viewing information, this user has now infected your network. This happens far more often than one might think and is a highly successful attack.
This technique of leaving a piece of bait meant to be found is common and exploits our natural curiosity. These attacks are easy to prevent via proper security procedures and training.
Intimidation
Not all intimidation is physical. Many attackers will simply attempt to overwhelm whoever they are contacting by impersonating someone of authority. No role is off limits in the attacker’s imagination. They can impersonate a CEO, manager, or even a federal agent in order to frighten a victim into cooperation.
This approach usually involves calling or messaging a lower-level employee, demanding something urgently while threatening their job or even jail time. Without proper training, many people are easily flustered and simply give the attacker whatever they want to avoid trouble.
Confidence
Many times, simply acting like you belong is enough to gain access. People are busy and naturally trusting. If you come into an office with a water jug on your shoulder, many people will assume you are the water delivery guy and won’t question you being there. Attackers exploit this trust and “hide in plain sight” in order to gain unwarranted access into areas.
This technique is especially powerful when office personnel are expecting major changes or activity for a set period of time (such as an office remodel).
Defending Against Social Engineering
Social Engineering is just another tool in the attacker’s playbook. Being proactive is the single best counter to any threat, but defending against basic psychology can be tricky. You can significantly increase your immunity to social engineering by changing the way your employees think and heavily emphasizing trust but verify within your environment.
Training
Employee training is the main way to foil dedicated social engineers. A solid, centralized policy for dealing with guests must be strictly enforced to prevent unwanted access. Email awareness campaigns and employee phishing training help to significantly reduce the chance that a user falls for a phishing scam. Identity verification procedures are vital to stop people from claiming they belong and slipping past security.
Simulations
“No plan survives first contact with the enemy.” This military mantra fits surprisingly well in the business world. Realistic simulations complement training to a certain extent. These unannounced tests give your users real-world experience in the form of emails, calls, and even actors posing as delivery personnel or repairmen. By checking whether the training and policies are actually being followed, owners can get an idea of what needs to be improved or streamlined.
Network Security
The unfortunate truth is that even the best training programs still leave small gaps. The larger the organization becomes, the higher the chance that somebody falls into a gap and doesn’t react properly to their training. When things do get in, an extensive security net can help to prevent the spread throughout the network.
Data Loss Prevention
A relatively new concept in cybersecurity, DLP helps security teams look for information leaving the environment. While this will not prevent the initial compromise, it can stem the bleeding from a successful attack and lead to much quicker remediation.
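As an added illustration of the kind of egress policy a DLP engine applies, here is a small scanner written for this article (not any product's own code): the internal mail domain, the message format and the sample messages are all constructed, and a Luhn check keeps digit runs that merely look like card numbers from triggering alerts.

```python
import re
from typing import List, Tuple

# Assumed internal mail domain for this example; a real policy would list every one in use.
INTERNAL_DOMAIN = "corp.example"

# Constructed sample of outbound mail as a DLP hook on the gateway might see it.
# No real people or accounts; 4111... is a standard Luhn-valid test card number.
OUTBOUND = [
    "to=vendor@hvac.example subject='airflow report' body='Rooms 3 and 4 are fine'",
    "to=free-mail@webmail.example subject='fwd: payroll' body='acct 4111 1111 1111 1111 for J. Doe'",
    "to=partner@other.example subject='Q3 numbers' body='CONFIDENTIAL - do not forward'",
    "to=me@webmail.example subject='lunch' body='card number 1234 5678 9012 3456 is a typo'",
    "to=cfo@corp.example subject='Q3 numbers' body='CONFIDENTIAL - board deck attached'",
]

TO_RE = re.compile(r"to=\S+@(\S+)")                       # recipient domain
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")            # 13-16 digits, spaces/dashes allowed
MARKER_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY)\b", re.IGNORECASE)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def findings(message: str) -> List[str]:
    """Return the policy violations for one outbound message (empty list if clean)."""
    m = TO_RE.search(message)
    if m is None or m.group(1) == INTERNAL_DOMAIN:
        return []                           # internal traffic is out of scope for an egress rule
    hits = []
    for cand in CARD_RE.findall(message):
        if luhn_ok(re.sub(r"\D", "", cand)):
            hits.append("payment card number to external recipient")
            break
    if MARKER_RE.search(message):
        hits.append("confidentiality marker to external recipient")
    return hits

def scan(messages: List[str]) -> List[Tuple[int, str]]:
    """Run the policy over a batch; returns (message index, violation) pairs for the SOC queue."""
    return [(i, f) for i, msg in enumerate(messages) for f in findings(msg)]

if __name__ == "__main__":
    for idx, reason in scan(OUTBOUND):
        print(f"message {idx}: {reason}")
```

Messages 1 and 2 are the only ones queued: the mistyped number in message 3 fails the Luhn check, and message 4 stays internal.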
Administrative Controls
Network administrators must ensure that permissions are handled properly within the environment. Many social engineering attacks can be thwarted simply by not giving less-trained associates access to confidential data. If an attacker wants to get hold of a specific financial document but cannot obtain an account with the proper permissions, the attack is effectively dead in the water.