November 25, 2015 •
As human beings, we’re susceptible to a variety of attacks that electronic systems aren’t and consequently we can be manipulated into doing something that might not necessarily be in our best interests. If you’re a parent or know small children, you know how adept at manipulation they can be. This is a social engineering attack in its purest form!
The objective of the criminal social engineer is the same as that of the criminal hacker: Access. Access to systems, facilities, secured areas, documents, information—anything of value. The difference between the social engineer and the hacker is primarily one of human psychology.
Social engineers play to people’s wants and needs, focusing on the mental triggers that can make a person do something. For example, many people will do anything to avoid confrontation while others just want to be helpful and will go out of their way to assist someone who seems to be non-threatening or affable.
If you want to get somebody to do something, you’re going need their buy-in. While there is a focus on gaining the trust of the target, sometimes influence over their actions will suffice. This can be accomplished in a variety of ways depending on the situation, but the focus is on exploiting human tendencies.
For example, consider how willing you’d be to help someone who gave you something—even if it were something simple, such as a coffee mug or a novelty of some type. Most people’s first inclination is to return the favor, which means that the chances of them complying with a follow up request are much greater than if a gift hadn’t been offered in the first place.
Presentation is also a key component. Clothing and appearance play a huge role in a social engineer’s ability to establish themselves:
There are a multitude of other techniques that involve weakening a target’s resolve. A perfect example might involve a phone-based attack that confuses the target with technical jargon to overwhelm them. Compliments are another effective conversational tactic that can help win a target over. Consider a situation where a female attacker is caught doing something suspicious while onsite at the target organization. If the person discovering what she’s up to is male, she may try flirting with him or complimenting him to redirect his attention to the incoming praise and away from the original issue.
The idea behind pre-texting is that of priming the target for the attack. This could be a lie or anything else that establishes a cover. It could be something as simple as a story: Hey, my phone battery is dead and I need to call my wife and ask her to pick up the kids, can I borrow yours? Or it could be something much more involving an elaborate show. One example of such a case might involve a social engineer who feigns anger while on a phone call so as not to be stopped while walking into a building.
Appearance is also part of pre-texting in that the social engineer will present themselves in some fashion that supports their attack. The social engineer might wear a “costume” of sorts or carry props. Dressing up like a copy machine repair person with a bag of tools is one way to get by the front desk. Dressing at or above the target company’s dress code will also sometimes get the social engineer in the door. Many social engineers have been able to walk into offices simply by wearing a suit and carrying a briefcase while talking on the phone and looking busy.
Let’s tackle this from the technical controls side of the house as that’s typically easier to address. Your organization should have a strong spam filtering solution that is updated regularly and well-maintained. Antivirus and web content-filtering solutions are also obvious must-haves, but keep in mind that they’re not a "silver bullet." As an additional hedge against malware, consider deploying application whitelisting or file integrity monitoring solutions.
On the non-technical side of the house, security awareness training is paramount. You must educate your employees about the methods and means employed by social engineers and the risk that seemingly innocuous information can present when pulled together. Make sure that employees know about the risks of discussing projects and other company business in front of outsiders.
You’ll also want to consider having a third party come in and perform a social engineering assessment to give you an idea of how your employees stand up to the test. The results of these exercises can be used to tailor training programs for your organization, which can make the lesson more applicable and “sticky.” Some companies will perform regular phishing and phone-based social engineering testing against their employees. If this is you, consider publishing the results to the employee base after sanitizing them to keep from embarrassing folks who may have fallen for the trap. Doing so makes it “real” for your employees, significantly raises awareness and, subsequently, the bar for future social engineering attacks.
All said, there’s really no catch-all due to the human element involved. You must be continuously aware of what’s going on with your employees. Conduct regular clean-desk walkthroughs to get an idea of who isn’t putting everything away. Identify disgruntled folks who might not have your best security interests in mind and implement a zero-tolerance policy covering the unauthorized release of confidential information.
The key point is to have your finger on the pulse of your organization so that you can proactively address things. Keep in mind that these recommendations aren’t meant to be comprehensive, but will certainly go a long way toward addressing the human weaknesses that threaten your organization.