People hack people
The aim of this blog is to highlight the damage an organisation can suffer when it is targeted by a social engineering attack. It outlines the main types of social engineering technique, Equantiis’ first-hand experience of using them on behalf of clients, and recommendations on how not to fall into an attacker’s trap.
Social engineering is a malicious attack conducted by humans to obtain confidential or personal information – essentially hacking people. Whilst the end result may be a compromised system, the approach itself is not directed at technology.
With cybercrime skyrocketing, organisations often overlook the weakest link in information security: people. Fraudsters take advantage of individuals’ naivety and psychologically manipulate them into becoming an unwitting accomplice to a nefarious goal.
Social Engineering Techniques
Whilst there are many social engineering techniques, the ones covered here are:
Baiting – a method that lures the target into a false sense of security by laying a trap in order to exploit them. This could be by handing them infected equipment (e.g. a USB stick with malicious content) or by sending them an email or letter containing links to a fake website.
Quid Pro Quo – often regarded as a subcategory of baiting. The targeted individual is offered something in exchange for something else, e.g. divulging personal information that could later be used to reset an account.
Pretexting – when a perpetrator creates a false sense of trust between themselves and the intended victim in order to gain access to confidential information. They often disguise their identity and impersonate co-workers or figures of authority to coerce the victim into providing sensitive information.
Tailgating – also known as piggybacking, an inconspicuous technique in which an unauthorised person physically follows an authorised person into a restricted area. The technique is so effective that the authorised person will often hold the door open for the person behind them. Any employee handbook should already instruct employees to challenge unknown people on the premises.
Using these techniques in practice
Equantiis recently made a set of security recommendations to a client’s Executive Board. To help the project sponsor build a compelling business case for investing in security, Equantiis carried out a ‘Mystery Shopper’ style social engineering experiment.
Using a pretext cover story, the team tailgated their way past the client’s building reception desk.
Around two minutes after entering the client’s offices, Equantiis was challenged by an employee. Using the same pretext, a fictitious venue hire enquiry, the employee was happy to guide the team around the offices.
Equantiis was able to photograph parts of the building with permission on the pretence of the venue booking (the quid pro quo!). Once left alone, Equantiis photographed confidential locations within the offices, including meeting rooms, computer screens and employees. Finally, on departure, Equantiis dropped a malware-infected USB device on an SMT’s desk in the hope that the employee would take the bait and plug it into a computer.
This example highlights the importance of thinking about security without looking only through a technology lens. At the end of the day, it is an organisation-wide issue.
Key takeaways and actions for organisations
Ultimately, social engineering is a pressing problem that is already affecting businesses on a large scale. The C-suite can use Equantiis’ experiment as an example of the impact a simple social engineering attack can have on an organisation.
Equantiis’ advice to businesses on protecting themselves against social engineering attacks is:
1. In depth and continuous training
All employees should receive comprehensive security awareness training that is regularly updated and revisited. This enables employees to recognise the different mechanisms social engineers use to conduct attacks, and should also cover the warning signs employees should look out for when identifying a social engineering attempt.
Organisations could introduce bi-monthly mystery shopping exercises to test employees’ vigilance and how they respond when confronted with a suspicious situation.
2. Introduce processes and countermeasures
Organisations should define a process that all employees can follow if they are faced with a social engineering attack. Having clear guidelines and countermeasures in place gives staff a procedure for reporting and acting on anything suspicious they spot.
3. Tighten your primary defence mechanisms
Reception desks are usually the first point of contact a fraudster has to pass before gaining access to the building, and if this primary defence is easily penetrated, the rest of the attack becomes substantially easier. Organisations therefore need to enforce strict policies that equip reception staff with the skills and authority to challenge, or even refuse entry to, visitors.
A policy could be as simple as introducing name badges that visitors must wear visibly at all times, so that all personnel can identify visitors in the building.