Social engineering is essentially the art of gaining access to buildings, systems or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques. For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password.
Even if you've got all the bells and whistles when it comes to securing your data center, your cloud deployments, your building's physical security, and you've invested in defensive technologies, have the right security policies and processes in place and measure their effectiveness and continuously improve, still a crafty social engineer can weasel his way right through (or around).
Here are answers to some frequently asked questions about social engineering, including the common tactics social engineers use and tips for ensuring your staff is on guard.
What is social engineering?
Social engineers take advantage of human behavior to pull off a scam. If they want to gain entry to a building, they don't worry about a badge system. They'll just walk right in and confidently ask someone to help them get inside. And that firewall? It won't mean much if your users are tricked into clicking on a malicious link they think came from a Facebook friend or LinkedIn connection.
Famous hacker Kevin Mitnick helped popularize the term 'social engineering' in the '90s, although the idea and many of the techniques have been around as long as there have been scam artists of any sort.
How is my company at risk?
Social engineering has proven to be a very successful way for a criminal to "get inside" your organization. Once a social engineer has a trusted employee's password, he can simply log in and snoop around for sensitive data. With an access card or code in order to physically get inside a facility, the criminal can access data, steal assets or even harm people.
Chris Nickerson, founder of Lares, a Colorado-based security consultancy, conducts 'red team testing' for clients using social engineering techniques to see where a company is vulnerable. Nickerson detailed for CSO how easy it is to get inside a building without question.
In one penetration test, Nickerson used current events, public information available on social network sites, and a $4 Cisco shirt he purchased at a thrift store to prepare for his illegal entry. The shirt helped him convince building reception and other employees that he was a Cisco employee on a technical support visit. Once inside, he was able to give his other team members illegal entry as well. He also managed to drop several malware-laden USBs and hack into the company's network, all within sight of other employees. Read Anatomy of a Hack to follow Nickerson through this exercise.
“People inherently want to trust, that's what a successful social engineering attack comes down to,” says Chris Blow, offensive security architect at property and casualty insurer Liberty Mutual. “If someone sends a co-worker an e-mail and it says that it's from another co-worker, most people are going to look at that and want to trust it, especially if it relates to something real and specific,” says Blow. “As long as it says it's from somebody that appears to be a coworker, most people will open it. And most people will actually click on whatever is in the body of the e-mail too,” he says.
That’s with e-mail, but why do these attacks work just as well over the phone, or in-person, such as when someone uses co-worker or other pretexts? “People don't want to appear skeptical of another person's actions,” adds Blow. “Most people want to be kind and courteous and are trained to be compliant, especially in a work environment. If I call up as an angry executive and say "I want to know why this wasn't taken care of a week ago. What the hell is wrong with you guys? This routing number and account number were supposed to be changed, and nobody's taken care of it. I need you to take care of this right now!" Especially if you do something with a sense of urgency to it, people are all over it,” he says.
What are some examples of what social engineers say or do?
Criminals will often take weeks and months getting to know a place before even coming in the door or making a phone call. Their preparation might include finding a company phone list or org chart and researching employees on social networking sites like LinkedIn or Facebook.
On the phone:
A social engineer might call and pretend to be a fellow employee or a trusted outside authority (such as law enforcement or an auditor).
According to Sal Lifrieri, a 20-year veteran of the New York City Police Department who now educates companies on social engineering tactics through an organization called Protective Operations, the criminal tries to make the person feel comfortable with familiarity. They might learn the corporate lingo so the person on the other end thinks they are an insider. Another successful technique involves recording the "hold" music a company uses when callers are left waiting on the phone. See more such tricks in Social Engineering: Eight Common Tactics.
In the office:
"Can you hold the door for me? I don't have my key/access card on me." How often have you heard that in your building? While the person asking may not seem suspicious, this is a very common tactic used by social engineers.
In the same exercise where Nickerson used his thrift-shop shirt to get into a building, he had a team member wait outside near the smoking area where employees often went for breaks. Assuming this person was simply a fellow-office-smoking mate, real employees let him in the back door without question. "A cigarette is a social engineer's best friend," said Nickerson.
This kind of thing goes on all the time, according to Nickerson. The tactic is also known as tailgating. Many people just don't ask others to prove they have permission to be there. But even in places where badges or other proof is required to roam the halls, fakery is easy, he said.
"I usually use some high-end photography to print up badges to really look like I am supposed to be in that environment. But they often don't even get checked. I've even worn a badge that said right on it 'Kick me out' and I still was not questioned."
Social networking sites have made social engineering attacks easier to conduct, says Blow. “We have all of the different social network platforms we can check now to gather information. Back in the old days, before Facebook and Twitter, if you wanted to find information on companies, you weren't going to find a lot on the internet. It was about casing out a place for a couple of weeks, seeing a bunch of stuff that's happening, going and checking dumpsters, and all of old-school hacker tactics,” says Blow.
But today social engineers and attackers have such tools, and they can go to sites like LinkedIn and find all of the users that work at a company and gather plenty of detailed information that can be used to further an attack. “It's now a matter of minutes that I can put together a good social engineering exercise, versus days and weeks in the past. And if I send out a hundred spear phishing e-mails, based on gathered information, it's almost a guarantee that I'm going to get a good hit rate,” he says.
“Most successful social engineering techniques for me are usually those that have me posing as a person in a peer position, seeking assistance. I'm not a fan of pretexts that are authority based (i.e., I'm a boss demanding assistance, or posing as an auditor). I do research on my target, and posing as a peer I can slip in the occasional gripe about the work environment. This usually helps create a bond between myself and the target, and the information begins to flow,” says Shane MacDougall principal partner Tactical Intelligence Inc.
When it comes to online scams, social engineers leverage both fear and curiosity, such as sending phishing emails asking if the target has seen videos of themselves or tech support scams claiming that the target’s computer has been breached. These scams are impossible for many to skip if they aren’t on-guard.
Social engineers also take advantage of breaking news events, holidays, pop culture, and other devices to lure victims. In Woman loses $1,825 to mystery shopping scam posing as BestMark, Inc. you see how criminals leveraged the name of a known mystery shopping company to conduct their scam. Scammers often use fake charities to further their criminal goals around the holidays.
Attackers will also customize phishing attacks to target known interests that can be leveraged to entice users to click on malware-laced attachments such as artists, actors, music, politics, philanthropic. Such tactics are also used on social networks, says Blow. “Maybe the attacker creates a fake Facebook app designed to harvest information. It could be designed to attract a user based on the things they already expressed an interest in, and from their you harvest their contacts and other information. You can start then building out these big social networks of exactly who they're connected to, and whether they are connected to anyone who would be another juicy target,” he says.
How can I educate my employees to prevent social engineering?
Awareness is the number one defensive measure. Employees should be aware that social engineering exists and be familiar with the most commonly used tactics. For elements of an effective security awareness program, see Seven practical ideas for security awareness and Now hear this!.
Fortunately, social engineering awareness lends itself to storytelling. And stories are much easier to understand and much more interesting than explanations of technical flaws. Chris Nickerson's success posing as a technician is an example of a story that gets the message across in an interesting way. Quizzes and attention-grabbing or humorous posters are also effective reminders about not assuming everyone is who they say they are.
"In my educational sessions, I tell people you always need to be slightly paranoid and anal because you never really know what a person wants out of you," said Lifrieri. The targeting of employees "starts with the receptionist, the guard at the gate who is watching a parking lot. That's why training has to get to the staff."
Social engineering tricks are always evolving and awareness training has to be kept fresh and up to date. For example, as social networking sites grow and evolve, so do the scams social engineers try to use there; see New social media scams: can you tell friend from foe?
But it isn't just the average employee who needs to be aware of social engineering. Senior leadership and executives are primary enterprise targets. See Whaling emerges as major cybersecurity threat; Work in finance or accounting? Watch out for ‘whaling’ attacks; and 10 whaling emails that could be by an unsuspecting CEO.
What are the bests ways to defend against social engineering?
Dan Lohrmann, chief security officer and chief strategist of security awareness training firm Security Mentor offers the following advice:
Train and train again when it comes to security awareness. Ensure that you have a comprehensive security awareness training program in place that is regularly updated to address both the general phishing threats and the new targeted cyberthreats. Remember, this is not just about clicking on links.
Provide a detailed briefing “roadshow” on whaling and the latest online fraud techniques to key staff. Yes, include senior executives, but don’t forget anyone who has authority to make wire transfers or other financial transactions. Remember that many of the true stories involving fraud occur with lower-level staff who get fooled into believing an executive is asking them to conduct an urgent action — usually bypassing normal procedures and/or controls.
Review existing processes, procedures and separation of duties for financial transfers and other important transactions such as sending sensitive data in bulk to outside entities. Add extra controls, if needed. Remember that separation of duties and other protections may be compromised at some point by insider threats, so risk reviews may need to be reanalyzed given the increased threats.
Consider new policies related to “out of band” transactions or urgent executive requests. An email from the CEO’s Gmail account should automatically raise a red flag to staff, but they need to understand the latest techniques being deployed by the dark side. You need authorized emergency procedures that are well-understood by all.
Review, refine and test your incident management and phish reporting systems. Run a tabletop exercise with management and with key personnel on a regular basis. Test controls and reverse-engineer potential areas of vulnerability.
Also, nearly all of the experts interviewed agreed that training, and supporting, the staff in their ability to question interactions when the situation doesn’t feel right, and support them in that ability, will go far in lowering social engineering risk. “Train your staff that it's okay to say no,” says Shane MacDougall, principal partner Tactical Intelligence. “We have traditionally taught employees that the customer is always right, and that we want to make sure the customer experience is smooth. Attackers use this to their advantage. Your staff need to know that if a conversation is making them get an uncomfortable feeling, or something feels off, that it's totally fine to terminate the interaction, or refer it to a manager. It's very important to back this up — if an employee annoys a customer over what they perceive as potential security issues, they need to know that you will have their backs,” MacDougall says.
Liberty Mutual’s Blow agrees: “You have to give your employees the freedom to say ‘no’ if they feel something isn’t quite right in a situation,” he says.
Are there any tools to help make this process more effective?
A number of vendors offer tools or services to help conduct social engineering exercises, and/or to build employee awareness via means such as posters and newsletters.
Also worth checking out is social-engineer.org's Social Engineering Toolkit, which is a free download. The toolkit helps automate penetration testing via social engineering, including "spear-phishing attacks", creation of legitimate-looking websites, USB drive-based attacks, and more.
Another good resource is The Social Engineering Framework.
Currently, the best defense against social engineering attacks is user education and layers of technological defenses to better detect and respond to attacks. No one expects any effective dedicated technical defense to social engineering to arise any time soon. Technical defenses will definitely help reduce the occurrence social engineering attacks. Detection of key words in emails or phone calls can be used to weed out potential attacks, but even those technologies will probably be ineffective in stopping skilled social engineers. Also realize that a lot of attacks take place outside of the workplace — striking up a conversation at a bar is an extremely effective way of getting information out of a target; this is where training and awareness can help,” says MacDougall.