TraceSecurity Security Services Manager, Nathan Turner, frequently performs social engineering testing for organizations of all sizes across all industries. In a recent interview, he answered seven questions organizations typically have about social engineering and how they can protect their company from cyber attacks.
1. What is social engineering and why should organizations be concerned about it?
Social engineering is a term used to describe social attack methods used by malicious individuals to gain access to sensitive company or personal information. The attacker may also want to gain access to an organization’s critical systems to cause interruption or destruction.
Often, social engineering involves what appear to be harmless personal interactions between an individual and an attacker. During these interactions, the attacker gains the trust of the victim, who in return provides the attacker (sometimes unknowingly) with access to sensitive information, critical systems, or critical areas. Sensitive information can include personally identifiable information (PII), private organization information, or user credentials. Critical systems can include servers and network infrastructure devices, while critical areas include the spaces that house the information, servers, and network infrastructure devices, as well as electronic/mechanical rooms that house critical facility equipment such as electronic control boxes and breaker boxes. Social engineering attacks can be performed in person or remotely.
An example of a remote social engineering attack involves an attacker sending an email to an unsuspecting victim in order to convince the victim to visit a malicious website. By visiting the malicious website, a virus or other form of malware could be downloaded unknowingly to the victim’s system. The malware could then provide the attacker access to sensitive information on the victim’s system or within the organization’s network.
An “in person” or onsite attack can occur when an attacker visits an organization’s facility and impersonates a service vendor such as an IT consultant or network administrator. The attacker may convince the organization’s employee(s) that system or network device updates are required and therefore gain access to personal computers. However, the attacker’s true intent may be to install a backdoor component that will enable them to access the system and/or the organization’s network at a later time. The attacker could also simply be looking for opportunities to gain unmonitored access to sensitive information or critical systems during the visit.
It has been stated that an organization’s greatest resource is its personnel. This would appear to be true since personnel play a key role in keeping sensitive information and critical areas secure. However, studies have shown that personnel can also be an organization’s greatest liability when it comes to data security. This is exactly why organizations should be concerned about social engineering. The human element has to be considered when attempting to keep information or critical areas secure. Social engineering attacks focus on taking advantage of human errors and/or lack of employee awareness. A quick Google search and review of one’s inbox indicates social engineering attacks, especially remote attacks, are happening all the time.
2. Why is social engineering so widely used among hackers?
Social engineering attacks do not typically require a lot of sophisticated technology and often take little effort to perform. Additionally, social engineering attacks can prove fruitful to an attacker in more than one way. In some cases, a social engineering attack may fail to provide the attacker with access to the information or systems originally targeted, but the attack may still furnish them with some critical information which could be used in a second attempt or perhaps as part of a more sophisticated attack.
3. Why do so many people fall victim to social engineering attacks?
Lack of awareness, which is typically due to inadequate security awareness training, makes staff members prime targets for social engineering attacks. Without security awareness training, human elements become a vulnerability. Attackers will attempt to use methods such as flattery, sympathy, intimidation, and distraction to con the victim into providing them access. A person susceptible to any of these tactics could potentially fall victim to an attack.
Also, weaknesses in the organization’s visitor authorization, escorting, and monitoring procedures may cause a successful compromise by a social engineering attack.
4. When performing onsite social engineering engagements, what are some of the tactics you use that are most likely to result in a compromise?
I’ve found the most successful tactic is to send spoof emails, which appear to be from a manager or administrator of the organization, to personnel at the location that I am testing. The purpose of the email is to request authorization of my fake vendor visit and access into non-public areas of the facilities.
Truthfully, it is easy to find email addresses and titles for an organization’s personnel. Once the key personnel titles and email addresses are identified, I can send emails which appear to originate from the proper authorizing personnel to the necessary employees of a location. With the spoofed emails sent, an organization’s employees often allow me to access the non-public areas of the facility and are often unconcerned about my presence around critical systems or information.
In addition to the spoof emails, I also like to keep things simple. While a lot of props may be fun and very useful for onsite social engineering testing, I’ve found keeping it simple and using only the necessary props is more effective. I focus more on my mannerisms and trying to make the employees comfortable with me. So yes, I utilize the human elements. If the situation calls for it, I will also use flattery and distraction techniques.
5. When performing remote social engineering engagements, what are some of the tactics you use that are most likely to result in a compromise?
TraceSecurity’s remote social engineering service includes testing by phone calls (a.k.a. vishing) and/or spoof emails which appear to originate from vendors and other common services (a.k.a. phishing).
When testing with phone calls, the tactics I use are pretty much the same as when I am performing an onsite test. The goal is to get personnel to provide sensitive information or take actions which could provide instant or delayed access to the organization’s network and critical systems. I have experienced the most success by focusing on my mannerisms to make the person comfortable while pretending to be a vendor of the organization’s computer systems or critical applications. I will usually drop a name from the organization’s IT personnel as the person who authorized the call. I will say that I am performing a critical security update and need the client to browse to a website and/or run a command on their system. During the testing, the websites are actually safe or don’t exist. The requested command to execute is also harmless. During a real attack, an attacker’s request would not be harmless. The website would be malicious, and the command requested to run could help further compromise the personnel’s system or the organization’s network.
6. What are the top five things you suggest an organization do or implement to protect itself from social engineering threats?
Implement an effective security awareness training course which thoroughly covers social engineering attack and mitigation methods. Training should not be a one-time-only activity but instead should be conducted on an ongoing basis.
In addition to training, social engineering testing should be performed periodically to help determine whether the training is effective.
Spoof emails are easy to create and can often be difficult to identify. Therefore, organizations should not rely on emails as a method to authorize facility visits. Verbal approval should be the preferred method to authorize visits or vendor interaction with staff.
Implement and constantly re-evaluate the organization’s visitor authorization, escorting, and monitoring procedures. Re-evaluations will help the organization identify and address vulnerabilities within its protocol.
Implement effective physical and technical security protocols as a supplement to the actions which are expected to be performed by personnel. For example, as a physical control, doors to critical areas should remain locked at all times to prevent unauthorized access.
7. What is the most effective strategy an organization can use to educate employees on social engineering threats and are there any tools available to help?
The most effective strategy an organization can implement is to provide ongoing training and testing scenarios for employees. I recommend that both be done at least once a year. If done once a year, I recommend providing the training first and then performing the testing and review about midway through the year. However, training and testing, especially testing, should not be performed around the same time every year. If so, employees will begin to learn the testing pattern and will be prepared for the test, but may become relaxed and unprepared for a real attack during the remainder of the year.
Organizations can create their own training courses and materials, but there are a number of third-party vendors who provide security awareness training and testing scenarios. The organization should evaluate which option is most feasible for their environment.