Social engineering is the process of deceiving someone electronically, in person, or over the phone, with the sole purpose of breaching (fracturing) some level of security within a company. Using psychological manipulation, an attacker attempts to lure the victim into disclosing sensitive or confidential information.
Humans are, by far, the weakest link in any information security system.
Today social engineering attacks are far more sophisticated than they were a decade ago. They’ve morphed from Ripple wine to Romanee-Conti.
Social Engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology. — Kevin D. Mitnick | The Art of Deception.
Critical Thinking Skills Are Necessary
At Defcon 2012, Shane MacDougall used social engineering tactics to hack a Canadian Wal-Mart store manager. It took MacDougall only 20 minutes to get a complete picture of the entire store’s operation, earning him the title of champion of Defcon’s 2012 social engineering “capture the flag” contest. MacDougall told CNN Money that he believes social engineering is the biggest threat to the enterprise because corporations spend all the money on securing their networks but spend zero dollars on awareness.
Though it has been argued that you should not train employees for security awareness, I disagree. I emailed Graham Cluley a few days ago and told him that I was leaning toward social engineering as a major security threat for my 2015 prediction — with us mere humans being the weakest link in the security chain. He responded: yes, I agree, social engineering is a definite HUGE challenge.
Critical Thinking Skills Reemphasized
In a Dark Reading flash poll on Hacking Humans, 56 percent of 650 survey respondents believe that the most dangerous social engineering threat to organizations is that employees aren’t aware of it. If employees are unaware because they lack critical thinking skills, then they need to learn not to accept everything at face value in order to protect company assets.
If your annual company security trainings consist of boring, deadpan security policies, that’s blanket training. If the trainings are not honing any critical thinking skills, that’s rote.
The goal should never be to develop a paranoid employee pool. You certainly don’t want your workforce showing up at work every day with their backs arched (hackles raised), teeth bared and hissing at you. Right? The goal should be to embed security training into company culture and weave real-world (social engineering) security-threat scenarios into the fabric of the daily work beat, whether in the form of role playing [such as tailgating] or testing employee gullibility by shooting Jack a faux email. The overall goal should be to encourage employees to become more vigilant.
Social Engineering Redux
Even if an employee does not have higher-level access to restricted areas of the network, they still have adequate access credentials to enable a social engineer’s entrance into the company network. Regardless of where an employee sits on the company food chain, the methods used to apply social engineering tactics to a human in any organization are as multitudinous as the methods used to attack hardware and software.
In The Art of Deception, Kevin Mitnick devoted an entire chapter to entry-level employees:
An attacker targets entry-level employees because they are typically unaware of the value of specific company information or of the possible results of certain actions. Also, they tend to be easily influenced by some of the more common social engineering approaches: a caller who invokes authority; a person who seems friendly and likable; a person who appears to know people in the company who are known to the victim; a request that the attacker claims is urgent; or the inference that the victim will gain some kind of favor or recognition.
Awareness is the Key
Monitor what is coming in and going out of your organization and help your employees gain critical thinking skills in the area of company security and social engineering tactics. Placing the responsibility on an employee to read and understand company security policies is counter-intuitive. Too many employees will find these policies boring and filled with too much niggling legalese. In the past, I’ve sat through many orientations and annual refresher mandates where I had to read binders of company policies; I always felt like I was trapped in a tank with half a dozen blowfish.
Raising people’s awareness and instilling a sense of shared responsibility for protecting vital information assets is critical to securing them against the two most common threats: malicious insiders and external cybercriminals. — Jon Ramsey | Dell
Harden The Human
You would never let a toddler run out into the middle of the road alone to retrieve her discovery ball. Would you? Though employees are obviously not toddlers, many are naive to social engineering tactics. Humans are innately curious and would naturally want to help the vendor (who slipped through the front door) by giving him directions to the company cafeteria. Or they might pick up that ultra-sleek USB stick they found in the parking lot and peruse it at their workstation later. If employees are unaware that the USB stick could breach their company network or that the vendor is not really a vendor, and if the company has no verification channels in place, they are merely functioning like a router with a disabled firewall, inviting the bad guys (and gals) in.
Take the Social Engineering Quiz — how did you score?
This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit TechPageOne. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.