Social Engineering: Defence Against The Dark Arts
It’s an undeniable fact that we are all creatures of habit. From before we’re born to the moment we die, our entire lives are a never-ending series of patterns: from the fundamentals of learning human speech, to when we take our meals, and even when and how we go to work. Of course, there are those who will argue the opposite, but as security professionals it’s our job to look at these patterns and analyse them for any potential threats. Airline security procedures could be offered up here as a perfect example. As humans we have the innate instinct to trust people: our family and friends, our bank, our food suppliers and even our government. Even on the internet, we casually talk to friends on Facebook or make purchases using our credit cards. Much of this is based on trust. We trust that the person we’re talking to on Facebook is actually the person we think they are, or that the email I’ve just received from the bank is genuine. But what if it’s not? What if the letter is malicious? What if the person we’re talking to isn’t the person they claim to be? What are the possible consequences?
Social engineering is of course nothing new; in fact, it’s been around for thousands of years. A classic example is the famous story of the wooden horse of Troy. But in the modern digital world, social engineering has become the favoured weapon not only of cyber-criminals but of professional hackers alike. In the next section we’ll take a look at just a few of my favourite social engineering techniques and I’ll explain not only how they work, but also why. I’ll also discuss some remediation solutions.
Phishing: This classic attack method is what I like to call a drive-by attack, in that it doesn’t particularly target a specific individual. This catch-all method is excellent at blanketing, or throwing out a large net and essentially waiting to see what comes back. Typically, this type of attack can be technical, i.e. in the form of a malicious email, link or even a web page. It can also be non-technical, such as a phone call from someone pretending to be from your bank asking you questions about your account. In most cases this type of attack is successful because the attacker is attempting to elicit a response from the victim by informing them that there is something wrong that requires some form of urgent attention.
Your Netflix account is going to be locked out, or you have a virus on your computer that he or she can help you eradicate. In the early years these types of attacks were fairly common and easy to spot; there are literally thousands of examples on the web. But in recent times, criminals have been using increasingly sophisticated methods which on the surface can seem benign but in fact obscure something far more sinister. One example is the humble QR (Quick Response) code. It’s essentially a next-generation bar code which resembles a matrix or square containing a mishmash of jumbled-up characters. The problem with this type of image, along with shortened URLs (TinyURL), is that the receiver cannot verify the content until the link or code is clicked. And once activated, it’s potentially too late.
In a nutshell, many of these types of attack will play on fear and try to entice the victim to take some form of action. If it’s an email from your bank informing you that your account is going to be deleted, you have to ask yourself, firstly, would your bank ever send such an email, and why? The solution of course is simple: use a little common sense. If you are concerned, verify the information by calling your bank using an official phone number, and not the phone number indicated in the email. A little effort can quickly reveal the truth.
In the case of technical phishing (unsolicited emails, links, attachments and so forth): never click on links from an untrusted source or open attachments from people you don’t know. In the case of that scam letter that’s just informed you that you’ve won the Nigerian lottery, do yourself a favour and file it under rubbish. Remember, if it sounds too good to be true, it probably is a scam. There are of course variations on phishing. Whaling, for example, typically targets high-profile executives within a company (CEOs, CIOs, CTOs) in the form of targeted attacks, specifically for the purpose of industrial espionage and ultimately financial gain. In most cases, companies can prevent such attacks by adopting a solid corporate security policy and generating anti-social-engineering procedures. This can be done by building staff awareness through an internal or external security awareness training programme. Education and awareness are the best prevention.
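The two phishing points above (a shortened URL or QR code hides its real destination, and links in unsolicited email should be inspected rather than clicked) can be turned into a simple pre-click check. The following is an added example written for this article, not code from the original post: it pulls every link out of an HTML email body, compares the text the reader sees with where the link actually goes, and flags shorteners, raw IP addresses, punycode hostnames and userinfo tricks. The shortener list, the sample email and the `.example` domains are constructed for illustration; a URL decoded from a QR code can be passed straight to `assess_url` in the same way.

```python
"""Inspect links in an email body, or a URL decoded from a QR code, before
anyone clicks them. Added example for this article; the shortener list,
the sample email and the domains used are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress

# Constructed list of well-known URL shorteners: the link itself gives no
# clue about its final destination, which is the article's TinyURL point.
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "t.co", "goo.gl", "ow.ly"}


def host_of(url):
    """Return the lowercase hostname of a URL, or '' if there is none."""
    try:
        return (urlsplit(url.strip()).hostname or "").lower()
    except ValueError:
        return ""


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain.
    Enough to compare display text with the real target; a production tool
    would use the Public Suffix List instead."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def assess_url(url, display_text=""):
    """Return a list of findings for one link. An empty list means nothing
    suspicious was spotted, not that the link is safe."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return ["unparseable URL"]
    findings = []
    host = (parts.hostname or "").lower()
    if parts.scheme and parts.scheme not in ("http", "https"):
        findings.append(f"non-web scheme: {parts.scheme}")
    if host in SHORTENER_HOSTS:
        findings.append("shortened URL; destination hidden")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (internationalised) hostname; possible lookalike")
    if parts.username is not None:
        findings.append("userinfo before '@' can disguise the real host")
    # Display text that itself looks like a URL but points somewhere else.
    shown_host = host_of(display_text) if "://" in display_text else ""
    if shown_host and registrable_domain(shown_host) != registrable_domain(host):
        findings.append(f"text shows {shown_host} but link goes to {host}")
    return findings


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def scan_email_links(html_body):
    """Return {href: findings} for every link in the body that raised a finding."""
    collector = LinkCollector()
    collector.feed(html_body)
    collector.close()
    report = {}
    for href, text in collector.links:
        findings = assess_url(href, text)
        if findings:
            report[href] = findings
    return report


# Constructed sample of a fear-based "verify your account" email.
SAMPLE_EMAIL = """<p>Dear customer, your account will be locked in 24 hours.</p>
<p>Please verify now: <a href="http://tinyurl.com/verify-acct">http://www.mybank.example/login</a></p>
<p>Or call us via <a href="https://www.mybank.example/contact">our contact page</a>.</p>
<p>Statement: <a href="http://203.0.113.7/statement.pdf">Download</a></p>"""

if __name__ == "__main__":
    for link, notes in scan_email_links(SAMPLE_EMAIL).items():
        print(link)
        for note in notes:
            print("  -", note)
```

The check is deliberately offline: it never fetches the link, so nothing is "activated" while the reader decides. It is a triage aid rather than a verdict; the legitimate contact-page link in the sample produces no findings, and a clean result should still be followed by the article's advice of confirming through an official channel.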
Ransomware: Historically, the computer virus is nothing new of course, and the web is full of horror stories about their capabilities. Usually delivered through malicious links, mail attachments and rogue software, the humble virus can be used to deliver a malicious payload designed to steal confidential information or even damage a computer or its components.
What probably started out in the early years of computing as an innocent prank, with the virus often doing little more than delivering a silly message, changed when at some point criminals realised that selling drugs on street corners or carrying out complex bank robberies were risky endeavours. The solution was to create malicious software that could essentially deliver automated attacks, effectively allowing criminals to attack multiple targets simultaneously, with the ultimate goal of either damaging a victim’s machine or stealing personal or valuable data.
As discussed, viruses have been evolving since the early 90s, but in recent years we’ve seen a new type of threat emerge: ransomware.
Ransomware represents a new breed of malicious software which combines a traditional delivery mechanism, such as a malicious link or payload, with an added encryption sting in the tail. Once delivered, the malware proceeds to encrypt the victim’s data, rendering the computer useless. The victim is then, of course, offered a get-out-of-jail card, which normally involves the payment of a ransom. Obviously, once paid, the victim can only hope that the criminal will unlock their data, but in many cases, sadly, they do not. These types of attacks commonly target older operating systems such as Windows 7 or unpatched machines, and have sadly caused havoc for a number of large organisations worldwide, including the National Health Service in the UK.
Conclusion: I could write endless pages providing examples and detailed descriptions of both the physical and automated attacks that may be used against your organisation. But, to be honest, the internet is littered with thousands of them, all of which can be found by a simple Google or YouTube search.
Within the scope of this article, I’ve tried to provide a description of what social engineering is and how its many facets can be used to steal data or cause malicious damage. So, the question you’re asking now is probably: how on earth can I defend myself from these attacks?
To be honest, there’s no golden ticket here. The modern cybercriminal has become a professional, and the business of exploiting countless victims is ever evolving. Technology changes constantly, and new attack vectors are emerging all the time. The Internet of Things (IoT), robotics, mobile apps and the blockchain will all provide the criminal with new opportunities, and as security professionals we have to be ever vigilant. But if I had to offer some advice, it would be this. Many of us approach cyber-defence from a technical standpoint, and it’s assumed that in most cases the hacker can circumvent the modern network’s defences fairly easily. So the chances are that the bad guy is already on your network. If you are going to view this purely from a technical standpoint, start thinking in a different way: instead of keeping the bad guy from getting in, start protecting your data so that it cannot get out. The use of encryption, information protection, rights management and file classification can mean that even if the bad guy gets your data, it’s useless to him because it’s encrypted or has some kind of call-home feature.
So simply considering a technical resolution is not the answer; you need to think like management. If your organisation doesn’t have a security policy, then one should be adopted. From it, a strategy can be drawn up on how your business deals with the threat of social engineering. In doing so, staff can be trained to a uniform standard in procedures covering everything from how calls should be answered, to how visitors are admitted and escorted around buildings, and even how unsolicited emails should be dealt with. Once adopted and implemented, the threat of these types of attacks, though never completely mitigated, will hopefully be greatly reduced.
(c) Copyright 2019 Andy Malone