Social engineering is 'psychological hacking'

By Michelle Avenant, portals journalist.
Johannesburg, 19 May 2016
Social engineer Jenny Radcliffe explains how one convincing person can bring cyber security to its knees.

All the investments a business makes into cyber security are "meaningless" if it does not take steps to protect itself against social engineering, said social engineer Jenny Radcliffe, of Jenny Radcliffe Training, at the ITWeb Security Summit 2016 in Midrand on Wednesday.

"People are the weakest link" in any security system, said Radcliffe, and a social engineer does not "need to fool all of the people all of the time. [They] just need to fool the right person, one time".

"As the [security] tech gets better, the people stay the same," and businesses need to become more aware of social engineering as "psychological hacking", she urged.

Social engineers prey on a variety of instinctive social responses to gain information that can be sold or used to hack into a company, Radcliffe explained.

Commonly, a social engineer may develop a close personal relationship with a key member of an organisation, until they are trusted with information and access to the company, she said.

Social engineers can also gather information about the inner workings of an enterprise quite easily through casual conversation with current or former employees, particularly those who are or were dissatisfied with their work there and are likely to sound off about their reasons for this, Radcliffe reported.

The same is true of people or organisations a company has "annoyed," such as their suppliers or partners, she added.

A particular trick some social engineers use is to gather basic information about an employee, namely their job title and approximate salary, and then phone them pretending to be a head-hunter with a lucrative new career offer for them, Radcliffe reported. In this situation, employees will typically give away detailed information about their work and the company's processes if they believe it is in the interest of proving their eligibility for a more rewarding job, she explained.

Blackmail is another element of the social engineering industry, Radcliffe continued, explaining that in addition to using the information they have already found to extort money or more information from a firm, these attacks can become more personal, for example if a social engineer finds out information that enables them to threaten the safety of individuals or their family members.

Dangerous assumptions

While many fall victim to social engineering simply because they trust too easily, the assumptions people make about other people can also form part of a social engineer's arsenal, said Radcliffe.

"People expect hackers to look a certain way," and this means that social engineers who do not fit stereotypical 'hacker' or criminal profiles can find an easy pathway into a company because nobody perceives them as a threat, she explained.

Social engineers can also use authority ploys to gain access to a company's premises, simply by adopting an authoritative communication tone with low-ranking staff, by claiming they have been employed by the enterprise to perform certain tasks, or by using information such as other employees' names and job titles to create the illusion they have been invited onto the property or are trusted by other members of the firm, Radcliffe added.

Even Edward Snowden adopted this technique, obtaining several NSA employees' login credentials by telling them he needed them to complete his work as a systems administrator for the agency, Radcliffe reminded attendees.

Furthermore, persuading employees to open a door that is usually locked, and leave it open, is too often a simple matter of sticking a printed-out paper notice to the door that says "Please DO NOT SHUT THIS DOOR. Thank you," Radcliffe observed.

Social engineers often work in tandem with cyber attackers to hack into a company, she continued, adding that gaining physical access to a commercial property is often for the purpose of implanting surveillance devices - for example, a camera hidden in a mundane object such as a water bottle - in critical areas, or of injecting malware into a computer via a USB drive.

Fighting back

While social engineers can be remarkably crafty, convincing and manipulative, it is possible to take security measures against these kinds of attacks, said Radcliffe.

Fortunately, most employees can understand and identify with the mechanisms of social engineering better than they can "the technical stuff", she reassured.

All staff should be trained in social engineering, and particularly in thinking like a social engineer would, for example via exercises in which they pretend they are a social engineer trying to access the company, and think about how they would do this, said Radcliffe. Learning to recognise social engineering vulnerabilities and techniques will make staff more likely to recognise when they are being targeted, she explained.

While many companies think it is just the corporate "big fish" who are targeted in these kinds of attacks, businesses should be aware that some social engineers practise on small companies "for fun", but are likely to move on to another small company as soon as they run into an obstacle, because they know that easy targets are plentiful, Radcliffe warned. For this reason, just one complication or savvy staff member can be enough to send certain casual attackers packing, she noted.

'Don't call me soft'

In conclusion, Radcliffe warned businesses against viewing social engineering as a "soft" skill.

"Don't call me soft. I can kill you with my brain," she said, adding that one does not need advanced technology to execute a social engineering attack - merely a phone, some cheek, and "lots of courage".

It is important to remember, too, that "this is a very low risk, high-reward crime", she said.