On 20 June 2017, CWSI and Check Point Software Technologies hosted a joint event in Dublin, and I had the pleasure of hearing Jenny Radcliffe—aka “The People Hacker”—share her knowledge and highly interesting stories from her career (as the good guy) in social engineering. From talking to prospects and clients, I have noticed that the vulnerability of the human element still tends to be somewhat overlooked, and so with my background in psychology, I was delighted to see the amount of interest this topic sparked on the night.
What is Social Engineering?
For those less familiar with this term, social engineering—also known as “human hacking”—uses cunning ways of tricking people into disclosing confidential information, such as login credentials, to gain access to networks and accounts (Conteh & Schmick, 2015).
What are these ways, you ask? This is the dangerous part—it can be any kind of manipulation technique that gets the targeted person talking. Think flattery, praise, excitement, fear, blackmail, etc. And with technology constantly getting more sophisticated and complex, it is the human element in organisations that is seen as the easiest target to go after. So rather than trying to disable all security cameras and open the heavily guarded safe door using the most innovative and expensive gear, the hacker will use psychological methods to get the teller to practically hand over the gold bars.
Your typical hacker
Surprise!—there is none. The typical image of the hooded man in his mid-30s hunched over a PC in the middle of the night is long gone. Misplaced suspicion is another reason why social engineering is so dangerous and fast-growing. People are often manipulated by someone they would never have thought could be a hacker.
Firstly, it is no longer a man’s world; this list of notorious female hackers is just the tip of the iceberg. What’s more, we now have teenage kids able to get into the most secure places in the blink of an eye. The new “Gen Z” have grown up in the digital age and are well familiar with the technology around them, getting what or where they want without much trouble. Earlier this year, the National Crime Agency (NCA) reported that youngsters get to exploit the dark side of the Internet particularly through the use of video game consoles, such as PlayStation and Xbox.
So what are these hackers mostly after? That exact question was asked by Chitrey, Singh, Bag, & Singh (2012), and so they approached a number of IT professionals with a questionnaire to identify attacker trends. See their findings in the graph below:
Getting to the roots of your deepest secrets…
The bottom line is that organisations need to be extremely cautious, as practically anyone can be a hacker. However, it is not just the C-level employees that are being spied on. Even the most junior employee in a company needs to enter the building to get to work every day, and this is all a fraudster needs—a way in.
The same study conducted by Chitrey et al. (2012) showed that it is in fact the new employees who are most likely to fall prey to an attack by a social engineer. Not only is this because they are new to the company’s policies and procedures, but as people try to be helpful, they become more vulnerable and, in some cases, careless.
As individuals, we have our secrets and a private life we care about. This is the particularly vulnerable side of all humans that social engineers tap into to get what they desire. They build an entire profile based on what we are familiar with—our likes, hobbies, friends, family, places of interest, etc.—and use these to craft cleverly formatted messages that we will trust and fall for. Luo et al. (2011) identified a four-step process to an attack:
In terms of the actual attack, phishing, cookie thefts or using fake WAPs are some of the most common hacking techniques to extract the sought information.
So, next time you are at Starbucks sipping your morning latte, you might want to resist the urge to join that free hotspot on your phone. Why? Because it could have been easily generated by the lady sitting over by the window pretending to be working on her Mac. Man-in-the-Middle (MitM) attacks are very common, and unless you have the means in place to protect yourself from such threats (and luckily we do), the potential exposure and leaked data are just too great. Imagine just one of your employees accessing a sheet containing all sorts of PII about your clients that could get into the hands of a hacker. How do you respond to this breach under the new GDPR’s 72-hour window? The answer is simple: either a) you will not be able to, or b) the hacker now possesses a very powerful tool to blackmail you with. Either way, you will pay for this dearly (4% of global turnover or €20 million, whichever is greater according to GDPR’s fine levels, or whatever the hacker’s demands will be).
Here we have looked at just a few examples of the risks that social engineering poses to organisations, and it certainly is a topic that deserves attention. As Jenny showed us on the night, everyone is hackable. Even if you try to remove your social media footprint, social engineers will always find a way to get to you. In many ways, their approaches are often very simple and do not require complex technology to be executed. As a result, social engineering is considered to be low-risk but high-reward, and that is exactly why it has been so successful.
Luckily for you, there are ways to strengthen your shields and minimize the human vulnerability in every organisation. As mobile devices have become an essential part of our lives (and in most cases, part of our very being), we at CWSI have partnered up with the industry’s leading vendors to help organisations embrace mobility while we provide you with security and compliance – and of course, with peace of mind.
Chitrey, A., Singh, D. & Singh, V. (2012). A comprehensive study of social engineering based attacks in India to develop a conceptual model. International Journal of Information and Network Security. 1(2):45-53.
Conteh, N. & Schmick, P.J. (2015). Cybersecurity: risks, vulnerabilities and countermeasures to prevent social engineering attacks. International Journal of Advanced Computer Research. 6(23):31-38.
Luo, X. et al. (2011). Social engineering: the neglected human factor for information security management. Information Resources Management Journal. 24(3):1-8.