Originally posted here on May 25
Social engineering is commonly misunderstood and even ignored by businesses because it’s a harder concept to grasp when businesses can point to firewalls or antivirus patches for their cybersecurity protection. Alarmingly, only 3% of malware will try to exploit an exclusively technical flaw whereas the rest targets people through social engineering (KnowBe4). Social engineering has been around for far longer than computers were even thought of, the con artist was somewhat of an early form of this.
“Now we can join the two worlds of social engineering and technology to make it a very difficult type of attack to stop.” — Bastien Treptel, Co-Founder of CTRL Group
Technology is now helping people with creative social engineering techniques. Affordable and accessible devices can allow you to copy people’s voices or typing patterns. For example if you have a few minutes of someone’s voice online, you can download it and put it into an AI or ML system. This will synthesise the voice so that you can call up anyone pretending to be that person. The game keeps changing because new tools can be used to trick us into thinking that a claim is legitimate, and often those tricks will harp back to original human emotions. Essentially a successful social engineer is trying to achieve access into an organisation that they wouldn’t otherwise have, whether it be to get identities, data or just access to a function or asset.
“It’s a shame that businesses aren’t thinking about these things because it is by far the easiest way to get into an organisation.”
The biggest challenge with social engineering is education, which is perhaps the cause of why it is so misunderstood. The pain in this misunderstanding is how the onus falls on the IT department to protect data and systems. This department is great at technical solutions, such as enabling endpoint protection, firewall, and antivirus systems, however these solutions are limited to the technical realm. There needs to be involvement with the business leaders and other departments because social engineering attacks require the attention of a holistic mindset. This kind of thinking will allow for fairly simple preventative measures to take place, such as mandating a question that everyone in your office needs to ask, for example “How was your weekend?” And have a specific response to it that changes monthly. This isn’t a technical solution but it’s enough to scare a hacker away because it’s confronting.
A typical ethical attack carried out by CTRL Group would involve gathering as much information as possible. This would be information about the business, its employees and their roles. Even getting onto the dark web to see if anyone who works for that company has been in a previous breach, because this could reveal some useful passwords. The team will make sure to have a fair bit of information about the organisation before they go anywhere near it, understanding the people and who’s in what role (often sharing the name of the IT manager will get you through the door).
Then they look at taking the path of least resistance. An example could be to call the accountant and mimic the CTO with the voice mimicking tool and ask them to pay money to an account and tell them you’re going to send an email so they can verify it’s you. With this tactic you’ve essentially ensured them that you have two forms of verification, voice and email. A simple strategy to overcome this vulnerability is to have multi-factor authentication, or make your two factor authentication an outbound, such as calling back the number yourself to check that it was the right person calling.
“The hacker mindset is just curiosity.”
Psychology, cultural trends, and news are all tools used by hackers. The current global pandemic of COVID-19 has seen the cybersecurity landscape shift and increase in orders of magnitude. A lot of hackers are using this opportunity to use the natural goodwill of people wanting to help victims and healthcare workers. Criminal organisations even use the help of psychologists to understand when humans might be vulnerable and then create scripts for people who will make calls to unsuspecting victims.
Social engineering remains as one of the top causes for successful exploits along with unpatched software, as they have been for over three decades now. It’s time to get your whole organisation talking about this and treating it like the threat it actually is.