09-07-12 | Blog Post
Social engineering is an amorphous subject. In essence, the idea is to coerce someone into giving you information and/or access that, by all accounts, you shouldn’t have. However, the ways that social engineers can maliciously get anything from credit card information to usernames and passwords is almost infinite.
And why not use this method? If I had the choice between breaking a door down, or having someone from inside opening it for me, I can assure you it wouldn’t take me long to decide which one to pick. Social engineering in many cases can be easier than trying to break into a system, and could leave the hacker with less fingerprints on the proverbial door-knob. Likely, most people are at this point familiar with Mat Hunan’s story from Wired Magazine. In just half an hour he had all his passwords changed, his phone, tablet, and macbook wiped, as well as his Google account deleted. Goodbye baby pictures of his daughter, and extensive contact list (among many other things). All this because the hacker liked Hunan’s Twitter handle, and wanted to get into the account. The social engineer was able to do this by calling up the support lines of both Apple and Amazon, and gathering enough info from one rep to call the other and get a temporary password sent. Once he was in, he locked Hunan out, and proceeded to completely destroy his online presence.
Other examples of social engineering tactics can include simple things like a man dressed as a UPS worker standing outside an office, looking for help with the door. An email designed to look like a large (and trusted) company explains that there’s some security trouble, and needs you to follow this link and enter your username and password so you can change it and keep your information secure. A virus-laden USB drive left around the office, waiting for the first unsuspecting worker to plug it into their computer so they might find the owner in order to return it.
If there are so many tricks and tactics used by social engineers to get this information, why aren’t people more aware of the risks? A fundamental issue as illustrated by Bruce Schneier in the TedTalks lecture Bruce Schneier: The Security Mirage, is that security is split into Feeling and Reality. Feeling secure and being secure are two different aspects of the same concept, and this oftentimes is the gap that social engineers sneak through. If someone dressed as a police officer or an auditor walks up to you, there’s an inherent feeling of safety and security. I spoke with Steve Aiello, Sr. Systems Engineer, CISSP at Online Tech, who explained to me that ‘security is a mindset. It’s important to look at each situation before giving information and wonder ‘What is the motivation behind this? Why do they need this information?’
He went on to talk about specific examples of instances when hackers had attempted to get information from him. “People used to contact me all the time offering jobs. They would explain this great opportunity and spend some time with me on the phone. Then they would send me an application that requested information like my social security number. Simply doing some research on the company I found that they weren’t a real business, and told them I wouldn’t give them any information. They can be really patient too, I remember him spending a lot of time on the phone trying to convince me.”
Asking yourself why someone needs the information they’re asking from you is one of the simplest ways to catch some of these threats. There should be no reason that anyone would need your login credentials. So if someone’s asking, you need to wonder why. Also, be aware of what the information you’re giving out can potentially do. What can someone do if they know your email address? Your home address? Your phone number? It might not be as obvious as ‘give me your bank account number’, but with just a few details and a little research it won’t be hard for a social engineer to get everything they need.
Steve also explained some other measures you can take to keep yourself and your business as safe as possible: ‘Nothing can fully prevent social engineering from happening. Antivirus is useless if you’re a specific target because they’ll get their information from people. That’s why it’s so important to train your employees. You need to have very specific processes, and they need to be followed exactly. Also, the workers need to know that they have support from their superiors. I always say if a client is upset because of a process that we have in place, and that makes one of our support individuals uncomfortable, let me talk to them. I’ll back them up so they know it’s okay to push back on those clients. I usually get on the phone and explain that the process is in place for their safety, not to be inconvenient. Getting that backup means I have a better chance that they’re going to follow that process, and keep our center more secure.’
In a world of ‘the customer is always right’, this is something that needs a little more focus. A customer service individual might get nervous when the person on the other end of the line starts getting upset, and could potentially bend or break the rules to make them happy. After all, their entire job is to help give the customer what they want or need, and to have them leave feeling that they had a good experience. Knowing that they can say no when appropriate can keep a business safer.
It’s also important to make sure the staff understands not just what processes are in place, but why they are. Understanding the reason behind a rule is going to make them less likely to break that rule when put in a bad situation. Much like having a supervisor back them up, a reason for the process gives the worker’s action (or inaction) weight and validity, instead of that ‘why am I even doing this’ feeling. If something doesn’t seem important, it’s much easier to forget or disregard.
Lastly, keep in mind that this education and awareness is ongoing. While it might take some time and money to continually and periodically train employees, it’s nothing compared to what a security breach could cost in the future. Training sessions, testing, and reinforcement are some of the best investments a company can make to keep the social aspect of their security as impenetrable as possible.
About Steven Aiello
Steven Aiello is a Senior Systems Engineer with Online Tech, the Midwest’s premier managed data center operator. His certifications include CISSP (Certified Information System Security Professional), ISACS CISA, VMware VCP ( VMware Certified Professional), Cisco CCNA ( Cisco Certified Network Associate), Comptia Security+,and Certified Incident Responder (New Mexico Tech).