As networks and endpoints have hardened, hackers have turned to time-tested exploitation of human psychology. Whether in the digital or physical realm, neglecting the risks of social engineering could put companies in a precarious position.
In a previous blog post, we described how network penetration testing contributes to a proactive approach to vulnerability management. However, hardening endpoints and networks is not enough. As networks and endpoints have hardened, malicious actors have begun to exploit human vulnerabilities, manipulating people into revealing sensitive information or acting in a “harmful way”—a practice known as “social engineering.”
Humans have always been targets for social engineering. According to mythology, during the Trojan War, the Greeks infiltrated the walled city of Troy by hiding inside a large wooden horse that the Trojans mistook for a victory trophy. When the Trojans went to sleep at night, the Greeks slipped out and captured the city, ending the war. In the 1960s, Frank Abagnale Jr. impersonated persons from more than six professions, tricking numerous people and organizations, including Pan-Am Airlines, into believing he was someone who he was not. Social engineering has migrated into the digital world and is one of the most pressing vulnerabilities that organizations face today. The New York Times, RSA, Target, the Office of Personnel Management, the Department of Justice, and the Department of Homeland Security are all victims of devastating social engineering attacks.
ANGLING FOR ACCESS
Suppose you’ve just received an email notification from your company’s email provider. According to the notification, your account was recently accessed by a computer in a country that you’ve never been to. You’re prompted to click on a link and enter your username and current password to reset your account. Should you? Is this a legitimate alert or a phishing attempt? How do you know?
It’s estimated that 91 percent of cyberattacks originate from social engineering in the digital realm, known as “phishing.” Phishing is characterized by a purportedly legitimate communication, usually an email, that hides malicious intent. An attacker attempts to coerce you into disclosing sensitive information (usernames, passwords, payment information, and so on) or trick you into opening a malicious link or attachment.
The stereotype of phishing attempts is that they’re farcical and obviously implausible, like emails from the now infamous Nigerian princes. This common perception is problematic because modern phishing attempts often masquerade as legitimate entities, carrying a polished and trustworthy veneer (logos, iconography, and professional language). Modern phishing attempts have also abandoned outlandish content in favor of more relatable and commonplace elements. A phishing attempt may mimic an account breach alert or include an attachment carrying a routine label like “project update” or an interesting label like “payroll information.” Even generic and automated phishing attacks have adopted these characteristics to arrest your criticality and exploit your trust.
While most phishing attacks are generic and automatically distributed to hundreds or thousands of recipients to maximize the likelihood that someone is exploited, some phishing attempts target specific people or groups of people. These targeted phishing attempts are termed “spear phishing” or, for important and influential targets, “whaling.” Spear phishing attempts to personalize attacks by including information relevant only to their targets. Most of the information is readily available on the Internet, and, with widespread social media use, a cursory search can yield rich personal information that can lend phishing emails credibility. After all, we’re more likely to open an email from a “relative” or “colleague” than an email from a stranger.
To prevent phishing, companies should incorporate multiple layers of security. In addition to leveraging software and establishing and enforcing proper protocols, companies should train employees to recognize social engineering attempts and should nurture a culture of security. Security awareness training is the most effective way to educate users on what methods attackers will use to try and obtain access to sensitive corporate assets. Training should cover threats that target individuals in an attempt to gain access to a facility or data contained within and be based on real world examples. The objective of the training is to prepare you to identify security threats and strives to develop heightened security awareness.
NOT JUST A CYBER ISSUE
Social engineering in the physical world is no less dangerous. A social engineer may adopt a trustworthy persona, like that of an IT technician or delivery person, or a believable story. An employee may not think twice about letting a “trustworthy” person follow them into their building. Once inside the building, the person has access to sensitive information, and, given the right pretext, employees are likely to divulge even more details. For example, as you scan into your office building, you see out of the corner of your eye a delivery man with a package jogging toward the door. Should you close the door on him, or is that rude? When he gets inside, do you ensure that he delivers the package to the right person, or is that not your job? Proper security training and awareness and the right physical security protocols can prevent situations like these and the breaches that may result.
How do you know if your company is prepared against social engineering attacks? Cybersecurity firms often offer social engineering penetration testing that pits professional social engineers against your employees and your company’s security protocols. These white-hat social engineers leverage the full range of social engineering techniques (telephonic, electronic, and physical) to assess and identify latent vulnerabilities before they are exploited by malicious actors.
Universal human vulnerabilities make every employee susceptible to exploitation. While technological solutions and security protocols can improve your resilience to social engineering, employees should be the focus of any security plan. Security-conscious employees can be nurtured through training and awareness. As companies invest in hardware and software to improve their cybersecurity posture, they shouldn’t ignore the threat of social engineering and the vulnerabilities posed by complacent employees.