Living at the height of the Information Age means information security has never mattered more. With more people and businesses going paperless, there is an ever-increasing need to keep digital information secure. The CIA triad, the Confidentiality, Integrity, and Availability of a company's data, is a general model designed to guide information security policy inside an organization. Confidentiality refers to the privacy of data: making sure that only people who are allowed to access data are able to access it. Integrity refers to maintaining data's accuracy and trustworthiness: making sure that data cannot be altered by an unauthorized person. Lastly, availability refers to the ability of an authorized person to access data whenever they need it.
Cybercrime is a billion-dollar industry built upon hackers breaking an organization's CIA triad. This includes, but is not limited to: selling classified information after violating a company's confidentiality; deleting important research data, setting a company back and allowing a competitor to get ahead, which violates integrity; or locking an organization out of its own servers with ransomware, denying the data's availability. Because cybercrime is such a lucrative industry, there is a myriad of techniques that hackers use to break into a company.
An Overview of Social Engineering
Social engineering is one of many dangerous threats to information security. It uses psychology to deceive and manipulate people, with the goal of extracting personal and confidential information from unsuspecting victims, which may then be used for fraudulent purposes. Employing a social engineering technique can be split into three parts: the initial act of intrusion, the social aspect of preparing and carrying out the intrusion, and finally the acquisition of something of value.
Social engineering can be used to achieve many things, ranging from something as simple as obtaining a player's login credentials for an online game and taking over their account, to gaining access to an organization's network and, with it, valuable confidential information. This article focuses on the latter, more damaging use. However, to demonstrate what social engineering looks like, let us take a brief look at the former example:
- Low level: The hacker messages a player of the game, impersonating an employee of the game's company, and claims that something is wrong with the player's account and that they require the username and password to fix it.
- Mid level: The hacker again impersonates an employee of the game's company, but this time messages with a limited-time offer of something appealing to the player, stressing that they must act fast or the offer will expire. The social engineer then attempts to get the player to hand over their login details and uses them to access the account.
- High level: The social engineer messages the player saying that something is wrong with their account and that they will be banned unless they fix it by visiting a website. This site looks identical to the game company's own, but is controlled by the hacker. When the player enters their login information, they are in fact transmitting it to the hacker. From there, the social engineer can change the password and completely take over the account.
While the above could be considered a mundane and relatively harmless use of social engineering, the same approach is easily adapted to steal credentials for email or online banking. The recent PayPal scam was essentially the high-level example above: hackers sent phishing emails claiming to be from PayPal, saying that the recipient's account had been closed and that they needed to click a link, which led to a realistic PayPal look-alike site controlled by the hackers. When users typed in their login details to reopen their accounts, they handed those details to the hackers, who could then enter the same credentials into the genuine PayPal website and access the accounts.
The initial act of intrusion was sending the phishing email; the hackers then prepared and carried out the intrusion by creating the fake website and directing victims there; and finally they acquired many sets of login credentials. This violated the whole CIA triad: the PayPal accounts were no longer confidential; their login credentials were changed, violating the integrity of the accounts; and, as a result, the accounts were no longer available to their owners. This shows how powerful a tool social engineering can be, as it can directly or indirectly violate the confidentiality, integrity, and availability of data.
There is an ongoing debate about the best way to counter social engineering. Some believe it should be through technological means such as filters and scanners, so that the user is never even aware of the attempt. The other side of the debate focuses on the human aspect and asserts that education and awareness of social engineering tactics is the best way forward. While technological countermeasures can be effective, especially email filtering to counter phishing, relying on them alone is not enough, because they do not address the root problem: social engineering preys on the susceptibility of people, so educating employees and making them aware of social engineering techniques needs to be part of the solution.
To help ensure corporate information security, it is essential that employees are aware of the many different social engineering techniques that can be used against them. If employees are educated about the plethora of attacks they may face, they will be better prepared to recognize and deal with such attacks when they arise.
Social Engineering Fundamentals
There are a variety of social engineering techniques in use today. To use them, a social engineer first needs to develop a sense of trust with the target. This can be done in many ways, such as impersonating an employee or contractor, or reciprocation by exchanging favors. This opens a communication channel that the hacker can exploit, asking for small favors at first and gradually increasing the size of the request until the employee does not even realize how much information they are giving away, or to whom. This is especially successful against customer service desks and help desks, because they are designed to be helpful rather than to question the authenticity of every call. If every call were questioned, the service would become extremely inefficient, which could itself be used as an attack: a denial of service against the customer service phone lines.
Using technology to change one's voice to sound female is said to lower a target's guard, as women are believed to be more persuasive and are perceived as less of a threat. Because voice-changing software is cheap, it is a small price to pay for what could make the difference between a successful and an unsuccessful attack.
Trust can also be built through a method known as reverse social engineering. Here the hacker creates a problem for an organization and then makes himself available to fix it. On the social engineer's arrival, the target is so grateful for the help that they are already inclined to do favors for them. Once the problem is solved, the target is in the hacker's debt and will be willing to reciprocate with a favor of the hacker's choosing. While this requires a lot of planning and research, it is a highly effective tool for establishing trust.
There are other methods of social engineering and of establishing trust, such as phishing and tailgating. The next section describes these in more detail.
Types of Social Engineering Techniques
Phishing scams are the most common social engineering attacks in use today. Most take the form of an email and try to extract personal information such as the target's name, address, and bank account details. Most phishing emails exploit a sense of urgency, telling the reader that they must act within a certain time or something bad will happen, such as missing out on an opportunity or having their account closed, in order to make the reader panic and act without thinking.
Other phishing emails pretend to be from a well-known company and provide a URL that looks genuine but in fact leads to a website controlled by the hacker. That website may use drive-by downloads to install malware on the visitor's computer, or impersonate a known website to trick the visitor into entering account details. Phishing emails are generally sent to a large number of people and may be poorly constructed, going for quantity rather than quality. Once responses come in, the attacker analyzes them to identify promising targets and follows up with more carefully crafted messages.
Spear phishing is a more targeted version of phishing. Instead of casting a wide net and reeling in a lot of people, it targets specific individuals. For example, a mass phishing email will open with the salutation "Dear user," whereas a spear-phishing email will address the recipient by name, which makes the email seem more legitimate.
Vishing, also known as phone phishing, uses voice calls to extract information from unsuspecting people. It can be used in several ways: calling people at home and extracting account details through a fake interactive voice response (IVR) system that convinces them they are talking to their bank, or vishing the support staff of a company where the victim holds an account. The latter can result in employees giving away information about account holders and, in more extreme cases, can let the hacker take control of other people's accounts.
It is therefore important that customer support staff are educated about and warned against vishing. There need to be strict verification protocols in place that employees can follow when such a request arises.
Baiting is very similar to phishing; the main difference is the hook or "bait" that the hackers use. The bait can be physical or digital: physical media such as CD-ROMs or USB drives, or digital downloads such as free MP3s or videos. The content of the bait is carefully chosen to tempt people by appealing to their greed or curiosity, for example a USB drive labelled as containing employee salary information. This appeals to both curiosity and greed, since an employee would want to see what their co-workers are paid and whether they themselves could be earning more.
Quid Pro Quo
Quid pro quo is similar to baiting in that the hacker offers something in exchange for information; the difference is that the hacker offers a service rather than a good. In a common attack, a hacker claiming to be from technical support cold-calls as many direct numbers at a company as they can find, until they reach someone who actually needs technical assistance. Under the guise of helping, they then get the user to perform actions such as disabling their antivirus or installing a fake software update that in fact installs malware.
Pretexting is a form of social engineering in which the attacker constructs a believable scenario to gain the victim's trust, so that the victim willingly hands over personal or company information. Hackers achieve this by impersonating a co-worker or someone with more authority than the victim, such as the head of IT, or even the chief executive officer or chief financial officer. This technique is not only a concern for employees: anyone who uses a computer or accesses the internet should be aware of it.
Tailgating, also known as piggybacking, is a simple but highly effective technique for gaining access to restricted areas or buildings. A typical approach is to have one's hands full, for example with a few coffee cups, so that an overly helpful employee holds open a door that would otherwise require a key card or some other security measure to pass through.
Social Engineering – The Threat It Is Today
According to the Verizon 2016 Data Breach Investigations Report (DBIR), social engineering has become an increasingly serious threat, with phishing continuing its rise in use: almost 10,000 incidents in the previous year alone, one-tenth of which had confirmed disclosure of confidential data. The DBIR also reports the results of simulated phishing campaigns. Of the population tested, approximately one in seven participants opened a phishing attachment, up from one in eight the previous year. That increase is not statistically significant, but the figure is still worryingly high.
The number of people who opened the phishing email itself rose sharply: 30% of tested participants opened it, a statistically significant increase of 7 percentage points from the 23% of the previous year. This clearly shows that social engineering techniques such as phishing remain a major problem, and steps need to be taken to reduce their effectiveness.
Verizon reports email attachments to be the number one delivery vehicle for malware, followed closely by web drive-by attacks, with a hybrid of the two in third place: an email containing a link to a website that hosts a drive-by download. With email attachments the leading source of malware infections, it is more important than ever to combat social engineering, so that employees recognize these fraudulent emails for what they are.
Multifaceted Defence Combatting Social Engineering
Now that the vulnerabilities and weaknesses that social engineering exploits have been examined, we can discuss a defense model for countering them. Since there is such a plethora of social engineering techniques, a multifaceted defense is required to counter most, if not all, of them and reduce their effectiveness.
A company without such a defense will face a bombardment of attacks. Some will fail, but the hacker will eventually gain access to the organization and start wreaking havoc.
First and foremost, a company needs a security policy that addresses the threat social engineering poses. A security policy sets out the security standards and constraints placed on the employees who sign it, covering a broad range of topics from access control to acceptable use of company computers, i.e. what employees are and are not allowed to do on them. For a security policy to be effective and followed by employees, management needs to foster a security culture.
Security culture refers to the beliefs and approaches a group of people takes towards security. A healthy security culture can be developed through security awareness training: making employees aware of security issues and how to handle them, not just handing them a contract to sign but using active teaching methods such as exercises.
A common clause in security policies requires forced, frequent password changes. While there is a case to be made for changing passwords in some circumstances, mandatory regular changes generally cause more harm than good. Many security specialists and government organizations, such as the Federal Trade Commission (FTC) in the US and the National Cyber Security Centre (NCSC) in the UK, agree that forced, regular password changes do not provide the security benefit once attributed to them.
The dangers of enforced regular password changes are numerous. Users tend to choose weaker passwords, or passwords very similar to the old one so that they are easier to remember, which makes the new password much easier to guess for an attacker who already knows the old one. Some people resort to sticking post-it notes with their passwords on their monitors in order to keep up with frequently changing credentials. If a tailgater infiltrated the company, this would hand them easy access to the organization's computer network.
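One control that follows from this, added here as an example rather than taken from the article or from either agency's guidance: when a user does change a password, the change handler has both the old and the new password in hand and can reject a new one that is a predictable successor of the old. The Python function below implements the mutations an attacker who knows the old password would try first (same stem with a different number or symbol, case or leet variants, reversal, rotation, calendar-word swaps, and small edit distances). The leet table, the calendar-word list, the edit threshold and the sample pairs are all assumptions made for the example.

```python
import re

# Words users commonly cycle through when forced to change a password (assumed list).
CALENDAR_WORDS = {
    "jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec",
    "january", "february", "march", "april", "june", "july", "august", "september",
    "october", "november", "december", "spring", "summer", "autumn", "fall", "winter",
}

# Common 'leet' substitutions, undone before comparing.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})


def normalize(pw):
    """Case-fold and undo leet substitutions: 'P@ssw0rd' -> 'password'."""
    return pw.lower().translate(LEET)


def stem(pw):
    """Strip leading/trailing digits and punctuation, then normalize:
    'Summer2023!' -> 'summer'."""
    return normalize(re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw))


def levenshtein(a, b):
    """Edit distance by the standard dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def predictable_successor(old, new, max_edits=2):
    """Return why `new` is a predictable variant of `old`, or None if it is not.

    The checks mirror the mutations an attacker tries first against a known old
    password; the order and the edit threshold are assumptions for the example."""
    if new == old:
        return "unchanged"
    if normalize(new) == normalize(old):
        return "case or leet variant"
    if normalize(new) == normalize(old)[::-1]:
        return "reversed"
    old_stem, new_stem = stem(old), stem(new)
    if old_stem and old_stem == new_stem:
        return "same stem with different digits or symbols"
    if old_stem in CALENDAR_WORDS and new_stem in CALENDAR_WORDS:
        return "calendar word swapped"
    if len(new) == len(old) and len(old) > 3 and new in old + old:
        return "rotation of the old password"
    if levenshtein(normalize(old), normalize(new)) <= max_edits:
        return "within %d edits" % max_edits
    return None


if __name__ == "__main__":
    # Constructed sample pairs (not real credentials).
    for old, new in [("Summer2023!", "Summer2024!"), ("P@ssw0rd1", "Password2"),
                     ("Summer2023!", "Autumn2023!"), ("Welcome1", "1emocleW"),
                     ("Tr0ub4dor&3", "correct horse battery staple")]:
        verdict = predictable_successor(old, new) or "accepted"
        print("%-14s -> %-30s %s" % (old, new, verdict))
```

Such a check only makes sense at the moment of change, when the old password is available in cleartext from the user; the hashed history a system keeps afterwards cannot be compared in this way, which is one more reason the agencies cited above prefer checking new passwords against breached-password lists over forcing rotation.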
To stop tailgaters, access control mechanisms are key. Many companies use smart cards to protect and monitor access to a building, and more advanced access control systems also record who has entered particular rooms. For smaller companies this may be less necessary, as they are generally more close-knit and everyone knows everyone.
Once the security policy is in place, all employees need to undergo active awareness training. Employees must be told about the dangers of social engineering and how easy it is to fall for its tactics. They must also understand the possible consequences of one small action: one person opening an attachment from a phishing email on a company computer could have disastrous consequences, which in extreme cases could put the company out of business and the employee out of a job. This needs to be made clear to all employees so that they understand how important it is to be vigilant at all times.
For employees not to fall prey to such tactics, they need to be told specifically how social engineers operate. Employees should be able to identify what information is confidential and protect it. Most importantly, they need to be able to say no when required, and to be backed up by management in cases where the person they refused turns out to have been innocent.
After awareness training, companies should regularly send their employees simulated phishing emails to test their vigilance. To maximize compliance, this uses operant conditioning, with both positive reinforcement and positive punishment (commonly and incorrectly referred to as negative reinforcement). Positive reinforcement encourages a desired behavior by rewarding it when it is performed. Positive punishment presents an unfavorable stimulus after an undesired behavior.
By way of positive reinforcement, employees are rewarded for reporting phishing emails as attempted attacks and have a score showing how many they have correctly reported. To stop employees simply labelling everything as phishing, one point is deducted for each legitimate email they incorrectly report as phishing. At the end of each month, the top-scoring employees could be entered into a raffle for a gift card or an all-expenses-paid trip, depending on the company's budget.
By way of positive punishment, employees could be required to attend a mandatory awareness training seminar after falling for three phishing emails. A three-strike system works here because falling for a simulated phishing email sent by the company does no real harm. On opening an attachment, the employee is taken through a brief online course showing where they went wrong. Because such courses are of limited effectiveness on their own, after three failures an in-person seminar becomes mandatory.
The simulated phishing emails act as ongoing reminders, so that nobody forgets the threat of social engineering. If the seminars are a one-off, people rapidly forget, so it is important to keep reminding employees by sending them such emails regularly.
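As an added example (not part of the original article), the following Python code turns the scoring and three-strike rules above into a small evaluator over an event log of the kind a phishing-simulation platform exports. One point is awarded per correctly reported simulated phish and one deducted per legitimate message reported as phishing; each click on, or attachment opened from, a simulated phish assigns an online module and a strike, and the third strike adds an in-person seminar. The event format and the sample log are constructed, and resetting the strike counter after the seminar is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Event:
    user: str
    message_id: str
    simulated: bool   # True if the message was a simulated phish sent by the security team
    action: str       # "reported", "clicked", "opened_attachment" or "ignored"


@dataclass
class UserRecord:
    score: int = 0
    strikes: int = 0
    remediation: list = field(default_factory=list)  # (measure, message_id) pairs


FAILURE_ACTIONS = {"clicked", "opened_attachment"}
STRIKE_LIMIT = 3

# Constructed sample event log (not real data).
SAMPLE_EVENTS = [
    Event("alice", "m1", True, "reported"),
    Event("alice", "m2", False, "reported"),   # legitimate mail reported as phishing
    Event("alice", "m3", True, "reported"),
    Event("bob", "m1", True, "clicked"),
    Event("bob", "m4", True, "opened_attachment"),
    Event("bob", "m5", True, "reported"),
    Event("bob", "m6", True, "clicked"),
    Event("carol", "m1", True, "ignored"),
]


def evaluate(events, strike_limit=STRIKE_LIMIT):
    """Apply the scoring and three-strike rules to an event log, per user."""
    records = defaultdict(UserRecord)
    for e in events:
        r = records[e.user]
        if e.action == "reported":
            # +1 for a correctly reported simulated phish, -1 for a false report.
            r.score += 1 if e.simulated else -1
        elif e.simulated and e.action in FAILURE_ACTIONS:
            # Only simulated phishes count as strikes; a click on a real phish
            # is an incident to be handled, not a training statistic.
            r.strikes += 1
            r.remediation.append(("online_module", e.message_id))
            if r.strikes >= strike_limit:
                r.remediation.append(("in_person_seminar", e.message_id))
                r.strikes = 0  # assumption: the counter restarts after the seminar
    return dict(records)


def leaderboard(records, top_n=3):
    """Users ordered by score, highest first (ties keep event-log order)."""
    return sorted(records, key=lambda u: records[u].score, reverse=True)[:top_n]


if __name__ == "__main__":
    results = evaluate(SAMPLE_EVENTS)
    for user in leaderboard(results):
        r = results[user]
        print(user, "score", r.score, "strikes", r.strikes, r.remediation)
```

Keeping the simulated flag on every event matters: the deduction for false reports must only apply to genuinely legitimate mail, or employees learn that reporting anything unusual is risky, which is the opposite of what the programme wants.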
Social Engineering Land Mines (SELM)
Social Engineering Land Mines (SELM) are traps set up to identify and expose a social engineering attack. They are designed to stop an attack mid-way and may result in the social engineer being caught.
- The Know-It-All: a social engineering land mine in the form of a person, whose job is to know everyone on their floor and everyone walking around their department. With a key-card access control system, this person's job is made much easier, and they may catch a social engineer attempting to tailgate into the organization's building.
- Call-Back Policy: a well-known and widely used policy. It defeats attackers who spoof other people's phone numbers to request password resets, because the target calls back on the number registered for that person, which the social engineer cannot answer as they do not possess that phone. It also counters the psychology behind social engineering, by giving the target time to think about the requests the social engineer is making.
- Stop-and-Think Policy: employees put callers on hold when they request services such as password changes. Psychological research into social engineering shows that part of what makes it so effective is that people become overloaded under urgency, surprise, or pressure. The stop-and-think policy counters this by giving the employee time to consider the request and, if required, to consult management.
Incident Response Layer
The best defense is a good offense. Even the best defense will crumble without one: with no offense, blow after blow can be landed on the defense, and while a strong defense will hold for a while, a weakness will eventually be found and the attacker will get in.
The same principle applies to social engineering: there needs to be an offense that supports the defense, and this is achieved through an incident response function. Without such an offensive layer, a social engineer gets better at navigating the organization's defenses, learning something new with each attempt, until they finally break through and infiltrate the organization.
The incident response layer stops social engineers from probing the organization's defenses because, as soon as one is revealed, an incident report is filed noting the hacker's tactics and distributed so that employees can be on alert for that person and know what to expect if they encounter them. For this to work well, there needs to be a clear, easy-to-follow procedure that an employee can start as soon as they notice suspicious behavior. The process should lead to active pursuit of the hacker, with the appropriate employees forewarned. Otherwise, every contact with the social engineer is dealt with in isolation by individual employees, and no connection between incidents is found until it is too late.