That’s all we seem to hear about in the news today. Hackers, hacktivists, security breaches, compromised data, stolen information, ransomware. Terms that used to be familiar to a select few in the IT sector are now frequenting our 5 o’clock news almost as often as some politicians get spray tans. Unfortunately, it doesn’t matter how many times cybersecurity is talked about in the news. People still just don’t get it. Business owners, most commonly small business owners, still place less importance on their information security than their clients would like to know. Hackers love this.
But even the companies that have picked up their game when it comes to dealing with cyber threats are still frequently missing the mark when it comes to one huge factor: social engineering.
For those of you who don’t know, social engineering is a pompous way of describing the manipulation of the weakest part of any security model — humans.
Still confused? Here are a few cliché examples:
- “I’m a rich dying woman from Denmark with no one to inherit my millions. Please send me your bank information so I can wire you $475 million.”
- “Hello, this is Mark from U.S. IRS. You owe the government $10,000. Drive to store and purchase $5,000 in iTunes gift cards or you will go to federal prison.”
- Elliot Alderson-looking fellow drops a thumb drive labelled “FANTASY FOOTBALL BETS” in parking lot, Jim from Marketing picks up said thumb drive and inserts into computer, entire office is infected with ransomware and Jim is fired.
These are obviously pretty simple tactics that, while ridiculous, have been used successfully, although they’re not quite as likely to succeed today.
Social engineering does still pose a threat, however. In fact, as folks in the infosec field can tell you, it’s the hardest threat to protect against, because it’s rooted in human psychology, and whether we like to believe it or not, human behavior is very predictable and easy to exploit for those who are so inclined.
Let’s start off with highlighting some commonly used attacks today.
Phishing is, in its most infantile form, the inheritance example I used above. Unfortunately, successful phishing attacks are far less obvious and far easier to fall for. Here’s an example:
You own a company, and Karen from accounting gets an email. It goes something like this:
We’re updating email software on the server today. We’re going to have to reset all passwords, if you could just forward your credentials so that we can back up your mailbox.
Karen sends back her credentials, because this seems plausible to her, and she doesn’t have enough training to recognize the threat. Now we have vital login info that we can use to access accounts, carry out more phishing attacks posing as Karen, etc.
Whaling is another form of phishing. It’s called whaling because it targets “whales”, or big fish, or big wigs. So if someone wanted to phish the CFO of SomeCompany, Inc, here’s how that could go:
Now that we have Karen’s email address, we send a couple more emails to various people in the office who know and trust Karen, and we escalate our privileges to the point that we’ve gained access to the actual mail server. Oh, Gordon the former CFO still has an email account? Thanks, IT department. We’ll just reset that password and take it over. Now we can send an official-looking email posing as an executive from your company to another company that you’ve been looking to do business with, because it’s all public and we read the Wall Street Journal. We already read through a bunch of emails from Mark in Finance to John in Finance at SomeCompany, Inc., so we get the gist that a deal is going to go down soon. So we sweeten the deal and email the CFO of SomeCompany, Inc. He accepts and gives the order to pay your company. Karen gets an email from SomeCompany, we intercept it, we give false bank information, we get the money. You’ve been pwned. On the way out, we clean up the logs, delete all emails, transfer all the money to Bitcoin, and make it look like we were never there.
Baiting is essentially the USB drop. The concept is based on the natural human curiosity that we all have. Improperly trained employees can fall short here, and it’s a good example of why training is so important for proper information security.
Tailgating is a pretty simple trick that almost always works. Imagine you’re going to work, you’re going to be late in 5 minutes and you’re in a rush. You head into the lobby at your building and scan your ID to get on the elevator. The doors are about to shut, when along comes a man in a wheelchair. You’re late, but you’re not a monster. Because you naturally feel guilty that you can walk and this poor fellow can’t, you hold the door and let the guy on the elevator. Your conscience is clear, and you smile as you hit the button for the 14th floor for the guy, and wave goodbye to him when he rolls off the elevator on floor 14, aka the server room. Good job, buddy. You just made an attacker’s life so much easier.
Not all hope is lost
As scary as this little narrative may be for some business owners reading this, there is still hope. You can check out the links at the bottom of this post for free IT security awareness training resources.
And if you’re not a little unnerved by this stuff, just keep this little quote in mind:
“There are only two types of companies: Those that have been hacked and those that will be hacked.”
— Robert S. Mueller, III