“Human beings are often easier to attack than technology. Cyber criminals can hack people faster than they can hack firewalls.”
So says Jenny Radcliffe, a social engineer from the UK who addressed media, members of the public and cyber security analysts via video at the Mimecast Cyber Security event held in Johannesburg this morning.
“Employees can be used as a conduit for information,” says Radcliffe.
Social engineering is used by cyber criminals to extract information about a company, their personal life or the lives of others by way of earning their trust, threatening them or playing on their sensitivities.
It’s all very psychological and Radcliffe says that the key to executing a good cyber attack by way of social engineering is patience.
To illustrate just how much patience a cyber criminal might have, Radcliffe explains how much work a cyber criminal does before they even start hacking the digital side of a company.
It all starts with choosing a target for the attack. There are numerous reasons why an attacker might choose a particular target. The entity might be selected by an attacker for financial gain, disruption or simply to prove that they can hack the organisation. Cyber criminals often choose their targets incredibly carefully. They spend a lot of time identifying which organisations are weakest in terms of their culture and staff. Once the target has been selected you would think the hacking would begin, and it does, but forget the stereotype of a mirror-shaded individual hunched over a keyboard hammering out code.
Attackers start looking for information about the organisation as provided by its employees through social media. “The internet has made the job of researching people easier. Facebook, Twitter, LinkedIn; all these services that want you to tell them as much as you can about yourself are a gold mine of information for a social engineer,” Radcliffe explains.
Attacks on companies are well planned and target specific people rather than trying to catch out the whole organisation with a phishing attack. Attackers choose prey by trawling through posts on social media to find employees who appear to be unhappy at work – tweeting missives like “thank god it’s Friday”.
This reconnaissance is not restricted to what one posts online. Radcliffe explains anecdotally how an attacker could identify a bar that an employee frequents and then go there to listen in on conversations the employee might have, waiting for them to mention an important piece of information in passing.
All of this research takes time to collect and once it’s done, unless a company changes everything, an attacker has all they need.
Gatekeepers such as a chief executive officer’s secretary are inherently harder to crack because by nature they will be rather protective, but that doesn’t mean it’s impossible.
“An attacker could call up the secretary of a CEO and request an interview with him. This would give the attacker not only access to the CEO but also a reason to film everything,” the social engineer says. Similarly, IT staff are hard to crack but not impossible.
“How may I help you?”
But attackers don’t need to go through these gatekeepers. Cleaning staff, helpdesk agents and call centre staff are usually the weak chink in a company’s cyber armour as they often aren’t included in training courses that discuss social engineering.
“If an attacker calls a call centre they can use fear to intimidate these people into handing over information. An attacker need only angrily ask things like ‘Who is your boss? What is their name? What is their full name?’ to get a call centre agent to hand over the information they need,” says Radcliffe.
Beyond staff that work on your premises, what about buyers and contractors that are brought in for specific projects? Radcliffe says that a company’s supply chain is often an easy way into it.
“I would often target buyers because I know how to speak to them,” says Radcliffe, who has since traded in her black hat for a white one.
Perhaps the scariest thing Radcliffe mentions is that attackers could potentially tailgate an employee as they enter the building. Even worse, they could pose as a person who urgently needs to meet with someone in an office, only to bypass that office and dive deeper into the building.
We ourselves here at htxt.africa have experienced this sort of precursor to an attack. We won’t spoil the ending for you, but let’s just say we’re all a lot more aware of who comes and goes in our office these days.
“Most staff in many organisations think cyber security is not their problem. They think there are other people that do that job or they don’t care because they don’t understand the tech that is used,” says Radcliffe.
Organisations need to make people care and companies need to show employees how doing something as innocuous as plugging in a flash drive could potentially lead to huge financial losses. Once an attacker is in your company things escalate dramatically.
Access is gained digitally by exploiting the social engineering target through phishing or another attack vector. From there an attacker will either acquire valuable information, erase that information, disrupt the business or – in the worst-case scenario – do all three. “The attacker could go unnoticed because they’re already a plausible imposter,” says Radcliffe.
At its core, social engineering is only effective if the attacker is targeting people who don’t know better. For this reason it’s vital that staff – all staff – are trained to identify social engineering.
“Protection such as passwords and firewalls is important,” Radcliffe says in conclusion, “but they are worthless if people can just be let in by other people.”