What is social engineering? What are the most common and current tactics? A
guide on how to stop social engineering.
You've got all the bells and whistles when it comes to network firewalls and
your building's security has a state-of-the-art access system. You've invested
in the technology. But a social engineering attack could bypass all those
defenses.
CSO's ultimate guide to social engineering
Say two fire inspectors show up at your office, show their badges and ask for a
walkthrough—you're legally required to give them access to do their job. They
ask a lot of questions, they take electrical readings at various wall outlets,
they examine wiring under desks. Thorough, aren't they? Problem is, in this case
they're really security consultants doing a social engineering 'penetration
test' and grabbing access cards, installing keystroke loggers, and generally
getting away with as much of your business's private information as they can get
their hands on. (See How to rob a bank for details from this real-world
example.)
Social engineers, or criminals who take advantage of human behavior to pull off a
scam, aren't worried about a badge system. They will just walk right in and
confidently ask someone to help them get inside. And that firewall? It won't
mean much if your users are tricked into clicking on a malicious link they think
came from a Facebook friend.
In this article, we outline the common tactics social engineers often use, and
give you tips on how to ensure your staff is on guard.
Social engineering is essentially the art of gaining access to buildings,
systems or data by exploiting human psychology, rather than by breaking in or
using technical hacking techniques. For example, instead of trying to find a
software vulnerability, a social engineer might call an employee and pose as an
IT support person, trying to trick the employee into divulging his password.
Famous hacker Kevin Mitnick helped popularize the term 'social engineering' in
the '90s, although the idea and many of the techniques have been around as long
as there have been scam artists of any sort. (Watch the video to see
social-engineering expert Chris Nickerson size up one building's perimeter
security.)
Through a Social Engineer's Eyes
Social engineering expert Chris Nickerson reveals what criminals are looking for
when it comes to vulnerabilities in building security.
How is my company at risk?
Social engineering has proven to be a very successful way for a criminal to "get
inside" your organization. In the example given above, once a social engineer
has a trusted employee's password, he can simply log in and snoop around for
sensitive data. Another approach might be to scam someone out of an access card or
code in order to physically get inside a facility, whether to access data, steal
assets, or even to harm people.
Chris Nickerson, founder of Lares, a Colorado-based security consultancy,
conducts 'red team testing' for clients using social engineering techniques to
see where a company is vulnerable. Nickerson detailed for CSO how easy it is to
get inside a building without question.
In one penetration test, Nickerson used current events, public information
available on social network sites, and a $4 Cisco shirt he purchased at a thrift
store to prepare for his illegal entry. The shirt helped him convince building
reception and other employees that he was a Cisco employee on a technical
support visit. Once inside, he was able to give his other team members illegal
entry as well. He also managed to drop several malware-laden USBs and hack into
the company's network, all within sight of other employees. Read Anatomy of a
Hack to follow Nickerson through this exercise.
In What it's like to steal someone's identity professional pen tester Chris
Roberts, founder of One World Labs, says he too often meets people who assume
they have nothing worth stealing.
"So many people look at themselves or the companies they work for and think,
'Why would somebody want something from me? I don't have any money or anything
anyone would want,'" he said. "While you may not, if I can assume your
identity, you can pay my bills. Or I can commit crimes in your name. I always
try to get people to understand that no matter who the heck you are, or who you
represent, you have a value to a criminal."
Sneaky stuff. Give me some specific examples of what social engineers say or do.
Criminals will often take weeks and months getting to know a place before even
coming in the door or making a phone call. Their preparation might include
finding a company phone list or org chart and researching employees on social
networking sites like LinkedIn or Facebook.
In the case of Roberts, he was asked to conduct a pen test for a client who was
a high-net-worth individual to see how easy it would be to steal from him. He
used a basic internet search to find an email address for the individual. From
there, it snowballed.
Useful Books on Social Engineering!
Social Engineering: The Art of Human Hacking
By Hadnagy and Wilson (Wiley, Dec 2010)
"This book covers, in detail, the world's first framework for social
engineering."
No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder
Surfing
By Johnny Long et al (Syngress 2008)
"Whether breaking into buildings or slipping past industrial-grade firewalls, my
goal has always been the same: extract the informational secrets using any means
necessary."
"We searched for the e-mail address online and were able to find a telephone number
because he had posted in a public forum using both," said Roberts. "On this
forum, he was looking for concert tickets and had posted his telephone number on
there to be contacted about buying tickets from a potential seller."
The phone number turned out to be an office number and Roberts called pretending
to be a publicist. From there he was able to obtain a personal cell phone
number, a home address, and, eventually, mortgage information. The point is that
from one small bit of information, a social engineer can compile an entire
profile on a target and seem convincing. By the time Roberts was done with his
pen test, he knew where the person's kids went to school and was even able to
pull a Bluetooth signal from his residence.
Once a social engineer is ready to strike, knowing the right thing to say,
knowing whom to ask for, and having confidence are often all it takes for an
unauthorized person to gain access to a facility or sensitive data, according to
Nickerson.
The goal is always to gain the trust of one or more of your employees. In Mind
Games: How Social Engineers Win Your Confidence, Brian Brushwood, host of the
Internet video series Scam School, describes some of the tricks scam artists use
to gain that trust, which can vary depending on the communication medium:
-- On the phone:
A social engineer might call and pretend to be a fellow employee or a trusted
outside authority (such as law enforcement or an auditor).
According to Sal Lifrieri, a 20-year veteran of the New York City Police
Department who now educates companies on social engineering tactics through an
organization called Protective Operations, the criminal tries to make the person
feel comfortable with familiarity. They might learn the corporate lingo so the
person on the other end thinks they are an insider. Another successful technique
involves recording the "hold" music a company uses when callers are left waiting
on the phone. See more such tricks in Social Engineering: Eight Common Tactics.
-- In the office:
"Can you hold the door for me? I don't have my key/access card on me." How often
have you heard that in your building? While the person asking may not seem
suspicious, this is a very common tactic used by social engineers.
In the same exercise where Nickerson used his thrift-shop shirt to get into a
building, he had a team member wait outside near the smoking area where
employees often went for breaks. Assuming this person was simply a fellow
office smoker, real employees let him in the back door without
question. "A cigarette is a social engineer's best friend," said Nickerson. He
also points out other places where social engineers can get in easily in 5
Security Holes at the Office.
This kind of thing goes on all the time, according to Nickerson. The tactic is
also known as tailgating. Many people just don't ask others to prove they have
permission to be there. But even in places where badges or other proof are
required to roam the halls, fakery is easy, he said.
"I usually use some high-end photography to print up badges to really look like
I am supposed to be in that environment. But they often don't even get checked.
I've even worn a badge that said right on it 'Kick me out' and I still was not
questioned."
-- Online:
Social networking sites have opened a whole new door for social engineering
scams, according to Graham Cluley, senior technology consultant with U.K.-based
security firm Sophos. One of the latest involves the criminal posing as a
Facebook "friend." But one can never be certain the person they are talking to
on Facebook is actually the real person, he noted. Criminals are stealing
passwords, hacking accounts and posing as friends for financial gain.
One popular tactic used recently involved scammers hacking into Facebook
accounts and sending a message from the hijacked account claiming that the
account's owner is stuck in a foreign city and needs money.
"The claim is often that they were robbed while traveling and the person asks
the Facebook friend to wire money so everything can be fixed," said Cluley.
"If a person has chosen a bad password, or had it stolen through malware, it is
easy for a con to wear that cloak of trustability," he said. "Once you have
access to a person's account, you can see who their spouse is, where they went
on holiday the last time. It is easy to pretend to be someone you are not."
See 9 Dirty Tricks: Social Engineers Favorite Pick-up Lines for more examples.
Social engineers also take advantage of current events and holidays to lure
victims. In Cyber Monday: 3 online shopping scams and 7 Scroogeworthy scams for
the holidays, security experts warn that social engineers often take advantage of
holiday shopping trends by poisoning search results and planting bad links in
sites. They might also go as far as to set up a fake charity in the hope of
gaining some cash from a Christmas donation.
Why do people fall for social engineering techniques?
People are fooled every day by these cons because they haven't been adequately
warned about social engineers. As CSO blogger Tom Olzak points out, human
behavior is always the weakest link in any security program. And who can blame
them? Without the proper education, most people won't recognize a social
engineer's tricks because they are often very sophisticated.
Social engineers use a number of psychological tactics on unsuspecting victims.
As Brushwood outlines in Mind Games, successful social engineers are confident
and in control of the conversation. They simply act like they belong in a
facility, even if they should not be, and their confidence and body posture put
others at ease.
This is your brain on social engineering
Brian Brushwood is really good at tricking people. So good he founded a website
called "Scam School".
Brushwood understands how social engineers mislead people. Four basic
principles:
"People running concert security often aren't even looking for badges," said
Brushwood. "They are looking for posture. They can always tell who is a fan
trying to sneak back and catch a glimpse of the star and who is working the
event because they seem like they belong there."
Social engineers will also use humor and compliments in a conversation. They may
even give a small gift to a gate-keeping employee, like a receptionist, to curry
favor for the future. These are often successful ways to gain a person's trust,
said Brushwood, because 'liking' and 'feeling the need to reciprocate' are both
fixed-action patterns that humans naturally employ under the right
circumstances.
Online, many social engineering scams take advantage of both human fear
and curiosity. Links that ask "Have you seen this video of you?" are impossible
to resist if you aren't aware that it is simply a social engineer looking to trap
you into clicking on a bad link.
Successful phishing attacks often warn that "Your bank account has been
breached! Click here to log in and verify your account." Or "You have not paid
for the item you recently won on eBay. Please click here to pay." This ploy
plays to a person's concerns about negative impact on their eBay score.
"Since people spend years building an eBay feedback score or 'reputation,' people
react quickly to this type of email. But, of course, it leads to a phishing
site," said Shira Rubinoff, founder of Green Armor Solutions, a security
software firm in Hackensack, New Jersey. "Many people use eBay, and users often
bid days before a purchase is complete. So, it's not unreasonable for a person
to think that he or she has forgotten about a bid they made a week prior."
Recent phishing lures even take advantage of the economic downturn, said
Rubinoff. It has not been uncommon for fake emails to turn up that claim to be
from human resources, say 'You have been let go due to a layoff. If you
wish to register for severance please register here,' and include a malicious
link.
No one wants to be the person that causes problems in this economy, so any email
that appears to be from an employer will likely elicit a response, noted
Rubinoff. Lares' Nickerson has also seen cons that use fake employer emails.
"It might say, 'In an effort to cut costs, we are sending W-2 forms
electronically this year,'" said Nickerson.
How can I educate my employees to prevent social engineering?
Awareness is the number one defensive measure. Employees should be aware that
social engineering exists and also aware of the tactics most commonly used.
For elements of an effective security awareness program, see Seven Practical
Ideas for Security Awareness and Now Hear This!.
Fortunately, social engineering awareness lends itself to storytelling. And
stories are much easier to understand and much more interesting than
explanations of technical flaws. Chris Nickerson's success posing as a
technician is an example of a story that gets the message across in an
interesting way. Quizzes and attention-grabbing or humorous posters are also
effective reminders about not assuming everyone is always who they say they are.
"In my educational sessions, I tell people you always need to be slightly
paranoid and anal because you never really know what a person wants out of you,"
said Lifrieri. The targeting of employees "starts with the receptionist, the
guard at the gate who is watching a parking lot. That's why training has to get
to the staff."
Social engineering tricks are always evolving, and awareness training has to be
kept fresh and up to date. For example, as social networking sites grow and
evolve, so do the scams social engineers try to use there; see 5 Facebook,
Twitter Scams to Avoid and 5 More Facebook, Twitter Scams to Avoid.
The National Cyber Security Alliance recently launched a 'Stop.Think. Connect.'
campaign to get users to give more thought to their online behavior so they
recognize social engineering cons before they get in trouble.
But it isn't just the average employee who needs to be aware of social
engineering. A study conducted in 2010 found executives are actually the easiest
targets. In Social engineering: 4 reasons why executives are the easiest targets
Jayson Street, a security consultant and CIO of Stratagem 1 Solutions, says
executives are soft targets for many reasons, including a lax security attitude
and their tendency to use the latest technology—even before it is properly
vetted.
Although it's a tactic to use with great caution, fear of embarrassment is a
strong motivator. Nobody likes to look foolish, and a successful social
engineering test does make the victim feel foolish. This is partly why
storytelling works—the reader or listener feels empathy for the person who "got
suckered."
Consider this factor if you choose to design an in-house social engineering
penetration test. A little embarrassment will put everyone on their toes;
crossing the line to humiliation will only make employees angry.