Headlines about new data breaches, ransomware variants, and costly phishing scams seem to be popping up on a daily—sometimes hourly—basis. The media tends to focus on large Fortune 500 companies that are attacked, which leads many small business owners to assume that these threats are unlikely to affect them. Unfortunately, this is not the case—anyone can fall for a social engineering attack, and small businesses are targeted often.
What’s the first thing that comes to mind when you think of social engineering? A scammer trying to trick someone into giving away their banking info or social security number? That’s one common way it’s used, but social engineering is more than that. Social engineering is an all-encompassing term, and it’s all around us—whether it’s someone trying to get a raise or get a friend to share a secret. What it boils down to is the art of convincing people to change their frame of mind—and often divulge confidential information.
Even with extensive education and training, you can still be susceptible to falling for a social engineering attack. To get better context on why this tactic can be so convincing, we recently read Social Engineering: The Art of Human Hacking by Christopher Hadnagy. While they may be unsettling, the examples in the book illustrate that if you are committed enough, you can hack any company at any time.
The art of manipulation
Convincing someone to divulge sensitive information is tricky, and it can be time-consuming. The first step is to gather as much information as you can about your target and their company. In the book, Hadnagy points out that people are often careless about their information, and this leaves them vulnerable to threats. For example, you might not think twice about leaving your trash behind in a rental car, but sometimes those forgotten pieces of paper are the most telling of all. In fact, Hadnagy has found bank receipts and even a check ripped into four pieces stuffed inside a Taco Bell bag.
If pertinent information can be found that easily in a rental car, imagine what might lie in your office trash or what can be revealed about you online. Malicious hackers can gather information from social media sites, job postings, profiling websites, and password profilers. Even if you are careful and limit your activity online, someone who is committed enough will find a way to obtain the information.
The next step, elicitation, involves drawing personal information out of others, and it is usually done over the phone or in person. The conversation doesn’t need to be with the CEO; a simple chat can reveal quite a bit if someone asks the right questions. An example given in the book was a conversation at a charity event. The social engineer gained the CEO’s trust and, after a long conversation, asked what he thought of RFID card systems, claiming he wanted to implement one at his own business. The CEO’s answer confirmed that entry to his company’s building was controlled by a new key card system. A single piece of information like that may not seem valuable on its own, but once it is pieced together with knowledge of other ways into the building, the security systems in place, and even employees’ vacation schedules, it can have serious consequences.
Pretexting is a way of setting someone up to believe you are someone else. This can be done online, over the phone, or even in person. Basically, the social engineer creates an alter ego to gain access to confidential information or to get an initial foothold that will help them get the information they want.
One example of pretexting from the book involves a malicious hacker posing as a job seeker who wants to drop off a resume with the CEO, who happens to be on vacation. After entering the building and dropping off a fake resume, the hacker asks to use the restroom. There they leave a USB device in an envelope marked confidential on the restroom floor, hoping someone will plug the drive into a computer to find out who the owner might be. This is just one example of how pretexting preys on people’s instinct to help someone out.
Safeguards against social engineering
Preventing a social engineering attack is more involved than just setting up firewalls and security systems. To reduce the risk of these types of attacks, you need a comprehensive policy that covers your entire company. Here are the top things the book suggests you need to do:
- Identify attacks. Your entire staff should not only recognize what a phishing scam looks like, but also understand how other social engineering attacks are carried out. Start a security awareness program to teach employees about threat vectors and the common methods used to extract confidential information.
- Protect valuable information. While it may not all seem important, keep details such as vacation schedules, charitable donations, and employee information confidential. Each piece could become part of a larger puzzle that is used against you.
- Develop call scripts. Have pre-made call scripts for anyone who handles phone calls. While not every call will be an attack, these scripts give employees a protocol to follow and make it harder for information to be divulged.
- Keep systems up to date. Routinely replace old security systems and keep current systems up to date with the most recent patches and updates. While human error is the main cause of many breaches, having a secure system in place will help mitigate some of the risk.
- Have a security professional audit your business. Learn where the holes in your defenses are and how to strengthen them. Put best practices and policies in place for handling visitors, phone calls, and information shared over email.
Security is complex, and even one mistake can be used against you. As scary as it sounds, if a hacker wants to attack they will—but you can deter them by beefing up your security and making it more difficult for them to succeed.
Social Engineering: The Art of Human Hacking
By Christopher Hadnagy
Wiley Publishing Inc.
Have a suggestion of what we should read next for The MSP's Bookshelf? Leave us a comment.