Deception is fast and effective for a criminal trying to access a company's data and assets, because it's easier to trick people than to hack their hardware or break into their offices. Well-intentioned employees will offer account numbers, volunteer passwords, and even open locked security doors if the request seems reasonable or the threat seems real — or if the stranger seeking physical access is a decent actor with an adequate disguise.
Emails with interesting content, infuriating social media messages, bogus package deliveries, and phone calls with tantalizing offers — four basic forms of social engineering — seem innocuous, and a waste of company time. But they're among the biggest risks organizations now face. When businesses catch on to current tricks and mount new defenses, the perpetrators change the rules, so flexibility and virtually constant vigilance are necessary — and human resources executives, IT managers, and physical plant security personnel need to be involved. For internal auditors, the shape-shifting challenges of social engineering demand assessment and advice on evolving threats and a diverse, integrated, and coordinated response.
|What Is Social Engineering?
Social engineering often starts with recon: Criminals get an idea of an organization’s internal operations and corporate lingo first, then target security guards or receptionists, who offer access rather than information. They then use various forms of deception to trick employees into volunteering sensitive information or responding to bogus email enticements, often exposing the organization’s entire IT infrastructure to attack.
Social engineering is such an effective tactic and comes in many forms:
Baiting. Placing a malware-infected physical device somewhere it’s sure to be noticed; when it’s loaded onto another computer, the malware is installed (such as a USB flash drive).
Phishing. Sending fake email, often claiming it’s from a trusted source.
Pretexting. Lying to gain access to privileged data, such as pretending to need personal data to confirm someone’s identity.
Quid pro quo. The social engineer pretends to provide something — claiming to be a return call from tech support, for example — in exchange for the target’s information.
Scareware. Tricks the victim into thinking a computer is infected and offers a solution to the problem that actually installs malware.
Spear phishing. Precision phishing, tailored to a specific individual or organization.
Tailgating or piggybacking. Following someone into a secure building, assuming that person is willing to hold the door open.
Vishing. Voice phishing; social engineering over the phone.
Water-holing. The attacker targets a specific person or people by infecting websites they’re known to frequent.
One of the things that's changed over time is that now "the individuals doing this are highly sophisticated," says Kimberly Hagara, vice president, audit services, at the University of Texas Medical Branch (UTMB) in Galveston, part of the University of Texas (UT) System. "In the early days, you received emails asking you to contact some foreign government," she says — usually to "help someone out" or to claim a cash windfall. "Now the tactics are much more trust-based," she adds. "Getting into an organization or a system relies more on human interaction."
The No. 1 way to get into an organization's system is by spear phishing, mainly because it's global in reach and free. "Or with phone pretexting, you can simply talk to anyone on the phone and get instant compliance from the victims, often getting them to take the time to follow instructions," says Kevin Mitnick, CEO at Mitnick Security Consulting in Las Vegas. The hacker gains access when the recipient clicks on a link in an email, a button on a website, or opens an attachment, he adds.
Phishing succeeds when the culprit convinces the recipient there's something at stake if he or she doesn't comply — even if the fake invoice attachment comes from a vendor the organization doesn't do business with. Mitnick, who was once the U.S. Federal Bureau of Investigation's Most Wanted Hacker for hacking into 40 companies, explains that an employee who's just curious may not stop to "think critically about whether the email makes sense." And then it's too late. Organizations can install email filters to help identify questionable content but they may find that hackers can bypass them. "When you fix one thing," he says, "they'll attack another."
Social media can present effective social engineering targets, Mitnick says. "When organizations give employees permission to use social media on company equipment, those who haven't been trained could fall for LinkedIn attacks, for example," he explains, which can be messages encouraging them to click on a link for a business opportunity. "The link redirects the victim to a malicious website," he says. "If an attack like that is well-targeted, it will probably work. If it's sent to a lot of people, it's less likely to." That's because word gets around fast, and then the jig is up.
Simply picking up the phone works, as well. In fact, "phone pretexting has a high level of success depending on the hacker's skill set," Mitnick says. "People need to understand that social engineering isn't just a phishing problem. It's deception." Indeed. Social engineering isn't just duping someone online — it's also used to gain access to physical premises. An attack like that is a much higher risk for the social engineer, though, which is another reason perpetrators focus on email and phone scams.
Physical access is sometimes breached, too. Many organizations maintain multiple buildings — in the UTMB's case, that includes offices, classrooms, health-care services, and research facilities — with varying types and levels of security. Says Hagara: "We look at physical security from a risk perspective, focusing on which buildings hold sensitive information or access to other information, and what the physical security requirements are."
One requirement, she says, is that "we have to remain an open campus. We have a lot of people coming and going, including patients who come to campus, colleagues from others institutions, and vendors." The UTMB conducts an awareness campaign around wearing ID badges, and stresses that someone who suspects something shouldn't be afraid to speak up.
Still, she adds, people want to help, and they don't want to be rude, asking people to justify what they're doing. But social engineering — which may start with someone looking over a shoulder to gather information and then develop into someone pretending to carry a heavy box while asking, "Could you hold that door for me?" — requires a tougher stance. "Even though we're a 24/7 operation," Hagara points out, "is a printer really going to be delivered at 10:30 p.m.?" In those cases, demanding identification is OK.
Fool Me Once
When Mitnick's firm starts a social engineering training engagement, his team members use phone calls, spear phishing, and phone pretexting pretending to be people they're not, and they can "always convince the client to do things" they want them to do. He adds that social engineering is a problem that needs to be addressed because there's too much at stake to ignore it.
"Most social engineering schemes I've seen are individuals giving up confidential system identification or passwords," says Kenneth Pyzik, vice president, audit professional practices, at Western Alliance Bancorp. in Las Vegas. That's often the entry point the hackers want, so they can implant a Trojan horse or other piece of malware for later data mining exploits. Initial entry may not be detected, he adds, and the longer the breach remains unnoticed, "the more brazen the attack becomes to get at any kind of valuable information."
|Prevention and Detection Tips|
Experts offer advice on how to keep attacks from happening, or catching them early if they do.
Start with the basics. Passwords should not be shared among employees for any reason, says David Bryan, associate partner and global leader of technology for IBM’s X-Force Red security testing service. “If you make that a part of the corporate culture, employees will be less likely to freely give passwords to outside persons.” Kenneth Pyzik, vice president, audit professional practices, at Western Alliance Bancorp. in Las Vegas, emphasizes: Don’t forget automated spam filters on email and an easy-to-use phishing icon to quickly report suspicious correspondence.
Include everybody. All system users should be subject to the same email precautions and restrictions, Pyzik says. “There’s no executive privilege,” he adds. “Executives can sometimes be the weakest link.”
Practice beating perpetrators at their own game. “Attack your employees like the bad guys do,” Kevin Mitnick, CEO at Mitnick Security Consulting in Las Vegas, advises. There are email phishing platforms that “train and inoculate” staff members.
Don’t make matters worse. When testing employees’ vulnerability to social engineering scams, make sure they know in advance that they’re being tested, so employee morale isn’t ruined. Explain that added security helps them, too — when they buy movie tickets, say, and pay with a personal credit card on the company computer. “You want to be transparent,” Mitnick adds. “You can’t make testing completely transparent, but make it part of everybody’s job duties to be knowledgeable about how scams are carried out.”
Be fair. “You can’t punish employees for making human mistakes,” Mitnick says. He prefers the carrot to the stick , such as “an educational message saying that you made a mistake, and that you need to stop and think before you click.”
Keep sending the same message. Raising awareness of social engineering scams may not keep employees from falling for them. Measure how employees perform at a baseline level, then track testing results to see who needs special attention, such as more training videos for additional education.
Don’t stop short of true enforcement for repeat offenders. Some institutions conduct random testing and then let supervisors know when their employees have failed the tests. “Education is then required, and repeat offenders should be reprimanded,” Pyzik says.
Focus on esprit de corps. “Protecting the network and protecting the company’s confidential information needs to be part of every employee’s job,” Pyzik says. Mitnick adds, “Build a human firewall. Make sure everybody shares the common goal of increasing security for all.”
Use advanced technology. “You want a good endpoint security product that works well at detecting threats,” Mitnick says. Depending on the sophistication of the perpetrator, you might catch ransomware or other malware before it can do much harm.
In his experience, the perpetrator's target is usually customers' credit card numbers, Social Security numbers, and driver's license numbers "that can be used for financial identify theft or some other illegal gain," Pyzik says. And they don't want just the data from the person who answers the phone or opens the email. "The real asset is customer lists and customer data," he says. "The mother lode is not duping a single person for a single credit card number, it's getting to the customer file for thousands of them."
Risks for Hagara include researchers' intellectual property, patients' clinical and financial information, UT's financial data, and sensitive details about students and employees. For example, payroll information includes tax identification and Social Security numbers, she explains. And simple email hacks and bogus pizza deliveries often aren't a school's biggest worry, Pyzik adds. "In addition to financial hacks to commercial enterprises," he says, "if the entity doesn't have valuable customer data, then another objective is to plant malware that can later lock system files and demand ransom" (see "Held Hostage").
Small and medium-sized enterprises (SMEs) don't escape social engineers' attention, either. "They're regularly targeted," Mitnick points out. SMEs often don't have the funds for IT staff and security, so they're low-hanging fruit — a perpetrator doesn't have to work as hard, and a phishing expedition is very likely to work.
"Generally, employees want to do good — they want to help others get their jobs done so they can go back to getting their work done," says David Bryan, associate partner and global leader of technology for IBM's X-Force Red security testing service in Minneapolis. "Email phishing can't be stopped, but a targeted attack can be prevented with training and testing to determine if the training was effective." Mitnick advocates combining user education and training videos. "When you know what the scams are, you're less likely to fall for them," he says.
Where to Start
When the C-suite asks for advice on addressing social engineering, "the thought processes internal audit needs to emphasize are education, simulated phishing, and a layered security approach," Mitnick advises. "And make sure to recommend that the enterprise maintain a process for mitigating risk when something is infected" — whether that's determining internally if the threat is "domestic or something in the wild" or outsourcing the investigation.
Also, Mitnick says, internal audit should recommend that organizations maintain a social engineering instant response program to mitigate an attack. Often, a third-party sets up a system that sends an alert when an employee clicks on a suspicious email icon, then advises the organization and helps it measure people's progress on compliance. He also suggests regular penetration testing to see if security controls are holding up.
The internal audit department can recommend those programs and policies, Pyzik says, and can periodically audit the information security department to make sure it's addressing social engineering risk as a priority. The UTMB regularly runs scenarios to help teach its employees about social engineering techniques and technology solutions. "We do a lot to try to protect our system before a perpetrator gets into the network," Hargara says. "That includes quarantining email that appears suspicious or malicious. And we monitor foreign access to our network, among a variety of other technical controls that supplement administrative, individual, and behavioral controls."
Technological controls can be assessed by internal audit, she notes, and her shop does so periodically. The information security officer at the UTMB "does annual third-party penetration testing scenarios and walk-throughs," she adds, to provide a level of assurance that controls are operating as intended.
Trust and What's at Stake
During a recent penetration test conducted at the UTMB, one employee who knew about the test in advance said, "You won't be able to get past me," Hargara says. But during the testing process, that employee clicked on the bait, and could have given up sensitive information. What worked? The email had a professional look, and the information it purported to contain was close to a real-life scenario, like a press release the employee would normally respond to. "It looked right and it felt right," she says.
"The incident exposed a vulnerability," Hargara adds, "and that helped us understand, from an employee standpoint, where the greater risk was and how we could further protect sensitive information. Humans are incredibly trustful." That's why, she emphasizes, defending against social engineering is really about education and awareness training of the risks for the organization, employees, and students. Make sure, Pyzik says, that employees understand what's at stake. "The whole company is at risk when employees are lax," he says. "One mistake can end up costing a company millions of dollars and many peoples' jobs."