When we think of cybersecurity, it's common to consider things like firewalls, patching, and other types of computer controls that are constantly being updated to mitigate the latest threats from hackers. What doesn't get as much attention, although it's probably the No. 1 cause of successful cyberattacks: the human element. People are falling for devious schemes engineered by increasingly sophisticated hackers that circumvent software protections.
The website www.social-engineer.org defines social engineering as "any act that influences a person to take an action that may or may not be in their best interest." In terms of hacking, social engineering relates to a combination of psychological, physiological, and technological techniques that prey upon human emotions to get victims to take some sort of action they otherwise would avoid. Most common are phishing emails, which trick victims into clicking a link that ultimately installs malicious code.
Comparable in their potential to inflict damage are smishing (phishing via text) and, perhaps the most overlooked, vishing (use of the phone to solicit personal information). Vishing is particularly dangerous because it can get personal really fast. In all of these "-ishings," fraudsters are essentially preying on natural human instincts such as the desire to help and the desire to avoid uncomfortable situations. They also exploit the human tendency to trust those who appear to have some sort of authority.
I recently attended a session at an IIA conference where the presenters described some simple social engineering techniques. They told a story of a hacker, sitting at a hotel bar, who successfully obtained the information he needed by engaging with conference attendees. How was he successful? With a little online research about the conference and attention paid to attendees' badges, the hacker knew enough to get his victims engaged in a conversation that, over a few drinks, then gave him all the information he needed to guess some of their passwords and hack their accounts. All the while, the victims felt like they had just made a new best friend. Needless to say, since then I make sure to take off my conference badge as soon as I leave the event for the day.
One of the best examples I have found to demonstrate just how easy social engineering can be is a video shot at Def Con, a large hacker convention that has been around since the early 1990s. (Important: Before you click to view the video, please note the victim's shocked response results in an expletive at 2:11.) In the video, the female hacker calls the cell phone provider pretending to be the victim's wife. With prerecorded sounds of a crying baby in the background, the hacker plays the part of a stressed-out mom and preys on the customer service agent's desire to help. In just a couple minutes, the hacker has not only accessed the victim's account, she has successfully changed the password, essentially locking the victim out of his own account.
Another example from CNNMoney demonstrates a hacker calling a company's IT help desk and convincing the support tech to click on a website link that the caller is "unable" to open. Clicking on the link installs malware on the support tech's computer, giving the social engineer complete access.
While some hackers work alone for personal gain, many are backed by sophisticated organizations. The FBI has uncovered global criminal enterprises that hire hackers to infect computers, paying monthly salaries in the hundreds of thousands of dollars. These organized crime groups even have help desks complete with ticketing systems for when their hackers have issues.
Even if your IT department has cutting-edge cybersecurity controls in place, it only takes minutes for a successful social engineering hack to render it all useless. For auditors, there are a few basic questions to consider in helping organizations become more resilient against these types of attacks:
- What is the level of awareness among both management and staff regarding social engineering techniques?
- What type of ongoing training and education programs has your organization put in place to arm employees with the necessary skills to defend themselves and the organization?
- Are employees empowered to say "no" to their peers and even customers when faced with a suspicious situation?
Since social engineering preys on human emotion and our desire to be helpful, awareness is critical. Take time to make yourself aware of common social engineering techniques and, as any good auditor does, maintain your professional skepticism.
That's my point of view. I'd be happy to hear yours.