December 12, 2019
Becoming a successful hacker might depend more on a person’s knowledge of psychology than on their expertise in information technology, according to cybersecurity experts.
A hack doesn’t necessarily require manipulation of a company or organization’s network connections or systems. It’s often accomplished with clever social engineering, or more simply, deception.
Social engineering – attempting to influence someone to do something that is likely against their best interests – is “the path of least resistance,” said Stephen Haunts, a software development manager and cybersecurity consultant from the United Kingdom.
“It is generally easier to try to get information out of someone (at an organization) than it is to try to break into their network,” Haunts said during the Norwegian Developers Conference in Sydney, Australia, in August 2017.
Sometimes dubbed a “touchless hack,” this type of invasion preys on people’s natural inclination to trust others.
Cybersecurity consultants like Haunts and Jen Fox, a senior cybersecurity consultant at New Jersey-based All Covered technology services, have some chilling anecdotes of employees falling for social engineering.
In one example shared by Haunts, a technical support employee, “Keith,” answers a call to the help desk late at night. On the other end of the line is the panicked voice of a man who identifies himself as “Tom, senior financial VP from Floor 9.”
“‘I’ve got a big meeting tomorrow and can’t get into my systems to access the PowerPoint and spreadsheets. If I can’t access these systems, then I’m screwed,’” Tom says.
Asked by Keith whether he has tried the password reset, Tom responds: “‘Of course, I’ve gone through it. Why do you think I’m phoning you? It keeps on locking out…’”
And Tom starts to “get quite irate and upset at this point,” Haunts said.
After a back-and-forth, Keith decides to do a password reset for Tom to get him back in the system.
“‘You’re an executive,’ Keith says, ‘I don’t want to piss you off.’”
After helping Tom to access the system, Keith feels satisfied with himself, Haunts said. “He has just helped a senior exec on Floor 9, and this exec now knows who Keith is.”
As Keith is thinking this, “Tom who is not actually a senior VP at the company (he’s actually a hacker), is copying lots of documents off the network.”
This is a typical instance of social engineering, and it has happened at banks in the United Kingdom, Haunts said.
The example illustrates the importance of a principle taught by Fox, who consults on cybersecurity for clients nationwide at New Jersey-based All Covered.
“People have to know it is O.K. to say no, and do not make exceptions for entitled VIPs at your company,” Fox said during a presentation at last year’s SANS Institute Security Awareness Summit, in Charleston, South Carolina. “That breaks everything.”
Here are some other tips from Fox on how to avoid a “touchless” social engineering heist:
- Training for all
Not everyone in an organization has access to sensitive information, or at least, that’s what you might think. The problem is that social engineers can target employees with low-level information access to get to higher-level executives. Fox, during penetration tests for a client, was able to obtain access to a company’s employee directory from a low-level employee and use the information in the directory to target social engineering toward bigger fish in the company. The moral of that story is that all employees should receive training on cybersecurity precautions and processes, Fox said.
- Processes trump rules
Setting rules on not giving out passwords seems intuitive, but if you don’t prepare employees for how to respond to odd or high-pressure requests for information, they may make a snap decision against their interests and the interests of the company.
For instance, an organization would be wise to compose scripts for employees for potential social engineering scenarios, Fox said. One example of a scripted response is “I’m sorry. I’m unable to disclose that information. How else may I help you today?”
Fox suggested creating formal procedures and scripts for all employees.
“It’s not just a documented process, but it’s something where the interaction really gives you some emotional energy, as well,” she said.
For more on creating interactions that give “emotional energy,” she recommended reading “Ceremony: A Profound New Method for Achieving Successful and Sustainable Change” by Tom Meloche, available on Amazon Kindle for 99 cents.
- Buy up similar domain names
One of the ways Fox has succeeded in fooling employees who work for her clients is by creating portals with links to legitimate work websites or websites with similar URLs. It’s a good idea for companies to buy domain names which look like theirs, she said.
“Buy them and get them out of the way so someone can’t use that against you like an ‘L’ instead of an ‘I’ where visually they look the same.”
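The lookalike-domain tip above is easy to act on with a short script. The following is an added example, not code from the article or from All Covered: it enumerates visually confusable variants of a legitimate domain (the “L instead of I” swap Fox describes, plus a few other common confusions) so a defender can register them or watch for them, and then checks a list of sender domains against that set. The domain `examplecorp.com`, the sample sender list and the confusion table are all constructed for illustration; real tooling uses much larger tables.

```python
# Added example (not from the article): enumerate confusable variants of a
# legitimate domain for defensive registration or mail-log monitoring.
from itertools import combinations, product

# Single-character confusions. DNS is case-insensitive, so the article's
# "L vs I" becomes lower-case l vs i (or the digit 1). Table is a constructed,
# deliberately small subset.
CONFUSABLES = {
    "l": ["i", "1"],
    "i": ["l", "1"],
    "o": ["0"],
    "e": ["3"],
    "a": ["4"],
}
# Multi-character confusions ("rn" reads as "m", "vv" as "w" in many fonts).
MULTI = {"m": ["rn"], "rn": ["m"], "w": ["vv"], "vv": ["w"]}


def lookalike_variants(domain, max_subs=1):
    """Return lookalike domains that differ from `domain` by up to `max_subs`
    single-character confusable substitutions, plus any multi-character swaps.
    Only the leftmost label is mutated; the rest of the name is kept as-is."""
    domain = domain.lower()
    label, dot, rest = domain.partition(".")
    variants = set()

    # Every position whose character has a confusable replacement.
    positions = [i for i, ch in enumerate(label) if ch in CONFUSABLES]
    for k in range(1, max_subs + 1):
        for idxs in combinations(positions, k):
            choices = [CONFUSABLES[label[i]] for i in idxs]
            for repl in product(*choices):
                chars = list(label)
                for i, r in zip(idxs, repl):
                    chars[i] = r
                variants.add("".join(chars) + dot + rest)

    # Multi-character swaps at every occurrence of the source string.
    for src, repls in MULTI.items():
        start = label.find(src)
        while start != -1:
            for r in repls:
                variants.add(label[:start] + r + label[start + len(src):] + dot + rest)
            start = label.find(src, start + 1)

    variants.discard(domain)  # the genuine domain is not a lookalike
    return variants


def flag_lookalikes(legit_domain, observed_domains, max_subs=1):
    """Return the observed sender domains that are lookalikes of
    `legit_domain` (exact matches are not flagged), sorted for stable output."""
    suspects = lookalike_variants(legit_domain, max_subs)
    return sorted({d.lower() for d in observed_domains if d.lower() in suspects})


# Constructed sample sender domains, as a mail gateway log might record them.
SAMPLE_SENDERS = [
    "examplecorp.com",    # genuine
    "exampiecorp.com",    # l -> i
    "examp1ecorp.com",    # l -> 1
    "examplec0rp.com",    # o -> 0
    "exarnplecorp.com",   # m -> rn
    "example.org",        # unrelated
    "exampleco.com",      # similar but not in the confusable set
]

if __name__ == "__main__":
    print("Variants to register or watch:")
    for v in sorted(lookalike_variants("examplecorp.com")):
        print("  ", v)
    print("Flagged senders:", flag_lookalikes("examplecorp.com", SAMPLE_SENDERS))
```

Registering every variant is rarely practical beyond the most likely handful, so the same variant list is also useful as a watchlist for a mail gateway or a certificate-transparency monitor: a newly registered or newly certified name that appears in the set is worth a look before it shows up in an employee's inbox.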