Let me ask you a few questions—first, how confident are you that you could spot an online ruse, and second, did you know there’s a stain on your shirt right now?
Did you look?
If so, you’ve just fallen for the school playground version of social engineering, a serious threat. Let’s discuss the kind that you’re more likely to see in terms of your business’ cybersecurity.
To begin, let’s analyze what social engineering really is, and why it works so well on us.
When all is said and done, that is really what social engineering boils down to: instead of trying to find the right combination of 1s and 0s to bypass your cybersecurity, it uses the right emotions and thought processes to bypass your human employees.
Let’s examine the stained shirt example I provided above. While it probably wasn’t as effective coming in through text, chances are good that you’ve also experienced the old-fashioned version where someone pointed at your shirt and flicked your nose when you looked down—more than likely, many times. Why do we keep looking?
We do so for the same reason that social engineering works—hearing that we have something on our shirt has some effect on our emotions. We fear that we’ll look silly, or sloppy, in front of people we respect and (more importantly) we want to respect us. The need to confirm that the stain is there becomes so urgent in the moment that we have to look down immediately, despite being intimately familiar with this kind of trick.
In addition to all this, this trick is usually played by someone we trust. This will be important to keep in mind later.
Of course, in a business-focused social engineering attack, the stakes won’t often involve a bit of the special sauce from the #5 value meal on your shirt. The professional kind of social engineering plays on different fears and anxieties that are more directly related to the workplace. Since this usually takes some preparation, let’s go through the steps that the person behind the attack will generally take:
With some variance in the time spent by an attacker based on how sophisticated they want their attack to be, the first step the attacker will take is to plan their attack, doing their research to figure out their most effective option to fool someone. Let’s step into their shoes for a moment and run through what this research might look like.
Let’s say we wanted to attack XYZ Widget Company. As social engineers, our first step is to collect as much data as we can on them. The Internet and its plethora of open-source intelligence (OSINT) make this easier than you might expect. For example, we could turn to the company’s LinkedIn, and discover that Jane Doe and John Q. Public both work there in customer-facing roles. A quick jaunt over to Facebook might reveal that Jane enjoys doing crossword puzzles and fantasy sports, while John is big into DIY activities, ranging from cheesemaking to quilting. From there, it’s an easy matter for us to reach out to either Jane or John using the OSINT we’ve collected and gain some of their trust. Once this trust has been established, we stand a pretty good chance of convincing them to give us more access than is warranted, or share information that they shouldn’t have shared.
Of course, we could also take the simple route and instead try our luck with fear tactics. It’s generally a safe bet that an employee doesn’t want to get in trouble in the workplace, so sending a message that claims they’ve done something wrong or need to address something right away—posing as an authoritative figure or representative—might just motivate them to take action.
If we’re really resourceful, we could utilize both. Maybe John Q. Public had a recent picture on his Facebook with a laptop in the background and the caption, “Just hanging at home on my day off.” If we can tell that the laptop has an integrated webcam, we could just as easily reach out to John Q. claiming that we have footage of him doing “certain things” as he used the laptop, threatening to release the footage to all his contacts—personal and professional—if he doesn’t provide us with the information we want.
Stepping back out of the role of attacker, it should be clear how important it is that your team is able to spot the hallmarks of such attacks, like:
Furthermore, it never hurts to confirm any suspect communications through another means. For instance, if you get an email that seems to come from your boss that makes an odd request, don’t hesitate to give them a quick call or pop by their office to confirm it is legitimate. I promise, they’ll be happier that you checked—it shows you were cognizant of the threat of social engineering.
Heart of Texas Network Consultants is here to help your team ready themselves to be the security asset they should be for your business. Find out what we offer by calling (254) 848-7100.