Social Engineering: It’s Never About the Security, It’s About the People

October 12, 2017

By Jennifer Kazy

If you are a Doctor Who fan, you likely recognize the title used for this post in the episode where the evil organization hacks people through the Wi-Fi. Clara Oswald eventually hacks the evil organization through a social media phish, but prior to the hack, The Doctor tells Clara “the security is absolute,” to which she replies, “it’s never about the security, it’s about the people.” Clara then proceeds to use popular and trusted social media apps (Facebook, Vevo, MySpace, etc.) to trick the employees.

Like Clara and the evil organization in Doctor Who, cyber attackers have shifted from hacking computers to hacking people. As such, humans have become one of the biggest threats to an organization’s computer system. As stated by one of the world’s most notorious hackers, Kevin Mitnick (now Chief Hacking Officer at KnowBe4), it is easier to get someone to “reveal” something than it is to “hack” into their system.

Cyber threat actors know that not all businesses are investing adequate time and resources to effectively train their people to recognize threats. In addition, attackers are good at bypassing technology controls by using simple, non-technical tactics to trick us. As this October marks the 14th National Cyber Security Awareness Month (NCSAM), we would like to discuss the schemes cyber threat actors use to trick us, and why these schemes work so well.

Social engineering is not a new technique, nor is it a complex method; con-artists have been using social engineering to dupe us since the dawn of time.

What is Social Engineering? To describe what social engineering is, let us first discuss what it is not. Social engineering is not a college major, or a new social network. According to Symantec, “Social engineering is a way that cybercriminals use human-to-human interaction in order get the user to divulge sensitive information. Since social engineering is based on human nature and emotional reactions, there are many ways that attackers can try to trick you- online and offline. Simply, the manipulation of the human tendency to trust. Social engineering is not a new technique, nor is it a complex method; con-artists have been using social engineering to dupe us since the dawn of time.

Why is This Important? Why is it important to understand what social engineering is in the context of cybersecurity? As mentioned above, it is important to know that social engineering is not complex; it is not a high-tech strategy used by cyber attackers to compromise a computer system, but rather a simple psychological method designed to elicit a response toward a desired outcome. At face value, social engineering is not malicious; however, from a cybersecurity perspective, social engineering is subtle, dangerous, and unashamedly used to attack our organizations through us. People are the first and last lines of cyber defense. We can be the best, or the worst, depending on our level of awareness at identifying suspicious activity.

Trust. At the core, social engineering schemes are designed to usurp trust; trust that we have placed in persons, brands, etc. Not long ago, common advice to stay safe online was to not open emails, and not to click on links or attachments from people you did not know, did not recognize, or were not expecting. We still clicked, but eventually the word got out and we clicked less (but we still click…). That was bad news for the attackers, and meant they needed to shift tactics, and so they did. Today, bad guys are using our advice against us; they are mimicking brands and people we trust.

“According to the top 10 global phishing email subject lines for Q3 2017 by KnowBe4, examining email subject lines from simulated phishing tests, the most clicked was ‘Official Data Breach Notification’ followed by common tactics such as fake delivery notes and workplace issues, including password expiry advisories, account updates and information claiming to be from HR.” – Info Security Magazine, 11 Oct

Threats. It is doubtful there is a single one of us who has never received a “package delivery failure notice” pretending to come from a well-known courier service, or some sort of “account suspended – action required” email designed to look like it was sent from our bank or other service. Malicious actors construct themes, or phishing lures, to elicit an emotional response – typically fear or urgency. However, they also use curiosity and compassion. Little time is wasted sending out scam campaigns when disasters strike, or the latest news to pique our curiosity, or charity scams to appeal to our compassion. Those scams may be an attempt to capture our credentials, steal our money, or commit other forms of fraud. One way or the other, the bad guys are successful at bypassing email filters or other technology controls, which is why we need to have a higher level of awareness to identify a scam when technology does not. Another Kevin Mitnick quote sums this idea up nicely, “Social Engineering bypasses all technologies, including firewalls.”

What Can We Do? Some notorious breaches have occurred due to a lack of employee awareness surrounding social engineering tactics. Investigations consistently reveal that greater proactive employee awareness would stop the majority of data breaches. Do not underestimate an investment in employee education.

  • Defeating social engineering begins with us. Cybersecurity starts with people; from the breakroom, to the boardroom. The more knowledgeable we are, the less profitable the bad guys are. Security awareness does not have to be expensive or complex, but it does need to be intentional.
  • Increase our cyber hygiene. This includes creating strong unique passwords, and most importantly, not reusing them across multiple sites or services. Information is only as safe as the password protecting it. Even the most complex password in the world is useless if we fall for a phishing email.
  • Increase our awareness and vigilance. Keep abreast of the latest data breaches and know where your credentials may have been stolen from. Also, learn how to recognize a phishing email; when in doubt, delete it. Even a fully patched computer can be compromised if we click on a malicious link. It only takes one click to compromise a device.
  • Mobile devices are vulnerable too. Today we are more likely to open an email on a mobile device. Our smartphones and tablets will navigate to phishing sites just as easily as a traditional desktop computer. In addition, there are malicious apps designed to infect our phones to steal from or spy on us. It is important to only install apps from official app stores.

 

Gate 15 provides intelligence and threat information to inform routine situational awareness, preparedness planning, and to penetrate the decision-making cycle to help inform time-sensitive decisions effecting operations, security, and resourcesWe provide clients with routine cyber and physical security products tailored to the individual client’s interests.  Such products include relevant analysis, assessments, and mitigation strategies on a variety of topics. 


This blog post was written by Jennifer Kazy, a Gate 15 Risk Analyst for Cyber Intelligence and Analysis. Jennifer brings over 15 years of cybersecurity experience to Gate 15, including almost 10 years in the Financial Services Sector. Jennifer provides informed threat and risk analysis for internal activities, and lends her experience to assist clients looking to bolster cyber capabilities, including malware investigations, and security awareness programs. Before joining Gate 15, she embarked on an entrepreneurial journey to help small healthcare practices strengthen their cybersecurity posture through building or refreshing HIPAA compliance programs, with extreme emphasis on education and awareness. Her motto: “Why settle for compliance when you can achieve secure?”


Related Posts