Exploiting human firewalls through social engineering is an increasingly popular method of attack. Recently, a hacker has claimed that they compromised CIA Director John Brennan’s email by tricking a Verizon employee into divulging details of his account. These human exploits are likely to get worse as technical controls improve and organizations continue to liberalize their social media policies. This month I caught up with Jenny Radcliffe, social engineering expert and popular TEDx speaker from Jenny Radcliffe Training, to ask how we can better prepare our human firewalls.
What is a social engineering attack?
Social Engineering is the term used to describe a “people-based” hack on a business. Attackers use non-technical means to obtain information or access by manipulating the human element of an organization or, in the case of an individual, their human weaknesses and characteristics such as naiveté, misplaced trust, fear or the will to help. Social Engineering often forms part of a wider attack that at some point will incorporate a technical element, and can be a form of intelligence gathering and preparation for complex and serious organizational breaches.
Why is it that social engineering attacks can be so effective?
Social Engineering is effective because we are all human and therefore vulnerable. Provided the message is tailored correctly, most people will talk too much, reveal too much or be fooled into giving away details that can later be used against them. Being overly suspicious of everyone we engage with on a daily basis isn’t healthy, psychologically speaking, so most of us don’t have our guard up all of the time. Moreover, because social engineers build a profile of the target organization over time using social media, much of the activity goes undetected, so it is hard for companies to learn from their mistakes.
Do you think that enough is being done to educate people about the risks of social engineering?
You can never have enough learning and reminders in this area, because the malicious social engineers are doing this persistently, imaginatively and in an organized and targeted manner. Awareness really is key here because the only thing that will help is to make people question themselves and those they communicate with, as well as think twice about the information they post online or otherwise give away. Education makes organizations and the individuals within them harder targets and helps people understand how their own actions and personal information can be used to assist a work-based or broader attack. I still come across organizations that either ignore this element of security altogether, or state that they “have this covered”, or for whom this is seen as a lesser threat than more technical attacks. Unfortunately, people are often easier to “hack” than technology and are not as easily repaired, so I see a lack of attention to the topic by an organization as negligent to the duty of care they have to protect their employees.
You stated recently that security teams are sometimes ‘lost in the weeds’ when it comes to defending against social engineering attacks. Can you explain your thinking on this?
Security teams do a difficult job and being “in the weeds” is a term that describes the situations when we are so immersed in the details of a task it is hard to rise above that and look at the situation objectively. For those teams whose job it is to perform mock social engineering attacks within their own organization it can be very difficult to achieve the level of disengagement required to scam your own colleagues effectively in the same way a malicious attacker would. There is a group dynamic and a social contract which is unhelpful in the role, that those from outside the organization (malicious or not) are simply not bound by. The more emotional distance you have from a target the better for a social engineer, and internal teams inherently do not have that advantage.
What’s the best form of training against social engineering? What works and what doesn’t?
In my opinion, it’s not the delivery method that really matters here as much as the strength of the message and the strength of the personal connection people need with it in order to act. Training relies on engagement and participation regardless of the topic. For Social Engineering, the best training engages the learner on a personal level by connecting their own experience and situation with the topic at hand, and then prompting them to behave differently in both their own interests and those of their organization.