What is Social Engineering –
Recognizing the Threat and Fixing the Real Problem
In today’s corporate America we find ourselves in an ever-evolving war against a flourishing variety of threats. Threat actors performing Denial of Service attacks, phishing schemes, and malware distribution look for and exploit breaks in systems. As victims, we usually have symptomatic ways of identifying these attacks, and they are generally preventable or manageable with systems and technology. Invisible and often undetected, however, is another brand of antagonist looking to expand his knowledge about you and your company, seeking not only information but weak links for further exploitation and benefit. Each tidbit of seemingly meaningless knowledge builds upon the last as this advanced persistent threat evolves through continued exploitation and analysis. These attackers identify the weak links in the human element and work from the inside out, often without visible symptoms until it is too late.
WHO IS THE SOCIAL ENGINEER?
I am sure that most of you have heard the term “Social Engineer” by now. If you haven’t, you may be familiar with more common names like Con Artist, Hustler, Swindler, Fraudster, and Scammer, to name a few. In the tech world, the Social Engineer is simply a new-age term for this line of deception. Don’t be confused by my use of gender in this article either; it’s merely to simplify the conversation. The Social Engineer can be anyone!
The social engineer has an elaborate toolbox at his disposal and, unfortunately for us as victims, we have a predisposition to give him what he wants. With aggressive actions he uses fear, intimidation, and extortion to meet his ends. More commonly, he manipulates using sympathy, empathy, and altruism, and can oftentimes be completely invisible in our daily routines. Understanding how this works goes a long way, but it’s useless without a true risk analysis of your information, determining what is private and what is public.
WHAT IS THE TARGET?
The target is typically confidential information, and its value is determined through analysis. Classifying that information or data allows you to understand it the way a Social Engineer does: what it is and how it impacts the business.
The target is a wide swath of information, as even things deemed for public use can be manipulated to force the hand of the willing or unaware. This information can range from credit card data and PII to insider information and trade secrets. These tidbits are usually easy to identify; Social Security Numbers, home addresses, and employment records are just a few of the targets. Softer targets like where you bank, your favorite airline, or even your email accounts can become another proxy used to reach the end game of completing the breach. The real danger is that Social Engineers find ways to easily gather this information: items left unfiled on your desk, misplaced in the garbage, or even volunteered through conversation become open books to someone who knows what they are doing.
Having a good outline of what’s important and what isn’t should be a requirement for every company. It’s not enough to merely assume that your employees will know right from wrong; it requires education. No matter the expertise of your employees, someone will not know the threats and consequences of Social Engineering unless it’s laid out for them. The process isn’t a simple one and, to make matters worse, the threat is persistent in today’s corporate America. Proper risk analysis is the key to keeping your information safe; negligence and ignorance are not an excuse. If you don’t know your targets, you can’t protect them. If you don’t educate your staff to be gatekeepers on these matters, they actually become the “real” targets, as people are now the conduits to this information and the weak link.
HOW DO YOU HANDLE THE RISK?
Hopefully by now you have identified your risk. Without that information you are simply reacting to problems and issues as they arise. If you do your proper due diligence (even if you then choose the status quo), you are still being proactive about the situation.
If you want to do more, you can reduce the risk by implementing countermeasures. As examples, you can transfer the risk using insurance or by outsourcing your service needs. You can also eliminate risk by discontinuing activities that leave you exposed. Although simply doing nothing and accepting the risk may not seem like a proactive approach, certain things just can’t be planned for. Just because my car might break down doesn’t mean I need to have a second car. I will accept that risk and deal with repairs when and if they are needed. I could even save a couple of bucks just for that event, though that’s now an example of risk reduction.
One of the hardest things for people to understand is that you, your coworkers, and everyone around you are a risk yourselves. Everyone from the gossiping neighbor to your tight-lipped boss presents a differing level of risk, especially in today’s digital age, where people volunteer endless amounts of personal information through social media. Coming to terms with “people” as a risk is imperative if you want to truly combat the Social Engineer. He knows how to manipulate any situation to advance his pursuit. But once you know and recognize that he is present and that the risk is people, it’s a start.
HOW DO YOU FIX THE PEOPLE PROBLEM?
Here we are at the point where we have several pieces of important information. We know the likelihood of being attacked by a Social Engineer and understand what he is looking for. We further recognize that we have a weakness in the human element. This information, coupled with an understanding of what’s at risk, gives us an opportunity to react accordingly.
Defending the company isn’t simply about the implementation of technologies like firewalls, intrusion detection, intrusion prevention, and SIEM (Security Information and Event Management). Although they are all necessary in today’s environment, they’re not enough. The fact remains that the weakest link will be the target for attackers. Technology can only give the appearance of safety if it isn’t coupled with additional resources for your staff to reduce risk.
To fix the people problem you need to train and educate. Don’t assume that people will know how to react to a tough situation. Techniques like email phishing are well-known tactics, yet they still work because the social engineer creates content that entices targets to ignore right from wrong. Simply telling them “don’t touch the shiny object” doesn’t work. Train them to ask questions and be curious about their safety and that of the company. Teach them to ask questions where they have uncertainty. Give them methods of thought that change their paradigm in a manner in which their decisions naturally protect them. As an example, if I get an email from the bank with a link, I don’t click it; I always assume it’s not real. This type of behavior keeps us safe. I manually navigate to the bank site to see what’s up. Sure, it’s very possible the correspondence is valid, but it’s not worth the risk to me, legitimate or not.
You may ask yourself, “Can simply making people aware fix the problem?” and the answer is a resounding yes. If you are persistent about teaching right from wrong, behaviors will most definitely change. Force people to take an interest in their own security and the consequences of negligence. Continued vigilance towards these threats is the best way to help shape behaviors and decision-making.
HOW DO I PROTECT MYSELF AND MY COMPANY?
Finally, we need to take all of these pieces of information and use them to increase our awareness of what we share and who we are sharing it with. Remember, it’s the information we make public that lays the groundwork for further damage. As our lives become more complex and the age of data mobility expands, we need to heighten our ability to see what we share as a risk.
Let’s go over some things we can do to protect ourselves, our company, and those around us.
- Know your assets – Know the things that are most important to you or your business, whether it’s intellectual property, credit card numbers, or Personally Identifiable Information. If they are important enough for business, they are important enough that someone else will want them. Without knowing what your assets are, you can’t protect them.
- Educate yourself – You need to know the things you can do to protect yourself. It’s this education that will change your behavior and reduce your attack surface. Don’t give the Social Engineer a reason to pick you. He preys on the weak in the herd; don’t let it be you.
- Keep your tech up to date – Since we know we are all targets, we can use technology to combat the threat. Make sure you patch your programs. Windows takes care of this for you, but many of us use lots of different programs. Keep them up to date, including your anti-virus software. It can seem overwhelming, but many patches are there to protect identified weaknesses in your programs. It’s just good housekeeping.
- If you aren’t sure, ask – When you aren’t sure whether you should proceed with an email or a line of questioning on the phone, stop and ask an “expert”. They don’t have to be a security expert; maybe they are a lead or manager who has more experience. Odds are in your favor that if you create resistance, the attacker will pick an easier mark. It’s not always true, but suspicious activity can be thwarted this way in many cases.
- Be a little paranoid – It seems like a silly thing to say, but remember that trust is something that needs to be earned over time, not just given. If you are inherently suspicious, it can work in your favor. The social engineer is trying to earn your trust and use it to make you do things you wouldn’t normally do.
- Watch your back – There are several best practices that you can incorporate into your daily routine that can help protect you and your company’s interests:
  - Be mindful of your surroundings and those near you, and be on the lookout for people in your area who don’t belong.
  - Make sure doors close behind you when entering or exiting secure areas.
  - Don’t leave your computer logged in and unattended.
  - Don’t allow guests and visitors into non-public areas without escorts.
  - Clearly mark internal and confidential documents to increase employee awareness of sensitive materials.
  - Have a locking mechanism on your phone.
These are seemingly common-sense approaches that anyone can use to minimize their risk. If you remind yourself of these things with regularity, they will become more and more a part of your routine. It’s these behaviors that, once innate, can protect us from being the easy target. It will take time to change your mindset, but if you aren’t the easy target, it’s likely you won’t be the target at all.
Contact Roach Howard Smith & Barton to speak with our experts on how your company can protect itself from Social Engineering Fraud through insurance coverage and risk management resources.
972-231-1300 or 817-331-1313