No matter how technically secure we make our devices, systems and accounts, there is always a human component to any cyber security protocol. Hackers and bad actors recognize this, and oftentimes resort to manipulating the users who have access to these systems into providing the information needed to walk in through the front door. This manipulation of human behavior is called Social Engineering. Consequently, users and cyber security experts always need to be wary of any communication, since there is always the chance that the sender is a hacker in disguise trying to gain illicit access. Below is a list of some of the most common Social Engineering techniques, along with the methods available to detect and prevent them, on which cyber security experts should train their system users.
Hackers often use a technique called phishing to gain account information over email, instant message, or some other form of electronic communication. Once a hacker has gained access to one user's email account, they will often use that account to try to gain access to more accounts via phishing. If you receive an email, even from a friend, colleague or acquaintance, that contains a link or download, a sense of urgency, and possibly either a promise or a threat, be very suspicious. Do not open the link or download the attachment, since it could be malware or a virus ready to infect the system. If it is from a sender you know, call them first and confirm that they actually sent it. Oftentimes these phishing messages will contain a narrative. The classic narratives are a baiting scenario, where something is dangled that entices the user to continue the communication; a response-to-an-unasked-question scenario, where a supposed reply to a request for help the user never made entices them to continue the communication; and a threat scenario, where particularly malicious hackers intentionally try to sow distrust by threatening to end access to an account, by using illicit language, accusations of impropriety, illegality or violations of social norms, or by threatening property or limb in order to gain the victim's compliance. The goal of each of these scenarios is ultimately to compel the user to provide protected or sensitive information. Consequently, system policies and methods must be built on the rule that password, username, and account information is never shared electronically. Coach your users never to share passwords, financial account information, or usernames of any type electronically, not just the corporate proprietary ones. Furthermore, if you are in charge of managing these user accounts and need to reset passwords or create usernames as part of your day-to-day routine, never deliver them electronically. Always write them down on a sheet of paper (you cannot hack pen and paper) and hand-deliver the information. This way, you set the example you are coaching your users to follow.
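The phishing indicators above (a link or attachment, urgency, a promise or a threat, and a request for credentials) can be turned into a simple triage heuristic that a help desk or mail filter can run over a reported message. The following script is an added example, not code from the original article; the keyword lists, the sample messages and the "lure plus pressure" rule are constructed for illustration and would need tuning for real mail.

```python
import re
from dataclasses import dataclass

# Constructed indicator vocabularies (assumption: a real deployment would tune these).
URGENCY = ("immediately", "urgent", "within 24 hours", "right away", "asap", "act now")
PROMISE = ("prize", "reward", "bonus", "gift card", "won", "free")
THREAT = ("suspended", "terminated", "locked", "legal action", "disciplinary",
          "lose access", "consequences")
CREDENTIAL_ASK = ("password", "username", "account number", "passcode", "login")
URL_RE = re.compile(r"https?://\S+|www\.\S+", re.IGNORECASE)


def _phrase_re(words):
    # Whole-word match so "won" does not fire on "wonder".
    return re.compile(r"\b(?:" + "|".join(re.escape(w) for w in words) + r")\b")


URGENCY_RE, PROMISE_RE, THREAT_RE, CRED_RE = map(_phrase_re, (URGENCY, PROMISE, THREAT, CREDENTIAL_ASK))


@dataclass
class Verdict:
    score: int          # number of indicators present
    reasons: list       # human-readable indicator names, in a fixed order
    suspicious: bool    # lure (link/attachment) combined with at least one pressure indicator


def score_message(subject, body, attachments=()):
    """Score one email against the social-engineering indicators described in the article."""
    text = f"{subject}\n{body}".lower()
    reasons = []
    lure = bool(URL_RE.search(text)) or bool(attachments)
    if lure:
        reasons.append("contains link or attachment")
    if URGENCY_RE.search(text):
        reasons.append("urgency language")
    if PROMISE_RE.search(text):
        reasons.append("promise or bait")
    if THREAT_RE.search(text):
        reasons.append("threat")
    if CRED_RE.search(text):
        reasons.append("asks for credentials")
    pressure = len(reasons) - (1 if lure else 0)
    return Verdict(len(reasons), reasons, suspicious=lure and pressure > 0)


# Constructed sample messages, not real mail.
SAMPLES = [
    ("Action required", "Reset your password via http://example.invalid/reset within 24 hours "
                        "or your account will be locked.", ()),
    ("Tuesday notes", "Attaching the meeting notes from Tuesday, let me know if I missed anything.",
     ("notes.docx",)),
    ("Congratulations", "You have won a gift card, claim it at www.example.invalid/claim", ()),
]

if __name__ == "__main__":
    for subject, body, attachments in SAMPLES:
        v = score_message(subject, body, attachments)
        print(f"{subject!r}: suspicious={v.suspicious} score={v.score} {v.reasons}")
```

The second sample shows the intended behaviour on a benign message: an attachment alone is not enough to flag it, only an attachment or link combined with pressure (urgency, a promise, a threat, or a credential request) is.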
Pretexting is when a hacker impersonates or fabricates somebody else to provide a pretext for a victim to divulge information. Pretexting relies on trust; the hacker needs to create a persona convincing enough, with as few holes as possible, to disarm the victim. They are thus required to fit a role in which the victim will trust that they are entitled to the information requested. Consequently, hackers who utilize pretexting are often great researchers. They will know which companies the victims hold accounts with, and at the very least will know the victims' names before they make contact. Common examples of pretexting include unsolicited calls from someone pretending to be a representative of an outsourced IT service who needs your username or password to complete some routine behind-the-scenes maintenance, or a rep from your bank requesting your account number and passcode to verify that your account has not been hacked. Consequently, IT and security professionals must implement a system in which every contact from clients, vendors, and other companies through which business is conducted is known and has a proper channel of communication. There should be a designated contact for each account; that contact should know everyone they do business with on that account, and should require an introduction from an existing contact before new contacts are allowed to conduct business on said account. Other policies should include not relaying any sensitive passcodes or account identifiers to unknown persons or entities, even if they claim to work for a known contact.
Tailgating is when a hacker physically enters the premises, often by impersonating a delivery driver or by simply following authorized personnel closely onto the site (often by acting as if they are supposed to be there and asking an employee to hold the door). This is most commonly seen at small and mid-sized businesses, which often lack physical onsite security. Larger businesses, or businesses located behind a security checkpoint (such as in large towers in urban centers), are fairly immune to this. However, once a hacker has tailgated onto the premises, they will try to find a physical access point through which they can enter the network. Consequently, those in charge of coordinating IT and security policy should require that all users lock their machines when they are not using them. Server rooms and central system nodes should remain in an access-controlled environment behind a door or gate that is always locked. If these policies are kept, it will be close to impossible for an attacker to gain access to the network before they are discovered.
In the post-recession era, where there is the (often factual) perception that companies are not loyal to their employees, those same employees have often proven not to be very loyal to their employers. Consequently, hackers have of late found that simply asking employees to provide information in a quid-pro-quo deal is a fruitful approach. There are examples of employees giving away their login credentials for as little as bars of chocolate. More high-end targets require more investment, though: many Apple employees have been offered five-figure payouts for their account information. Consequently, it is not uncommon to see system administrators monitoring accounts for suspicious activity. IT departments have also been known to set up anonymous tip lines to protect their systems, as well as maintaining regularly scheduled password updates in order to limit the window of opportunity for hackers who gain access to a network.
While bribery is the carrot approach, threats are the stick approach. While it is always a possibility, the number of hackers who resort to directly contacting users and threatening them into providing information is not very high. This approach often requires hackers to break more than just cyber laws: physical intimidation, assault, battery, slander, libel, stalking, kidnapping, and theft are all charges that could be levied against hackers who utilize threats. However, it happens. Hackers have been known to physically threaten family members or loved ones of users to gain access to networks, as in the Harrison Ford film Firewall. Similarly (and more commonly), hackers have used blackmail to achieve their aims, as was documented after the Ashley Madison hacks. Consequently, organizations will want to know the personality of their employees. If something seems amiss, coworkers and IT departments should be aware of behavioral changes. Provide a safe space and resources for users, so that if they are threatened they are treated not as malicious threats to the network but as coworkers and friends who need help. Allow for anonymous tips on behavioral changes, and don't be afraid to ask what's up if a user seems to be acting differently. However, if they are acting differently, monitor their accounts as closely as you can to ensure that their usage and habits are not changing. Again, a password-expiration policy will limit the window a hacker will have to access information.
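Both the bribery and the threat paragraphs fall back on the same two controls: watch an account's usage for a change in habits, and expire passwords so a leaked credential has a bounded lifetime. The script below is an added example of those two checks, not code from the original article. The login records, the baseline cutoff date, the one-hour slack on login times and the 90-day maximum password age are all constructed assumptions; a real deployment would read authentication logs and the directory's password-change timestamps instead.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login records (user, ISO timestamp, source address). Not real data.
LOGINS = [
    ("alice", "2024-03-01T09:05:00", "10.0.1.20"),
    ("alice", "2024-03-02T08:55:00", "10.0.1.20"),
    ("alice", "2024-03-03T09:10:00", "10.0.1.21"),
    ("alice", "2024-03-04T17:30:00", "10.0.1.20"),
    ("alice", "2024-03-10T02:40:00", "203.0.113.7"),   # off-hours and a never-seen source
    ("bob",   "2024-03-01T13:00:00", "10.0.2.5"),
    ("bob",   "2024-03-09T13:15:00", "10.0.2.5"),
]

# Constructed: last password change per user, and the "current" date for the check.
LAST_CHANGED = {"alice": datetime(2023, 11, 1), "bob": datetime(2024, 2, 20)}
CUTOFF = datetime(2024, 3, 5)   # logins before this date form the baseline
NOW = datetime(2024, 3, 10)


def build_baseline(records, cutoff):
    """Learn each user's usual login hours and source addresses from logins before cutoff."""
    base = defaultdict(lambda: {"hours": set(), "sources": set()})
    for user, ts, src in records:
        when = datetime.fromisoformat(ts)
        if when < cutoff:
            base[user]["hours"].add(when.hour)
            base[user]["sources"].add(src)
    return base


def _hour_distance(a, b):
    # Distance on a 24-hour clock, so 23:00 and 00:00 are one hour apart.
    d = abs(a - b)
    return min(d, 24 - d)


def find_deviations(records, baseline, cutoff, hour_slack=1):
    """Flag post-cutoff logins that fall outside a user's learned hours or come from a new source."""
    alerts = []
    for user, ts, src in records:
        when = datetime.fromisoformat(ts)
        if when < cutoff or user not in baseline:
            continue
        reasons = []
        hours = baseline[user]["hours"]
        if not any(_hour_distance(when.hour, h) <= hour_slack for h in hours):
            reasons.append(f"login at {when.hour:02d}:00 outside usual hours {sorted(hours)}")
        if src not in baseline[user]["sources"]:
            reasons.append(f"new source {src}")
        if reasons:
            alerts.append((user, ts, reasons))
    return alerts


def expired_passwords(last_changed, now, max_age_days=90):
    """Return users whose password is older than the policy allows (90 days assumed)."""
    return sorted(u for u, changed in last_changed.items()
                  if now - changed > timedelta(days=max_age_days))


if __name__ == "__main__":
    for user, ts, reasons in find_deviations(LOGINS, build_baseline(LOGINS, CUTOFF), CUTOFF):
        print(f"{user} {ts}: {'; '.join(reasons)}")
    print("passwords past max age:", expired_passwords(LAST_CHANGED, NOW))
```

A deviation alert is a prompt for the conversation the article recommends ("ask what's up"), not proof of compromise; the value of the baseline is that it makes a change in habits visible early, while the expiry check bounds how long a credential obtained by bribery or coercion stays usable.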