Blog Home Page Next article: HIPAA Understood: An Introduction
Social Engineering: Hacking the Human Brain
How do you hack a network with every modern safeguard and tool in place and a seasoned team of veteran professionals at the helm of your IT department? Surprisingly enough it doesn’t take that much. After all, who needs to be an all-star hacker looking for a small crack to wiggle through if they can convince your users to open the front door? That’s basically what social engineering is all about. Attackers have one target – the mind of the user – and the objective is to hack their brain so they can circumvent the technical and physical security safeguards and entice them to forget or ignore organization policies, procedures, and training. Anyone, at any time can be targeted by these attacks and it only takes a single user connected to a single system to bypass complex and expensive security controls in place. In this post, we hope to pass on the knowledge we have learned from our social engineering engagements and maybe benefit someone with the knowledge of how to identify and avoid even the most cleverly-designed attack methods.
There are generally two major types of social engineering attacks: remote and onsite. Within each are a myriad of techniques that attempt to trick the user into divulging sensitive information or to perform a task that leads to the system becoming compromised.
Anyone, at any time can be targeted by these attacks and it only takes a single user connected to a single system to bypass complex and expensive security controls in place.
Remote (Phishing) Attacks
The target is contacted by phone in an attempt to get passwords, usernames, names of network administrators, or proprietary information. Typically, the assailant will try and obtain small pieces of information from several different users to keep from looking suspicious. At other times, they may go for broke claiming to be from the IT department or help desk and calling every user on their list until they reach a “thankful” person who is relieved to finally get their ticket answered.
There are many types of attacks that come through this medium. The first is similar to the phone call where the attacker attempts to lure the user into divulging information with an email from someone who appears trustworthy. Another type of email contains malware-laden attachments that infect a system when downloaded. Still others may contain links to spoofed sites (clone of a real website or page) that promise rewards for users if they enter their credentials (also known as “water holing”)
By far, the most successful type of social engineering attack comes in the form of spear phishing. Users are selectively targeted for characteristics such as technical level, title, or previous successes by the same attacker. Normally, the assailant will attempt a small volume of emails or calls to avoid spam filters and detection systems and will converse multiple times with willing participants. Patience rewards these criminals, however, because after earning the target’s trust they can expect in upwards of a 33% success rate in these types of attacks.
Engaging someone in conversation and asking them a question that will require accessing the network or the Internet with the intent of reading or recording their username and password as they are typed.
Following on the heels of employees entering a building can be all it takes to beat a company key card access control. We find that simply pretending to be courteous and holding the door can work wonders for someone seeking access to a building or secured area. These are especially effective around designated smoking areas where the attacker can immediately become part of a social clique and earn the trust of others who share a common interest.
With the appearance of performing an IT asset inventory, the attacker installs a USB key logging device on common-use/shared workstations to record usernames and passwords.
Portable Media – DVDs, CDs or USB drives – are placed in common-use areas like bathrooms, stairwells, and parking lots with enticing labels like “Executive Salary Payouts 2017” or “Confidential.” Just as effective, dropping off a box of USB drives with the company logo to reception with a “Hi I’m Bob from marketing we ordered way too many of these thumb drives – can I leave a few boxes here so that anyone that wants or needs one can get them? Please make sure everyone gets just one!” These devices “call home” with the local username, password, IP address, computer name, and MAC address. The PC remains unharmed and each user completely unaware.
...you should be taking the time and effort to build layers of safeguards into your network... But it all amounts to nothing unless there is a culture of security surrounding your end users.
There are many ways to avoid falling prey to the above techniques, but we cannot list them all here. From a technical standpoint, it goes without saying that you should be taking the time and effort to build layers of safeguards into your network infrastructure with the latest AV software installed on all your systems with alerts and update notifications throughout the day. You or your IT team are already doing that. But it all amounts to nothing unless there is a culture of security surrounding your end users. How do you do that? Think of it like this – How do you update antivirus and patch code in the human brain? Education, training, and testing.
At Spohn Consulting we offer customized Social Engineering engagements customized to test your specific environment including training, policies and procedures. We tailor it to your desired target audience – IT dept., help desk, administrative assistants, or all employees. We can also customize to meet specific regulatory requirements such as NERC or HIPAA/HITECH. At the conclusion of the engagement you receive a detailed report of findings along with in-person consulting and recommendations on where to start with addressing any issues found. For more information on engagements, please visit our Social Engineering page.