On this blog, we’ve had a lot of discussion about the problem of human behavior when it comes to cybersecurity. For example, we have looked at the Sony Pictures breach, which was caused by spear-phishing emails. We looked at Edward Snowden’s hack of the NSA, which he accomplished by simply calling agents and requesting their login credentials (a combination of “pretexting” and phone phishing). We even examined the notorious agent.btz worm that spread through the entire DoD network when an agent used a USB drive he found in a parking lot.
While all of the above-mentioned data breaches were accomplished by different means, they all have one thing in common—all three of them employed some form of human-based tactic. The biggest reason that humans are a data security risk factor can be summed up in two words… Social Engineering.
Social engineering, in cybersecurity terms, is defined as an “attack vector that relies heavily on human interaction and often involves tricking people into breaking normal security procedures.”
Many people may not be immediately familiar with the term, but social engineering has been around for a very long time… even before the rise of the internet and computers. In fact, con artists have been using these sorts of tactics since who-knows-when. Although the widespread use of social engineering by cybercriminals has only begun in recent years, hackers have been doing it for decades. For example, remember that scene in WarGames (1983) when Matthew Broderick steals a password from his high school’s office to hack the system later (to change his grades, of course). Or how about that scene in Hackers (1995) when one of the hackers calls the security desk at a TV station to gain their modem access numbers (Please ignore the fact that this movie predicted people would still be using LAN modems and floppy disks in the future). Lastly, there’s the slightly more recent but far lesser-known film Takedown (2000), which was based on the life of real-world hacker Kevin Mitnick.
All of these scenes depict hackers using social engineering methods in order to get around a target network’s security measures.
The reason that hackers and cybercriminals choose to employ social engineering tactics is simple—they get a better return with less time and effort. After all, it is much harder for them to infiltrate systems by developing zero-day exploits, spending days or weeks writing custom exploit code, identifying site/system vulnerabilities, and/or crafting custom data payload droppers.
Why would they spend weeks doing all that when they can just spend a day or two phone phishing by making a bunch of calls to people in their target network until they find someone who is gullible or trusting enough to provide them with the information they need? It is much easier to “hack people” than it is to hack a computer network, it seems.
Or, they could just spend $50 on a bunch of thumb drives, load them up with Remote Access Trojans (RATs), and leave them scattered around the target office building’s parking lot. All it takes is for one employee to find one of these “free USB drives” and insert it into his/her office computer… and presto! Network infiltrated.
Then again, if the cyber group is especially bold, they might just try to access the network from within. For example, they submit a doctored-up application that scores one of their members a job interview at the target company. The chosen “plant,” upon arrival, approaches the front desk with a sad look, a coffee-soaked resume, and a thumb drive and says (ever so politely), “I am so sorry, ma’am. I spilled coffee all over my resume as I was getting out of my car. Would it be too much trouble for you to print another one out for me? I have a copy on this thumb drive.”
People, for the most part, like to be helpful and are more than likely to insert the thumb drive, print the resume, and unknowingly upload a RAT to the office network.
Scary stuff, huh?
Want to know how you and your practice staff can defend yourselves against social engineering tactics?
Well you’re in luck… I will be discussing how to deal with social engineering during the Reducing Cybersecurity Risks in Your Practice seminar this week at the Nextech EDGE conference.
Since I do not want to be a total spoiler for those who are attending, I will be posting the second half of this blog series once I have returned from EDGE.