Why we are losing the battle in cybersecurity:
Part Two - Social Engineering
Ubiquiti Networks produces enterprise-level security products like firewalls and switches. We can surmise that their own network is strong, complete with next-generation firewalls, secure access points and solid security gateways. However, none of this helped them in 2015 when they fell victim to a ‘CEO fraud’ scam to the tune of 46 million dollars (some of it was later recouped). CEO fraud, aka Business Email Compromise, is a social engineering scam where someone impersonates a high-level figure in the company, for example the CEO. Usually, an email is sent to an admin person or finance person in the company requesting that funds be moved. In this case, a huge amount of money was wired before the company realized what was going on. Talk about a bad day at work when you find out your error cost the company millions of dollars!
In this article series we are looking at why we seem to be losing the war in cybersecurity. In part one we looked at why Russia is a key reason. In this article, we focus on social engineering or… hacking people.
Social engineering is the art of exploiting human psychology to gain access to buildings, systems or data. It is a lucrative business. It turns out that while hacking hardware is complicated and requires great skill... hacking people is oh so easy. The FBI reported that Business Email Compromise (BEC), a popular form of social engineering, caused losses of 1.8 billion US dollars in 2020 (in the US).
Our staff are an integral part of our cybersecurity defenses… our human firewall. We often think of our staff as our greatest assets. Rightfully so… they are on the front lines, talking to clients, making deals and loyally promoting our brand. They are in the background working hard to fulfil their role and meet their goals in the organization. We invest in them and without them, our business would not be possible. However, as far as cybersecurity goes, they can also be your weakest link.
As long as we allow our staff to use their own judgement to make security-relevant decisions, social engineering will thrive. There is a simple way to prevent the vast majority of social engineering attacks, and we'll look at that later in this article. First, let's take a look at why it's so successful.
One reason social engineering is easy is that we train our employees to be helpful. We love it when our staff provide service that exceeds the clients' expectations, as it helps our business and our brand. Unfortunately, this kindness is often used against them in a social engineering attack.
Being helpful is one way people are hacked. There are many other reasons that make it easy. Or shall we say, there are many other emotions to hack. Social engineering boils down to manipulating our emotions. The following chart shows common types of cons and the emotion each one tries to hack.
| The Emotion | What They Say | The 'People' Hack |
|---|---|---|
| Fear | If you don't do as I say, something bad will happen. | I had better do what they are asking or I will look bad, be embarrassed, or even lose my job. |
| Authority | I have more seniority than you. Do as I ask. | This is my supervisor; I had better do what they say. |
| Greed | Help me out with this. There will be something in it for you. | If I do what they are asking, there will be a reward in it for me! |
| Vanity | You are a ‘regular’ worker and I am confiding in you to assist an executive with a task that no one else knows about (common with BEC). | Wow! It’s euphoric to think that I am in cahoots with an exec to accomplish this strategic power play for the company. I’m going to look great! |
| Urgency | I need your help now as this is a critical issue. | This task is important and needs to be done immediately. |
| Curiosity | I'm going to share some information that not many people know about. Don't tell anyone else about it. | If I do this task I will be privy to information that very few people know or have access to. How cool! |
Don't Underestimate Them
Humans have emotions and emotions can be manipulated. Often, in retrospect, a victim simply cannot believe that the attacker went through the trouble of carrying out a certain attack. It seemed so improbable and so much work. We cannot underestimate them. In one case, ethical hacker Chris Nickerson people-hacked his way into a client’s network and database in a couple of hours with a $4 Cisco T-shirt he got at a thrift store. He gained access to the office, sat at computers and cracked Windows passwords, all while joking around with the people around him.
Another ploy that works well is using information that the victim thinks is private. A recent BEC hack was successful because the impersonator mentioned that ‘she’ was getting on a plane shortly and would not be able to reply. The boss of the company was actually flying that day and had mentioned it in a social media post. So the assistant believed the hacker and proceeded to wire money. That piece of info added a level of legitimacy. Social media is a goldmine of information, so we should limit what we put on there and make our profiles as private as possible. But useful tidbits can also be garnered in unexpected ways.
In another example a hacker gained access to a network by looking at a discarded ‘Print Test Page’. These contain details of a printer in the office. Posing as a tech, he went into the office and said he was there to look at this specific printer. The receptionist thought, ‘How would he know this?’ And he even had a clipboard, which is the international symbol for ‘I’m doing something important’ (successful hacks have been achieved with nothing but a clipboard!).
Another secret to the success of social engineering is pretexting. This is when hackers try to build a level of trust before delivering 'the ask'. It can be as simple as an email that looks to be from your boss that says ‘Are you available?’. Nothing alarming about that (assuming your boss is not within eyesight). There is no request in the email. Completely innocent, no need to even check the ‘reply to’ email address. So you respond – Yes, I’m available. The next email comes, but now they’ve established a little trust, and when the request to wire money or purchase gift cards arrives, it is not as shocking. It works very well.
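The pretexting exchange above has a mechanical tell from the very first message: the display name says ‘boss’ but the sending address does not belong to the company, and by the second message the reply-to address, a look-alike domain and the payment language all show up. The following is an added example, not from the article, of how a mail gateway or help desk triage script could surface those indicators so that the decision is not left to the recipient's emotions. The company domain, the executive directory and the three sample messages are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed for the example: the organisation's own mail domain and a
# directory of executive display names that attackers like to impersonate.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Words that typically accompany 'the ask' in a BEC message.
ASK_WORDS = ("wire", "transfer", "gift card", "invoice", "urgent", "confidential")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _text_body(msg) -> str:
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return " ".join(p.get_payload() for p in parts if p.get_content_type() == "text/plain")


def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC indicators found in a raw RFC 2822 message (empty list if none)."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    found = []

    # 1. Display name of a known executive, but the address is not theirs.
    name_key = from_name.strip().lower()
    if name_key in EXECUTIVES and from_addr.lower() != EXECUTIVES[name_key]:
        found.append("display-name impersonation")

    # 2. Sending domain is a near-miss spelling of the company domain.
    if from_dom and from_dom != COMPANY_DOMAIN and _edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
        found.append("lookalike domain")

    # 3. Replies would go somewhere other than the apparent sender.
    if reply_addr and _domain(reply_addr) != from_dom:
        found.append("reply-to mismatch")

    # 4. The body carries payment or urgency language.
    body = _text_body(msg).lower()
    if any(word in body for word in ASK_WORDS):
        found.append("payment/urgency language")

    return found


# Constructed sample messages: the innocent-looking pretext, the follow-up
# with the ask, and a genuine internal message for comparison.
PRETEXT = """From: Jane Doe <jane.doe@gmail.com>
To: assistant@example.com
Subject: Quick question
Content-Type: text/plain

Are you available?
"""

ASK = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@outlook.com
To: assistant@example.com
Subject: Re: Quick question
Content-Type: text/plain

I'm boarding a flight. Please wire the vendor payment today, it is urgent and confidential.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: assistant@example.com
Subject: Room booking
Content-Type: text/plain

Can you book the conference room for Thursday?
"""

if __name__ == "__main__":
    for label, sample in (("pretext", PRETEXT), ("ask", ASK), ("legit", LEGIT)):
        print(f"{label}: {bec_indicators(sample) or 'no indicators'}")
```

The point of running this on the first ‘Are you available?’ message is that the impersonation is already detectable before any request is made, which is exactly when the recipient is least inclined to look. A real deployment would take the executive directory from the identity system and feed the indicator list into a quarantine or banner rule rather than relying on a person to notice.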
Let’s talk now about what we can do to prevent people hacking. The good news is that almost all social engineering tactics can be eliminated by one thing… policy. We are going to talk about culture at the same time since you can’t have effective policy without a good security culture.
Policy and Culture
Policy is the single most important thing you can do to prevent social engineering. Policy takes the guesswork and emotion out of decision making. Better said, policies allow staff to make decisions that protect the organization and its data. For example, think of some of the tactics mentioned previously:
A ‘printer tech’ shows up and says he is there to work on the specific printer you have. Seems legit. But wait… your policy dictates that all visitors must sign in, and show ID if they are not known at the site. Or perhaps the policy is that an appointment is necessary with the person in charge of IT. And/or there is a policy that states the tech must be escorted to the printer and a staff member must be present with him the whole time. The options are endless and depend on your situation, but one thing is for sure... you are not going to let some random person into your office without some kind of authentication and verification.
Or, you get an email from an executive requesting that you purchase something or move money. You know it’s fake because there is a policy that dictates that these types of requests come from a certain person. The policy also states that requests to move money need to be authenticated by 2 staff. Or perhaps your policy is that internal communications happen on Microsoft Teams, which makes this email an immediate red flag.
We can see how these systems protect the business by ensuring that proper decisions are made. Easily manipulated emotion is removed from the equation. It is good to think of these administrative controls as systems. Policies are a hard sell, so formal and rigid. But systems… well, systems are how any good business is run. Presenting policy in a positive light, as checklists or systems, will help with adoption.
Policy is useless if it is not followed. If policy adherence is weak then we might as well not even bother as we are allowing room for undisciplined decisions and therefore easy manipulation.
Good security culture comes from the top down. The old adage ‘security is everyone’s business’ gives words to live by in the workplace. Here are some important elements of a great security culture in your organization.
Security Training - Staff need to know how to identify phishing emails. They also need to know who to ask if they are not sure, and how to report one they know for sure is malicious. A training program will include regular messaging – email reminders and tips, even posters/signs on the wall. Security training courses that are tracked to make sure all staff complete them are important. A good training program will include phishing tests, where fake phishing emails (yes, fake fake emails) are delivered to inboxes to see if staff click them. If they do, they need more training.
Foster Good Communication - Talk about security. Include it as an agenda item in appropriate staff meetings and internal communications. Encourage staff to talk to each other about anything suspicious. The ‘there are no stupid questions’ attitude is an important component of these interactions. Think about gamifying security awareness to make it fun.
Develop Policy - Work with your vCIO to create checklists, systems and policies that keep the organization and its data safe. Follow the policy. Even (especially) bosses and managers. No shortcuts. If the leaders don’t follow the rules, no one will.
Policy Examples
Here are some good policies to start with:
Staff Policies
Acceptable Use Policy – How are computing devices to be used at work? What can staff do on the computer, and what should they not be doing? What expectations of privacy do staff have? What are the consequences for failure to follow the rules?
Security Incident Response – Short and simple instructions as to what to do with a suspicious email or activity. For larger organizations, a more in-depth plan on what to do and who to call in the event of a breach.
Work from Home Policy – What special rules and what additional security are in place for remote workers?
Bring-Your-Own-Device (BYOD) Policy – If the organization does not provide a device, what are the expectations for the use of employee devices? What security must be applied? What data, if any, may be stored on it? Who pays for repairs/upgrades?
Internal Policies
Data Backup Policy – How is data backed up and what needs to happen to restore it? How often is it tested? Who is responsible for making sure it happens? This should tie into a broader Business Continuity Plan, which would cover serious events such as a disaster or the loss of key personnel.
Anti-malware Policy – What protections are installed/configured on computers? How are updates enforced?
Other Policy – How to report computer issues. How are computer support and repair requests handled? How are onsite technicians verified? What remote agents are installed on computers? How do staff communicate internally?
The list could go on ad infinitum. Don’t get overwhelmed, but do start developing them and living religiously by them.
Social engineering is not a new danger for businesses; it has been going on for as long as commerce has been around. Good training, comprehensive policy and a strong security culture are the best defenders. There are many avenues that social engineering can take into your organization. The most popular and effective is email. We will look at email and the threats that come with it as the next reason we seem to be losing the war in cybersecurity. Coming soon.
Sources
https://www.csoonline.com/article/2123704/social-engineering--anatomy-of-a-hack.html
https://krebsonsecurity.com/2015/08/tech-firm-ubiquiti-suffers-46m-cyberheist/
https://gatefy.com/blog/security-statistics-facts-email-main-vector-cyber-threats/
https://gatefy.com/blog/key-points-fbi-internet-crime-report-ic3-2020/
https://www.vadesecure.com/en/blog/pretexting-5-examples-of-social-engineering-tactics