Social Engineering can be summed up as ‘hacking the human’. Traditional malicious hacking attacks a digital instance of an organisation (i.e. website, network or system) and attempts to gain unauthorised access or cause harm by exploiting a vulnerability. Social engineering instead focuses on a person and attempts to exploit human frailties by coercing or tricking the recipient into giving up sensitive information, clicking on a malicious link or allowing unauthorised access to property or IT estate.
In this article, we will articulate the benefits of running simulated social engineering testing, outline the most common forms of attack and explain how you remediate the weaknesses uncovered by running the tests.
With around 60 – 80% of all cyber breaches being attributed to human failings, a well-executed and properly remediated social engineering testing exercise can significantly reduce the chance of a successful information or cyber security breach.
What are the most common and dangerous forms of social-engineering?
Social engineering attacks are many and varied; however, they all share one thing in common, and that is the manipulation of a person for nefarious ends:
- Phishing – as discussed in a previous article (Spear Phishing – Why you should ‘Fear the Spear’), the term phishing applies to a mass, multi-recipient, untargeted campaign in which the emails are often poorly worded and non-personalised, and encourage the recipient to click on a malicious link, give up credentials or sensitive data, or download malware. Spear phishing and its variants are targeted, more sophisticated attacks that focus on a specific user, often purporting to come from a senior colleague and requesting that funds be transferred to a fraudulent account.
- Pretexting – either over the phone or face to face. The attacker assumes a false identity; this could be anything from a helpdesk operator through to an authority figure of some sort. They use this method to trick the victim into allowing unauthorised access, handing over sensitive data or transferring funds.
- Baiting – using the element of enticement, victims are tricked into divulging information or allowing access by something they perceive to be of value. This could be anything from a download link that promises free digital gifts to infected USB drives purposely dropped by attackers, often containing fake folders with irresistible titles such as ‘2019 staff salaries’. On opening the file, malware infects the user’s system.
- Tailgating – also referred to as piggy-backing. Often armed with, say, a coffee in one hand and a phone held to the ear with the other, attackers rely on the inherent politeness and courtesy of staff to hold open access-controlled doors. Or, more covertly, the intruder simply follows closely behind the authorised person through the doorway without them being aware.
How does simulating social-engineering testing help prevent attacks?
“Tell me and I forget. Teach me and I remember. Involve me and I learn”
This adage resonates especially with defending against social engineering attacks. Users are often limited by their imagination and by a false sense of security that comes from being behind the closed doors of their workplace. Good simulated social-engineering testing not only involves the testing itself but is also evidenced by metrics and, where appropriate, video and audio artefacts.
Consider a simulated phishing email crafted in such a way that its content really sticks in the minds of the recipients, one that captures their imagination and gets them talking. When the users are then informed that it was a test and shown the evidence that it was not a genuine opportunity to win a free holiday, the lesson really takes hold. Suddenly they are thinking about how they approach their emails in a different way – a cyber secure way.
The same goes for all the examples above. Imagine a simulated attacker talks his or her way past the reception desk and onwards through to unauthorised access, backed up with covert video and audio evidence. When staff are presented with this evidence they are no longer being asked to imagine an intruder attack; they are seeing one taking place with their own eyes.
What steps to take once the simulated attack exercise is over
This is a critical element of the undertaking: how you approach it will determine whether you get employees on board or, conversely, risk alienating them and pushing them away.
The first thing to remember is not to point the finger of blame at any individual. This is about changing the culture of the whole company and should be approached in that manner. A good way of making this inclusive is to show how a senior board member was targeted and fell foul of the test.
The next step is to make sure that your policies and procedures back up the message and provide support to your employees. If you are going to be asking them to challenge strangers, then give them the back-up of a policy to make it less personal and awkward.
“Sorry, I’d love to hold the door open for you, but as per our security policy I can see you haven’t got the appropriate visitor pass on. I’ll walk you back to reception and you can get things cleared up there.”
Similarly, have well-documented and easily accessible procedures in place. Have fail-safes for the transfer of funds, for example.
To keep the message in their heads, feed them regular, short, snappy multimedia messages on the subjects at hand. Make use of posters and other collateral – for example, a poster above an access-controlled door articulating the dangers of tailgating not only acts as a constant reminder to staff but is also a useful tool to refer to should staff need to confront an unauthorised visitor.
17 years of designing, developing and delivering social engineering engagements
Risk Crew have been at the forefront of running successful, simulated Social Engineering-based testing for over 15 years.