Social engineering is a modern form of confidence trick in which attackers use lies and deception to gain the trust of individual employees and convince them to give them access to the corporate network. The only way to afford your business some kind of protection is by focussing on the weakest link in the chain: people. How does it work?
Fraud 3.0. To protect yourself against falling into a trap, you have to ask the right questions at the right time. That’s exactly what the employee of an American tobacco company didn’t do when he answered a call from the in-house IT department last summer. The alleged colleague asked him about his e-mail program, operating system, and VPN provider, amongst other things, saying he needed the information to procure and configure a new computer for him—something he had clearly wanted for a long time. So much so that it didn’t occur to him to ask why the caller knew so little about the systems he was using when he supposedly worked in the IT department.
Thankfully, this story had a happy ending because the caller was taking part in the Defcon hacker conference in Las Vegas, and far from wanting to inflict damage, the goal was to demonstrate to a live audience how easy it is to build trust and exploit it. The foundation of every social engineering attack is to exploit the same basic human emotions: curiosity, plus the desire for community and recognition and for someone to take an interest in us and our wishes.
Manipuly – The game of risk.
Social engineering can also be understood as social manipulation and means the influencing of others with the aim of persuading them to divulge confidential information, transfer funds or purchase certain goods.
Christoph Barreith, Bechtle Solution Architect, Security/Network, is well aware that businesses tend to spend their time and money focussing on and eliminating their IT systems’ technical vulnerabilities in order to prevent every conceivable automated attack, rather than on the psychological aspects.
But this strategy can’t offer real security for two reasons. Firstly, employees need to have access to internal data to be able to do their jobs, and secondly, systems are becoming ever more integrated as previously separate infrastructure is linked up and networking increases. Moreover, access cannot be 100% watertight all the time because if a company cannot access its sensitive data, it can’t operate.
Another challenge in the prevention of attacks against in-house systems through spying, lying, manipulating and blackmailing is, according to Christoph Barreith, that “the lines between business and private are becoming increasingly blurred in the age of social media as people grow tired of keeping things separate.”
Lots of people are generous with their private details if they get something in return, and that’s where the danger lies. If you keep an eye on someone’s social media profile for a period of time, you’ll learn a lot about them, making it easy to send an e-mail directly to their business address that plays on their desires and expectations. This e-mail will encourage the recipient to click on a link, opening the virtual door to the corporate server room.
Here’s an example of how it could work. An employee proudly posts a picture of himself and his new company bike on Facebook and shortly afterwards receives an e-mail about taking part in a survey about whether he is happy with the bike and if he could possibly leave a review by clicking on the following link. It sounds plausible and harmless enough, but it’s a trick to phish data or install malware.
This example demonstrates how crucial general security awareness is, along with a healthy dose of scepticism both at work and in our private lives. It’s this scepticism that leads to the right questions being asked, such as: how does this person know what they say they know? How do they know that this is a company bike? Why are they interested? If these can’t really be answered, you need to be careful.
Of course, questions or access requests from complete strangers who turn up in person, such as a handyman claiming to need to repair something in the server room, should rouse even more suspicion. Reports also abound of attacks in which trust is won by sending an e-mail—a form of communication which must always be treated carefully. “Lawyers, the police and the tax office generally don’t send e-mails”, explains Solutions Architect Christoph Barreith. And your own boss won’t send instructions, such as to make a specific payment, by e-mail; if you do receive something like this, it’s advisable to speak to your supervisor about it. USB sticks found in or around the company should be handed in to the IT department without first connecting them to a PC to find out who they belong to—even if one is labelled “X-rated holiday. Corsica. 2019”.
Bechtle’s Security Awareness Training uses different approaches to build awareness of the risks described above. E-learning is a crucial component as it’s impossible for every employee to attend a classroom seminar, even in an SME! Because everybody and everything could potentially be targeted by attackers, “everyone has to be prepared”, says Volker Wörtmann, Head of the Bechtle Training Centre in Neckarsulm.
And this preparation will only be successful if it comes with an element of fun. That’s why Bechtle is working with gamification, giving employees a chance to compete against their colleagues to achieve a high score for the most questions answered correctly. Another scenario leads participants through a virtual room in which there are a lot of causes for concern, such as a USB stick lying around or a list of passwords stuck to the filing cabinet. Another favourite is the list of blacklisted customers and suppliers with phone numbers.
If the training is too “standard” then “at some point, the participants will start reading their e-mails instead of paying attention”, says Volker Wörtmann. They’ll probably even open an attachment they would have been wise to ignore.
Security Awareness Training.
Bechtle’s training concept combines tailored classroom sessions, e-learning and live online courses. A lot of companies are already using these tools in the context of occupational health and safety and therefore know the process. The courses offered can be adapted to the individual needs and circumstances of an affected company, enabling employees to quickly identify with the subject. Whether the course has been successful or not can be tested by the company generating phishing e-mails to send to its own employees—another area Christoph Barreith, Volker Wörtmann and their teams are happy to support you in.
Bechtle update editorial team
Published on Apr 21, 2020.