“Manipulation, fuelled with good intent, can be a blessing. But when used wickedly, it is the beginning of a magician's karmic calamity.” This quote, from T.F. Hodge, perfectly describes a tactic that has quickly become one of the primary attack techniques used by hackers to exploit a weakness in organizations across industries.
In fact, social engineering, or an attempt to manipulate human behavior through specific, orchestrated actions to gain access to restricted information or systems without permission, is reportedly being used by 84% of hackers.
The challenge is that humans are hard-wired to trust, often willing to accept someone at his or her word, and social engineering attacks are all about taking advantage of that inherent desire to trust. Unfortunately, this is not a good mix and often leads to humans becoming the weakest link in the security chain, leaving many individuals and businesses vulnerable to attacks. Even when an individual or business is using all of the latest security technology, they can still be manipulated by a social engineering attack if it is crafty enough.
Once a cybercriminal manipulates a person to trust them, they can easily trick the user into downloading malware, opening the flood gates to sensitive information and other actions that pave the way for a compromise. Whether it’s through email, the phone or physical break-ins, attackers can develop realistic ploys to achieve their larger objectives.
Security Professionals Need to be on Their A-Game at Home
A security professional recently shared a situation where he was reminded to always be on his toes in his personal affairs and professionally. He had received an email from his financial broker asking for his signature to purchase an expensive item. Confused, he contacted his broker, who informed him that the firm had received an email from him the previous day requesting and approving a withdrawal of $100,000. The broker quickly escalated the issue to the firm's internal security team to take a closer look. While the situation was being investigated, the broker received another similar email from the security professional’s work email address demanding an immediate response.
Because the broker had been in touch with the security professional and knew he didn’t want to withdraw the sum of money, they both realized that the security professional’s email address was likely compromised, and he was in the process of becoming the victim of theft. After enabling text message notifications, the security professional saw that a hacker was attempting to log into his email from South Africa multiple times a day. Fortunately, he caught the attack in time to prevent any further break-ins, but his broker was almost manipulated into making the payment on his behalf.
It is still unknown to the security professional and his broker how the cybercriminal was able to access his email account, but the security professional did realize that he uses the same password for multiple accounts, which he knows is not smart or secure.
While the security professional avoided a catastrophic circumstance this time around, the event made him reflect on his security hygiene at work as well. What if a similar social hack happened in his professional life?
…And at Work
A few years back, there was a four-part social engineering attack that hit the mainframe of a bank with ransomware. The attack mixed phishing and keylogging to steal one mainframe programmer’s credentials. Hackers then submitted job control language (JCL) statements to scan for sensitive datasets and encrypt them with custom ransomware.
Like any other system, the mainframe suffers risks within its applications and main operating system (OS). When it comes to cybersecurity, mainframe pros typically jump to popular application scanning tools. While these products do help mitigate vulnerabilities, they miss code-based, OS-level vulnerabilities, which can be ultimately more damaging than attacks on applications alone.
OS-level vulnerabilities can cause greater damage, opening the door to the most sensitive information and control of an entire system. Hackers at the OS-level can reach everything on the mainframe, from sensitive user credentials to application data.
Regardless of how closely organizations lock down the configuration side of the mainframe, just one code-based vulnerability leaves everything open to attack. Hackers are even capable of completely covering their tracks by disabling common system logging or security controls.
For the bank, this caused extreme damages—both in recovery time and money.
The security professional mentioned above knows that poor practices around simple user credentials can expose a dangerous OS-level vulnerability and cost a business. His run-in with cybercriminals reminded him just how important basic security practices are in both his personal and professional life.
Back to Basics
These stories are not meant for fear mongering, but to remind us all how important it is to follow industry best practices. Humans are the weakest link in the security chain, and even just being aware that you play that role can help strengthen you and your company against social engineering attacks.
From a personal perspective, using proper password management and even a password generator to ensure unique, complex passwords for all accounts, as well as always enabling two-factor authentication when it is available, are easy ways to make it harder for a criminal to get hold of your credentials. Additionally, keep an eye out for phishing scams: if you receive an offer that looks too good to be true, it probably is. It is also important to avoid visiting unknown websites, downloading software or opening attachments from untrusted sources. These are often vehicles for malware that, if clicked on, can automatically and silently compromise your computer.
For a business, improving internal processes can help mitigate these social engineering risks. It is important to examine internal systems so that individuals don’t have permission to access datasets that aren’t critical to their day-to-day roles. For example, developers who once needed to work with sensitive data to build a program could still have access to that sensitive information after the project has been wrapped up. This becomes even more dangerous if it is an external contractor who still has valid internal credentials once the project they were working on has been completed. Businesses need to implement processes to check for these situations on a regular basis.
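The periodic check described above, written out as an added example that is not part of the original article: it compares each account's dataset permissions against a baseline for its role and flags contractor accounts whose project end date has passed. The role baseline, dataset names and accounts are all constructed for illustration.

```python
"""Access-review check: flag dataset permissions a role does not justify,
and contractor accounts still active after their project ended.
Added example; the roles, dataset names and accounts are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Account:
    user: str
    account_type: str               # "employee" or "contractor"
    role: str
    datasets: set                   # dataset permissions actually granted
    project_end: Optional[date] = None  # contractors only: last day of engagement


# Constructed baseline: which datasets each role needs for day-to-day work.
ROLE_BASELINE = {
    "payments-dev": {"PROD.PAYMENTS.LOG"},
    "support": {"PROD.CUSTOMER.MASTER"},
    "sysprog": {"SYS1.PARMLIB", "PROD.PAYMENTS.LOG"},
}

# Constructed sample accounts for the review.
SAMPLE_ACCOUNTS = [
    # Built a customer-facing program last year and kept the access afterwards.
    Account("alice", "employee", "payments-dev",
            {"PROD.PAYMENTS.LOG", "PROD.CUSTOMER.MASTER"}),
    # Contractor whose engagement ended but whose credentials are still valid.
    Account("bob", "contractor", "payments-dev",
            {"PROD.PAYMENTS.LOG"}, project_end=date(2023, 1, 31)),
    # Access matches the role exactly; nothing to report.
    Account("carol", "employee", "support", {"PROD.CUSTOMER.MASTER"}),
]


def review_access(accounts, today):
    """Return (user, finding_type, details) tuples for accounts needing attention.

    excess-access:    datasets granted beyond the role baseline
    stale-contractor: contractor account whose project_end is in the past
    """
    findings = []
    for acct in accounts:
        baseline = ROLE_BASELINE.get(acct.role, set())
        excess = acct.datasets - baseline
        if excess:
            findings.append((acct.user, "excess-access", sorted(excess)))
        if (acct.account_type == "contractor"
                and acct.project_end is not None
                and acct.project_end < today):
            findings.append((acct.user, "stale-contractor",
                             [acct.project_end.isoformat()]))
    return findings


def run_review(today=date(2023, 3, 1)):
    """Run the review over the constructed sample as of a fixed date."""
    return review_access(SAMPLE_ACCOUNTS, today)


if __name__ == "__main__":
    for user, kind, details in run_review():
        print(f"{user:8} {kind:17} {', '.join(details)}")
```

Running the review on a schedule and feeding its output into a ticket queue turns the article's "check on a regular basis" into something auditable; the role baseline is the part that needs an owner, since an over-broad baseline silently hides excess access.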
It is also critical to implement standards for flagging vulnerabilities or threats, whether real or potential, to ensure transparency. Any employee, regardless of their level of authority, needs to be taken seriously when raising the alarm about a possible threat—it’s not worth the risk of ignoring the claim. These concrete steps will establish a culture of cybersecurity awareness and alertness in your organization so that your business is safer, and therefore so are the individuals you employ and the customers you serve.
Social engineers will always have a new trick up their sleeves. The biggest takeaway from these examples is that it is essential for individuals and organizations alike, regardless of security expertise or size, to follow security best practices, as it’s the only way to ensure they meet the highest security standard and are protected against manipulation.