Why Social Engineering Schemes Target Humans Instead Of Technology
It’s no secret that the weakest link in your cyber defense strategy is not your technology but the humans who use it. Yes, it’s easier to blame technology, and then look to technology to solve the problem.
When it comes to hacking, efficiency is key. I mean, why spend literally hours attempting to break into a particular network when you can convince a user to give you their password?
Penetration Tester Tactics
For ethical hackers or penetration testers, an on-site visit is often used to test whether an organization’s security processes and procedures are sufficient. After obtaining permission, pen testers will try to “tailgate” into a facility – following employees through secure entrances. First, they try to gain access via receptionists and front desk staff, whoever is the first line of defense. With a cover story at the ready, suited up in a hard hat and neon-yellow safety vest, and armed with a clipboard, they try to gain entry.
More diligent companies will require that the receptionists and/or front-desk security guard record the driver’s license of anyone entering. No problem for a pen tester. Thanks to the Internet and high-quality personal printers, there are plenty of ways to obtain fake IDs.
The quality of counterfeit IDs has improved drastically since your best pal in high school got a fake ID to purchase alcohol underage. More sophisticated versions even show proper markings under a black light. Without proper training, most front desk staff will accept fake IDs, especially those from another state.
Forget the ID, Verify The Story
Your organization is under attack. What can you do? First, provide proper instruction on how to detect fake IDs. But that’s only part of the story. If a visitor doesn’t have an appointment, or their story seems vague, don’t let a valid-looking ID overcome that. Front desk staff have to take into account the entire situation and verify the story, not just the ID. That requires checking whether maintenance really called for someone to come in and help with a malfunctioning HVAC system or smoke alarms. For example, ask for the name of the employee or department who contracted the service, then call that person or someone in their department for verification immediately.
Front Desk Line Of Defense
The fake ID example highlights a common target of social engineering – your receptionists. Front desk staff are common targets because they deal with the public directly and may be under-prepared when it comes to dealing with unusual circumstances. They really are like security guards, but few think of themselves that way. They are employed to be polite and helpful, and these are precisely the attributes that can be used against them. The potential hacker needs to either gain access to the building (to plant malware devices) or to get info to be used to mount an external attack.
Hackers often start with a simple phone call. Posing as a friend or business acquaintance of an executive whose name they got from your organization’s website is still very common. The hackers will try to determine when that person is unavailable or out of the office. When they call and the person is out, that’s a green light to begin a spear phishing attack and send a realistic-sounding email to accounting under the name of the absent executive, asking for urgent payment action on an imaginary bill or financial emergency. Since the executive is unavailable and senior, these requests are often paid with very little resistance.
You Don’t Even Work Here
In other schemes, hackers will call the front desk posing as an internal IT person and ask for passwords and PINs. The larger the organization, the more successful these types of attempts are at gaining the hacker access. They will attempt to fluster the front desk staff by creating a sense of urgency.
Some hackers, if they look the part of an unknown employee, can often breeze right past a front desk employee without a second thought. And even if they are stopped, the hacker will attempt to bluff their way through by claiming an urgent problem of a mechanical nature. They may name-drop some executive they found on the website. Once inside, the hacker can install keylogger software (or hardware) on computers to capture passwords, a LAN Turtle (which automatically connects back to the attacker off-site), or a rogue access point to capture network traffic.
How To Catch a Pen Tester
Hands down, the best way to stop penetration testers is to be observant. If someone you’ve never seen before comes around, stop them and ask for employee or contractor verification (not just ID). You’ve seen that movie before. Visitors to offices should never be left free to roam around unescorted, and should never be allowed access to a computer, and especially not to a data center, server room, networking closet, or other equipment room.
If all this concerns you, it should. Cybersecurity is a people problem, not a technology problem. Be aware and stay alert to threats.
Your organization could be vulnerable to multiple cybersecurity risks. To learn more about how to protect your organization, let iT1 perform a Cybersecurity Risk Assessment.
ABOUT THE AUTHOR
Dave Buster is an industry veteran with over 35 years experience in designing, building and operating communications systems and making them secure. Dave spent over 13 years with Cisco Systems in technology planning, rising to the level of Director of Product Management in the Global Government Solutions Group. While there, he spent several years supporting intelligence agencies and the military with data security architectures. Following his experience in government security, Dave was a security architect for a smart-grid company, followed by cybersecurity experience in the financial industry at Fidelity. Dave is now a cybersecurity evangelist, speaking to both technical and non-technical audiences about the types of attackers, their methods, and how to stop them. Dave has a B.S. Engineering and M.B.A. from North Carolina State University. He has a patent on satellite communications architecture and holds CompTIA’s Security+ certification and the (ISC)2 CISSP certification. He is an Amateur Radio operator (KK4ELT) and plays trombone and guitar, but sadly, not at the same time.