Building Awareness Of Social Engineering Threats
It’s mid-day. You’re working diligently on your laptop, enjoying your company’s new work-from-anywhere policy, when your phone rings. You answer and the caller says, “Hey, this is Rick from IT. It looks like you’re having some issues today?”
It could be that you did open a ticket with your IT group. Or maybe you didn’t, and you assume Rick spotted an issue you don’t know about through monitoring software. You could be one of many people in your organization Rick has called this morning using the same opening line as he searches for a victim. Rick is a cybercriminal targeting your company in his latest ransomware attack. All he needs is one trusting employee to follow his directions while believing he is part of the IT group, and his ransomware will be installed. Rick will pretend to help fix an issue, install an update, run a test or use any number of creative storylines to gain the network access needed for his ransomware. The ransomware will encrypt your company’s data. Rick will demand a large payment in exchange for freeing the data. He will likely succeed in getting paid. This is his job. It’s how he earns a living. And the majority of businesses find it quicker and easier to pay the attacker than to try to recover on their own. Rick’s business is a growing success — for him.
Rick used psychological manipulation to release his malware on your corporate network. He didn’t need to breach a firewall and access the network from the outside. He leveraged trust through social engineering to have his virus welcomed into your network under your own user permissions.
Social engineering is one of the largest attack threats to computer systems and networks today. It is often far easier for an attacker to rely on simple human nature than to attempt to gain access through a well-secured network. The attacks are very effective because human nature has us wanting to return a favor, being easily swayed by charisma, obeying authority or simply following the crowd. All of these can lead to the seemingly innocent divulging of personal information or granting of illicit access to a computer system. The attempts are prolific because they work. A 2003 report found that 90% of office workers gave up their passwords in exchange for a cheap pen. Kevin Mitnick, one of the most famous social engineering hackers, gained access to dozens of computer networks without ever using any attack software. His modus operandi was consistently to leverage offline tactics such as dumpster diving, pretexting and quid pro quo techniques, just as in the earlier example with Rick.
Even if it would take more than a cheap pen for your employees to divulge information, how about a $1mm bribe for installing the malware themselves? This was recently the case at Tesla’s Gigafactory in Nevada. Fortunately for Tesla, the employee reported the attack instead of taking the bribe.
Today’s threat detection and response systems offer significant protection against such attacks. But as shown through a recent social engineering attack on Twitter, it’s difficult to protect against unauthorized access to admin accounts. In the Twitter attack, the hacker generated over $100,000 in a matter of hours.
Protecting your network from social engineering attacks can be difficult. Implementing threat detection and response to protect against zero-day threats and advanced malware is the first step. But user training, such as how to spot phishing emails, not giving out personal information, and not clicking email attachments from unknown sources, is a great addition to a security mindset. We also believe that sharing the stories of recent hacks such as the Twitter, Garmin, and Tesla attacks as they happen can help to create a culture of security awareness. Ransomware is a real and growing threat, and its primary mode of access to networks is through social engineering. Spreading awareness can be one of your greatest security measures.