Order from us for quality, customized work in due time of your choice.
Introduction
When thinking about the security of information systems, the predominant concern is with digital security. Performing evaluations and assessments to identify risks and vulnerabilities that may comprise the information stored within the system. However, often is the case the largest threat and easily exploitable vulnerability is overlooked, humans. Some of the biggest hacks of all time were made possible by social engineering. These breaches have caused financial, reputational, and social damage to both companies and individuals alike.
Social engineering is a threat that can expose even the most experienced technology user. Malicious intenders utilize the techniques of social engineering as an ingress method to breach, expose or gain desired data and information from their target. This essay will explore what social engineering is defined as and how it has been utilized as a successful exploitation method. Further investigating some historic examples of social engineering techniques and uses. This will lead to discussions of what the vulnerability social engineering targets, providing insight into how the technology continues to be enabled.
With this information, we will look to how to better understand the depth of social engineering and how it is used to achieve the intenders goals. Exploring a greater understanding of the threat and exposure within the techniques. Providing context to classifying different methodologies within the cyber security scope of social engineering. With this established, we will lead into some of the notified breaches that have identified social engineering techniques as the initial point of exposure. Know what social engineering is, how it can and has been used, and where we are exposed, we will discuss methods and strategies for defending against the threat and potential exposure.
Social Engineering
Social Engineering is a concept that is commonly understood; however, continues to be one of the most successful exploit methods within the cyber and computing realm. It has been described as tricking someone into doing something, often detrimental, to themselves or others (Grimes, 2017, p. 27). Hadnagy further defines it as any act that influences a person to take an action that may or may not be in his or her best interests (Hadnagy, 2018, p. 7). Simply described, it is the exploitation of the most common vulnerability, people.
Although the terminology is ingrained into the cyber security arena, the exploitation of people or human nature does not see its origins within the computing environments. Con-artists and fraudulently motivated people have used techniques to persuade other people into action or outcome to the benefit of themselves and their objective. People like Frank Abagnale Jr., from the United States, known for his check forgery and impersonations later becoming FBI consultants, his life was portrayed in the movie Catch Me If You Can (Spielberg, 2002). However, it is or has not simply been used solely for malicious intent. Psychologists and Medical professionals may utilize techniques to obtain further information to assist in diagnosing, or treating, for favorable therapeutic results. Law enforcement leverages social engineer practices and techniques to enable favorable outcomes for their investigation to stimulate the revelation of evidence, although the criminal offenders may not identify the favor of this.
Accounts and evidence of exploiting people and their social trust are documented within history. From the Bible, Genesis, when Jacob disguises himself as his brother Esau, taking on habits and behaviors to trick his father, Isaac, to receive his blessing (Hadnagy, 2018). To Greek mythology with the famous Trojan Horse. The mythic fable depicts a long and unsuccessful siege by the Greeks against the city of Troy. Appearing to finally give up, the Greeks leave behind a giant wooden horse. Watching the Greek’s departure, The Trojans, believing it to be an offering to God for the Greek’s safe passage home, wheel the horse inside the city gates. Little did they know that a small party of Greek soldiers where inside waiting. Night fell and while the Trojans sleep, the Greeks open the city gates and the awaiting Greek army conquer the city (Avecto, 2016). Some may say that these examples are not social engineers, but the explanation is in the social aspect of the understanding. Merriam-Webster defines social as of or relating to human society, the interaction of the individual and the group, or the welfare of human beings as members of society (Merriam-Webster, 2019). The Greeks exploited the social conventions of the Trojan society and their beliefs for sacred offerings to the gods. There is compliance to religious beliefs and directives.
Returning our focus to the cyber security side of social engineering, this non-technical method to obtain information or data from a target group or individual remains as the most successful vector for a malicious intender. This is due to most people being polite and good in nature, for example, holding a door for a colleague or allowing someone with less items to go before you in the Aldi check-out, social engineering exploits this very nature in people (Walker, 2016). Whipple (2016) explains the four emotions exploited by social engineers:
- Helpfulness. People’s willingness and desire to help other people.
- Greed. The intense and selfish desire for something, predominantly wealth or power.
- Obedience. Compliance to an order, directive, or request, is usually posed from authority.
- Fear. Imposing the belief that someone or something is dangerous, with the implication or threat to cause pain or harm.
Understanding the target vulnerability of social engineers, we can investigate the method of how an intended attacker can exploit it. Social engineering attacks are not a spur-of-the-moment, point-and-shoot event, like most things there is a process to enable a successful outcome, obtaining the desired information, data or result. Kevin Mitnick (Mitnick & Simon, 2003) describes this process as a Social Engineering Cycle. This cycle is defined by four distinct stages:
- Research
- developing rapport or trust
- exploiting trust
- utilizing trust
Like initializing and performing a penetration test, the research or reconnaissance that is performed can define and determine the success of the activity. Practices of dumpster diving, coffee shop chatter, and eavesdropping, although remain effective, have been assisted with the continuous growth and use of the World Wide Web.
The Internet has and continues to provide a user of the services a vast and growing source of knowledge, data, and information. Phishing and other web-based techniques continue to become more complex and authentic in content and appearance to increase the likelihood of success. With the evolution in popularity and availability of cloud-based social media services like Twitter, Facebook, and Snapchat. Enabling users at no expense or experience, linked with the growth in accessibility to the information superhighway, with the ability to post, share, tweet, snap, like and provide countless amounts of information on themselves, their friends, families, colleagues, and workplaces.
The term overshare, to share or reveal too much information (Merriam-Webster, 2019), characterizes the growing state of play when it comes to people’s use of social media platforms. Yet despite the convenience to divulge this information to any whom care to indulge it, it is an enablement tool for those with more sinister intent. An Eckstrom Consulting blog articulates, With the right research, a social engineer can compile an unnervingly comprehensive profile of a business, its employees, its operations, and more (2018). Social media platforms are a buffet filled with information to consume. The growth in both use and availability social media enables attacks to gather and digest countless bytes of information on a particular target or subject, without the target’s knowledge, making them powerless to prevent it. Making the advantages of social media also its sin.
Social media does not just provide social engineers a platform for your stored information; but, a mechanism to probe for more. Let us consider, Which Disney Princess Are you?. Brower (2010) highlights the use of What Type of Personality are You? quizzes within social media applications and services as a growing vector for social engineers to gather and profile information based on the response of the target. With this information, an attacker can now have an informed approach to establishing and developing trust with a target, exploit and utilize that trust. Proving Krombholz, Hobel, Huber, & Weippl social engineering is one of the most powerful tools a hacker can utilize as even the most secure systems can be affected (2013, p. 28).
So, where to from here? An individual or organization cannot begin to develop a defense strategy without knowing the attack scope and methodology. Krombholz, Hobel, Huber & Weippl (2013) presented a taxonomy of social engineering, exhibiting threat model tabled with a number of common attack types, the form or channels these attacks can take, as well as the categorized approach they reside. They categorized the attacks into four distinct approaches or types:
- Physical: the attacker performs a physical action or acts to obtain and gather information on an intended target. Methods include:
- Shoulder surfing – direct observation to obtain the information; like looking over the shoulder of a target when entering their pin code.
- Dumpster diving obtaining information from documents in bins, recycling stations, shredders, and perhaps even secure document disposal services.
- Baiting enticing a target with a dropped or lost USB storage device with files embedded with malware or malicious content.
- Social: these attacks drive the sociopsychological techniques with attackers trying to develop a rapport with the target prior.
- Reverse social engineering: attacker flips the approach, trying to make the victim ask the attacker for help. Appearing within a three-phased approach, sabotage, advertising, and assisting.
- Sabotage attacker causes a disruption to the target computing environment
- Adverting attacker promotes their ability to fix the issue
- Assisting the victim asks the attacker to resolve the problem while the victim complies to their information requests.
- Technical: Attackers utilize technology services, mainly the Internet, to gather and capture information on the target or future victims. Examples of these are Search engines (Google, Bing), Social Media (Facebook, Twitter, etc.), and data mining tools (Maltego, Rattle, DataMelt, etc.). Others include:
- Waterholing The attacker compromises a website that the target is likely to engage with and waits for the target to interact.
- Socio-Technical: This approach sees the attacker deploying a combination of techniques and methods to capitalize on their efforts more effectively and efficiently.
Table 1: Classification of Social Engineering attacks Krombholz, Hobel, Huber & Weippl (2013) taxonomy
(Krombholz, Hobel, Huber, & Weippl, 2013, p. 32)
Although each of these approaches and techniques have the ability for an attacker to gain the information or desired outcome, evidence shows that combinations of these can produce a more potent weapon for the attacker (Krombholz, Hobel, Huber, & Weippl, 2013). How effective? A number of recent breaches have confirmed that the vector of ingress were social engineering methods, causing significant impact and exposure.
RSA SecurID Phishing Attack, 2011, four employees within RSAs parent corporation, EMC were sent an email from a spoofed address claiming to be at a job recruitment website. Attached was an Excel document titled 2011 Recruitment Plan. When the employees opened the document, a zero-day Flash exploit buried in the spreadsheet installed backdoor access to their work machines, enabling the attackers to steal the keys to RSAs SecurID services (Zetter, 2011).
Yahoo Customer Account Compromise, 2013, three (3) billion accounts were compromised from a successful spear-phishing message. A semi-privileged engineer fell victim to the campaign enabling the attackers to compromise every customer account. Although the initial breach was disclosed in 2013, approx. 500,000 accounts, the full quantity of the breach was not realized until 2017. (Perlroth, 2017).
Sony Pictures Hack, 2014, a North Korean group of hackers successfully conducted a phishing attack against Sony Pictures. Believed to be politically motivated, due to the coming release of the feature The Interview. Sony suffered considerable financial losses, releasing the film online for free, as well had several other pictures leaked. Along with a significant amount of employee data (Peterson, 2014).
Ubiquiti Networks Scam, 2015, posing as the companys Hong Kong subsidiary, the attackers crafted and sent an email to the accounting department with instructions requesting funds redirection to different accounts they thought belonged to current vendors. Without verification, the instructions were followed and 47 million dollars was transferred. Only 8 million dollars was able to be recovered (Krebs, 2015).
These breaches highlight the devastating results of a well-planned and formulated social engineering attack. Analysis of these or similar breaches identify risks that business, corporation or services encounter and provide information to potential mitigations to prevent or lower the risk. A mitigation and prevention plan (Hadnagy, 2018, p. 257) is a strategy to lower or remediate risk. In the context of social engineering, humans are the vulnerability, this means that the focus of the plan to mitigate and prevent should be targeting people and process more than technology. This is not to say that technology does not have a role to play, this requires a multilayered approach, but addressing and delivering a positive staff development and awareness program is key to successful prevention.
Administrative controls are described as the process of developing and ensuring compliance with policy and procedures (Northcutt, 2009). Developing a well-formed information security policy can be an effective administrative control within a mitigation and prevention plan. Establishing clear and detailed expectations for all staff to follow and understand. The policy should also provide details on if there is a concern or potential issue and how users can report or notify an appropriate officer or person to review, investigate or follow up. A good policy is realistic, giving clear direction on what actions to take and not to take (Hadnagy, 2018).
Education and awareness programs can be a useful and effective tool in preventing, identifying, and combating cyber security risks, threat or attacks. Simply put, the more educated or aware a person is on the subject, the more they are able to identify when something is not right. Similar to structured schooling or educational services, there is a developed curriculum, defined objectives, and milestone expectations for delivery. Security awareness is no different, Spitzner (2018) observes that the number one reason awareness programs fail is due to lack of a plan. Training being delivered in an Adhoc or unstructured format with no clear or defined goal, frameworks, or analysis of topics nor effectiveness on information delivery (Spitzner, 2018). A successful awareness program should be designed around a framework to identify what topics you will communicate and how (Spitzner, 2018). This does not just mean in content and structure but in delivery and method.
Most awareness programs are a mandatory expectation, which can set a tone of a burden or chore for employees or users. It is important to ensure the training is engaging in both content and delivery, enabling great retention and involvement from users and staff, remember, nobody likes death by PowerPoint. The method to assist with this is to have feedback and consultation with staff and users throughout the program’s lifecycle. Identifying likes and dislikes, what worked and what didnt, and having an understanding of current skills or people’s prior knowledge will help tailor the program’s success. It is valuable to have the ability to measure the effectiveness of the training program. Performing regular check-ups and tests of the users provides insight to the effectiveness and retention of the training (Hadnagy, 2018). The analytics for the testing results will assist in directing the focus for the program’s future deliverables.
An awareness and education program mitigates human vulnerability, but there are technical aspects within a social engineering attack that can prevent and assist in the identification and response to potential attacks. Controls such as antivirus, spam filters, proxy ingress/egress whitelisting, etc., when implemented and managed effectively can prevent many security threats and risks including those associated with social engineering. Herley and Pieters accurately highlight though, If resources were unlimited, or countermeasures were costless, then, of course, we could take action against every possible scenario we could think of (2015, p. 113). In reality, there are limits to resources, tools, services, and financial support. Having an understanding of the technical control’s capabilities and the resourcing availability can help prevent planning for the impossible. This does not mean you are hamstrung. Place your focus on how to best utilize what you have, looking to implement a continuous improvement cycle, not configuring for a set and forget attitude.
Finally, it is important to understand that this is a campaign and program to drive change within user bases understanding an ability to identify and notify social engineering attempts. Change, to be successful and lasting needs to be positive. A positive culture lays the foundations for positive practices. This needs to be driven from the CEO down to the frontline user. Security is not solely the responsibility of an individual or security team. In a corporate environment, a positive and supportive security culture will amplify the success of the outcome.
Conclusion
Unless, someone has studied the ways of the Vulcan culture and purged all emotion from themselves (CBS Entertainment, 2019), the hackable vulnerabilities within all humans will continue to enable the success of social engineering in whatever form it comes in. Techniques used to exploit a human vulnerability are not restricted to cyber security, with evidence discovered well before any digital technology. Validating the non-technical emotional exploit of human emotion and the ingrained nature within social behaviors.
Mitnicks social engineering cycle shows that malicious actors follow a strategic approach to ensuring the success of their endeavors. Similar to penetration testing processes, the more and better the information of your target system and potential weaknesses the more effective the results. However, with the internet, combined again with the condition of human nature, social media platforms enable greater ease for malicious actors to discover information to expose their intended targets. Giving a suitable basis to understand the approaches and methods within a social engineering attack.
Reviewing the anatomy and construct of techniques and methods within social engineering, categorizing the taxonomy of social engineering, and establishing a framework and understanding of the threat. Validating that a combination of methods provides greater impact and effectiveness of the attack. The exposure of RSA, Sony, Yahoo, and Ubiquiti validates just how effective social engineering can be. Like a social engineering attack, the defense of it requires research and information, the understanding the vulnerability, how it is exploited, a taxonomy of methods and techniques, along with data from notified breaches, we can build a suitable strategy to defend against potential social engineering attacks. We know that technical controls can enable avenues for defense; however, it is the focus on an interactive security awareness campaign that will provide the best defense approach. As Ford (2018) states, Social engineering attacks exploit misplaced trust, not stupidity, so ensuring a positive security culture is the final key.
There is no fool-proof or one-way approach to security. However, with research into contemporary methods and notified breach data, a suitable defense strategy developed. Focused technical controls and a well-planned security awareness program, coupled with a positive security culture, will make it more difficult for a Social Engineer to successfully exploit an organization or the people within it.
Bibliography
- Avecto. (2016). Know your threats series: Social engineering. United Kingdom: Avecto.
- Brower, J. (2010). Which Disney© Princess are YOU? (Web 2.0) Social Engineering on Social Networks. SANS Institute.
- CBS Entertainment. (2019). Vulcans. Retrieved January 2019, from www.startrek.com: http://www.startrek.com/database_article/vulcans
- Eckstrom Consulting. (2018, February 16). What makes social engineering attacks so effective? Retrieved from www.eckstromconsulting.com: https://www.eckstromconsulting.com/blog/what-makes-social-engineering-attacks-so-effective
- Ford, N. (2018, August 31). 5 ways to mitigate social engineering attacks. Retrieved from www.grcelearning.com: https://www.grcelearning.com/blog/5-ways-to-mitigate-social-engineering-attacks
- Grimes, R. A. (2017). Hacking the Hacker: Learn from the Experts Who Take Down Hackers. Indianapolis, IN: John Wiley & Sons, Inc.
- Hadnagy, C. (2018). Social engineering: the science of human hacking (Second edition.). Indianapolis, IN: John Wiley & Sons, Inc.
- Herley, C., & Pieters, W. (2015). If you were attacked, youd be sorry?: Counterfactuals as security arguments. New Security Paradigm Workshop (NSPW) (pp. 112-123). New York: Association for Computing Machinery (ACM). https://doi.org/10.1145/2841113.2841122.
- Ivaturi, K., & Janczewski, L. (2011). A Taxonomy for Social Engineering attacks. International Conference on Information Resources Management (CONF-IRM) (p. 15). CONF-IRM 2011.
- Krebs, B. (2015, August 07). Tech Firm Ubiquiti Suffers $46M Cyberheist. Retrieved from KerbsonSecurity.com: https://krebsonsecurity.com/2015/08/tech-firm-ubiquiti-suffers-46m-cyberheist/
- Krombholz, K., Hobel, H., Huber, M., & Weippl, E. (2013). Social engineering attacks on the knowledge worker. Proceedings of the 6th International Conference on Security of Information and Networks (pp. 28-35). Vienna, Austria: https://www.researchgate.net/publication/262393147.
- Merriam-Webster. (2019, January 14). Dictionary: Overshare. Retrieved from merriam-webster.com: https://www.merriam-webster.com/dictionary/overshare
- Merriam-Webster. (2019, January 11). Dictionary: Social. Retrieved from merriam-webster.com: https://www.merriam-webster.com/dictionary/
- Mitnick, K. D., & Simon, W. L. (2003). The Art of Deception: Controlling the Human Element of Security. John Wiley & Sons.
- Northcutt, S. (2009, September 1). Security Controls. Retrieved from sans.edu: https://www.sans.edu/cyber-research/security-laboratory/article/security-controls
- Perlroth, N. (2017, October 03). All 3 Billion Yahoo Accounts. Retrieved from www.nytimes.com: https://www.nytimes.com/2017/10/03/technology/yahoo-hack-3-billion-users.html
- Peterson, A. (2014, December 18). The Sony Pictures hack explained. Retrieved from www.washingtonpost.com: https://www.washingtonpost.com/news/the-switch/wp/2014/12/18/the-sony-pictures-hack-explained/?noredirect=on&utm_term=.8fb5e2fdc713
- Spielberg, S. (Director). (2002). Catch Me If You Can [Motion Picture].
- Spitzner, L. (2018). Top 3 Reasons Security Awareness Training Fails. Retrieved January 2019, from www.sans.org: https://www.sans.org/security-awareness-training/blog/top-3-reasons-security-awareness-training-fails
- Walker, M. (2016). CEH: Certified Ethical Hacker All-in-One Exam Guide, Third Edition. New York: McGraw-Hill Education.
- Whipple, A. S. (2016, May 13). Hacker psychology: Understanding the 4 emotions of social engineering. Retrieved from NetworkWorld from IDG: https://www.networkworld.com/article/3070455/cloud-security/hacker-psychology-understanding-the-4-emotions-of-social-engineering.html
- Zetter, K. (2011, August 26). Researchers Uncover RSA Phishing Attack, Hiding in Plain Sight. Retrieved from www.wired.com: https://www.wired.com/2011/08/how-rsa-got-hacked/
Order from us for quality, customized work in due time of your choice.