Readers of the Advent IM blog will have encountered our security-based content on the concept of Social Engineering before. This post is a fascinating firsthand glimpse from a practitioner: the pitfalls, the uses and the reactions.
Are your colleagues security aware enough to be able to keep their nerve and stick to policy when faced with challenging and anxiety-raising situations like we see detailed below?
Would you or your colleagues recognise any of the characteristics of a Social Engineering attempt? It’s not just about having a policy but about everyone understanding it and feeling confident enough to apply it…to everyone. Do manners and cultural norms play a part in how the social engineer gets access to, or information on, things that they shouldn’t? Reading this account, undoubtedly. Including a module on Social Engineering would be a very wise idea in any organisation’s Security Awareness Training programme.
IT Helpdesk 1 to Helpdesk 2 – “Who was that on the phone? I could hear him shouting and threatening you from here”.
IT Helpdesk 2 to Helpdesk 1 – “The CFO… who’s trying to work on his laptop, from home. He can’t log in… again, he said. He wouldn’t let me talk him through anything, said he’d done everything I tried to suggest, he just wouldn’t listen to any of our standard procedures. He just kept shouting and saying he’d be in here tomorrow to fire me, and have me escorted off the premises. All he wanted was for me to reset his password and check his complete authentication process details, so he could get some work done. He said he didn’t want a confirmation email or a Helpdesk ticket on the system telling everyone he couldn’t use his laptop, and I wouldn’t want him telling the head of ICT that I couldn’t, or wouldn’t, help him out”.
IT Helpdesk 1 to Helpdesk 2 – “What an ar5e!”
“A common enough Social Engineering attack, from the perspective of the recipient of the attack, and one I’ve used many times myself. The tools of the Social Engineer are Manipulation, Domination and Coercion, ending with the hope of a Carrot after the Stick, to make them feel lucky to have escaped so lightly. Sometimes flattery and feigned stupidity will work, but the Social Engineer needs to be confident in his/her ability and flexible enough to adapt to the emerging responses they get from the subject of the attack. Confidence in eliciting in-depth information, by pre-loading the recipient’s mind with information to make your questions more readily accepted by them, is another key skill of the Social Engineer. In the example above the CFO was selected because his personal Facebook page showed he was on holiday with the family somewhere hot and sunny that looked like Mexico. Don’t get me started on Social Media, and the information people just broadcast out there, to the unknown, unrestricted and dark corners of the Internet.
We all want to help – naturally. We also want to make the shouting stop…
It’s in the human makeup to want an unpleasant or embarrassing problem to be someone else’s and not yours. The human mind can be likened to software we all understand: it is possible to overload the target’s mind and insert custom instructions, just as a Hacker executes code to cause a stack or buffer overflow. A favourite Social Engineering attack to illustrate this is when you need to get buzzed through from reception without being escorted. You rush in trying to explain you’re there to see someone important at the company, mentioned by name; you’ve been there many times before and know the way. You rush on to say that you’re terribly late; you’re also trying to sign in and keep the initiative before the receptionist can process this overload of information, or think to do what their procedure says they should do. This is known as ‘Pretexting’: preloading the human mind with information to support your story and persona to make it all more credible. You then receive your pre-planned imaginary phone call. “Sorry, I have to take this,” you say; the call quickly escalates and you launch into a blistering verbal assault on the person who isn’t really on the other end. Phone still to your ear, and still giving full vent to your ire, you motion in the direction of the receptionist and towards the controlled door; they will have been watching and listening most intently as you start walking towards it. You’ve overloaded them, you’ve inserted the belief you’re someone important, not to be denied or argued with, especially if you’re off to see one of the senior officers of the organisation; the subject of the attack will want you to say how helpful they were.
I’ve found that 9 times out of 10, to make this horrid person go elsewhere and be someone else’s problem, you’ll get buzzed through, usually with a comment from the receptionist that they’ll call ahead to say you’re coming. As that isn’t where in the building you are really heading, that’s not a problem. It’ll take some time for them to realise you haven’t arrived, by which time you will have found your next security obstacle to overcome, or the target of your next Social Engineering attack, and started to penetrate deeper into the building and closer to your final goal.
The key to becoming less susceptible to Social Engineering is to find out more about how the attackers influence and control people. As with software Hackers, the process is not a ‘one time attack’; there will be supporting or enabling attacks and probing enquiries, all building the picture of the target organisation before the ‘Big One’. Remember, credibility during the attack will be enhanced by the use of morsels of the truth, names or organisational details of the target organisation. Social Engineers are hackers of people. You need to start to think of them in that more familiar way; then your perceptions will change and you will tune in to the attack indicators that will allow earlier detection of their activities, as you already do with software hackers and malware writers. Staff awareness of the techniques of Social Engineering can dramatically improve the resistance to Social Engineering attacks, just as the Police try to educate the vulnerable about the local activities of Con Men.”
Senior Advent IM Security Consultant
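The helpdesk exchange above turns on two controls the caller wanted dropped (the ticket and the confirmation email) and on the analyst being pushed to skip identity verification. The following is an added example, not code from the original post or from Advent IM, that models a reset-request workflow in which those controls are unconditional and the caller's pressure tactics are recorded as detection indicators rather than reasons to bend procedure. The field names, indicator weights, escalation threshold and the two constructed calls are illustrative assumptions, not anyone's real helpdesk procedure.

```python
# Added example (not from the original post): a helpdesk password-reset
# workflow where ticket and confirmation cannot be skipped and the pressure
# tactics described in the post become detection signals.
# All field names, weights and thresholds are illustrative assumptions.
from dataclasses import dataclass, field
from typing import List


@dataclass
class ResetRequest:
    """What the analyst records while taking the call (constructed schema)."""
    claimed_identity: str
    verification_passed: bool   # callback to the number on file, or scripted checks, completed
    refused_verification: bool  # caller would not go through the standard checks
    asked_no_ticket: bool       # caller asked for no ticket and/or no confirmation email
    used_threats: bool          # caller threatened the analyst (job, escalation to management)
    privileged_account: bool    # finance, executive or admin account


@dataclass
class Outcome:
    approved: bool
    ticket_created: bool
    confirmation_sent: bool
    escalate: bool
    indicators: List[str] = field(default_factory=list)
    next_step: str = ""


# Assumed weights: each entry is a behaviour the post's caller used.
INDICATOR_WEIGHTS = {
    "refused_verification": ("caller refused standard identity checks", 3),
    "asked_no_ticket": ("caller asked to skip ticket/confirmation email", 3),
    "used_threats": ("caller used threats or intimidation", 2),
    "privileged_account": ("target is a privileged account", 1),
}
ESCALATION_THRESHOLD = 5  # assumed: at or above this the security team is informed


def assess(req: ResetRequest) -> Outcome:
    """Decide what the analyst may do, regardless of how loud the caller is."""
    indicators: List[str] = []
    score = 0
    for attr, (label, weight) in INDICATOR_WEIGHTS.items():
        if getattr(req, attr):
            indicators.append(label)
            score += weight

    # The controls the caller wanted dropped are unconditional: every request
    # produces a ticket and a confirmation to the account owner's registered mailbox.
    ticket_created = True
    confirmation_sent = True

    if not req.verification_passed:
        approved = False
        next_step = "Hold: complete identity verification via the callback number on file"
    elif req.privileged_account:
        approved = False
        next_step = "Hold: privileged account, second-person approval required"
    else:
        approved = True
        next_step = "Proceed with standard reset; confirmation goes to the registered mailbox"

    escalate = score >= ESCALATION_THRESHOLD
    if escalate:
        next_step += "; escalate to security team as possible social engineering"

    return Outcome(approved, ticket_created, confirmation_sent, escalate, indicators, next_step)


def cfo_call() -> ResetRequest:
    """Constructed input modelling the shouting 'CFO' from the post."""
    return ResetRequest("CFO", verification_passed=False, refused_verification=True,
                        asked_no_ticket=True, used_threats=True, privileged_account=True)


def routine_call() -> ResetRequest:
    """Constructed input: an ordinary user who completed verification."""
    return ResetRequest("staff member", verification_passed=True, refused_verification=False,
                        asked_no_ticket=False, used_threats=False, privileged_account=False)


if __name__ == "__main__":
    for call in (cfo_call(), routine_call()):
        result = assess(call)
        print(call.claimed_identity, "->", "approved" if result.approved else "held",
              "| indicators:", result.indicators, "|", result.next_step)
```

The point of the structure is that nothing the caller says can reach `ticket_created` or `confirmation_sent`; the analyst's only choices are between "proceed" and "hold", and the more of the post's pressure tactics appear in one call, the more the workflow pushes the decision away from the individual analyst and towards a second person or the security team.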
First published on the Advent IM Security Blog www.adventim.wordpress.com