What do you think when you hear the terms “hacker” or “hacking”? Do you imagine a socially awkward, super smart nerd sitting in his basement using an incredible wealth of computer knowledge to penetrate into networks and high-value computers via the Internet? Maybe your version of hacking is akin to the 1995 Iain Softly film, Hackers, where it is perpetrated by cyber-punks and anarchists crawling around online in some sort of dark-web to find back doors into networks that can only be accessed through the command-line shell interface in UNIX or Linux operating systems.
In reality, hacking is much more closely related to the Miles Goodman’s 1988 file, Dirty Rotten Scoundrels than it is to Hackers. If that assertion shocks you, perhaps you should read Kevin Mitnick’s biographical book, Ghost in the Wire, in which he recounts his time as the FBI’s most wanted hacker. While a hacker who already has access to a system will need some basic level of computer and networking knowledge in order to find anything of value, gaining access very often involves only deceit. Hackers often are simply con-artists.
Recipe for a Hack
One of the simplest defenses against hacking is to simply understand what exactly goes into a cyber-attack. Knowing how an attacker works can help you make informed decisions about your own network security policies and what countermeasures you implement.
Hacking involves five phases:
- Reconnaissance – Simply scouting the target and taking note of things of interest that might help in the attack. This is passive.
- Scanning – Actively searching for vulnerabilities based on what was learned during reconnaissance.
- Gaining access – Targeting vulnerabilities in an attempt to obtain access.
- Maintaining access – After access is gained, establish means to allow re-entry.
- Covering Tracks – Remove or alter evidence of entry. Often establishes a scape-goat.
In over-simplified terms, the first two phases don’t require technical skill at all. They can be technical, but they don’t have to be and often aren’t. Also, gaining access requires only the most basic technical ability using the information gained in the first two phases. Reconnaissance, scanning, and gaining access (at least up to the point of actually accessing a network or computer) can be, and often are, conducted through social engineering.
Social Engineering
Believe it or not, there is an actual framework for social engineering. The non-profit, social-engineer.org, is dedicated to defining social engineering for (they claim) auditing purposes. They define social engineering as “any act that influences a person to take an action that may or may not be in their best interest.” In essence, it is manipulation.
Reconnaissance using social engineering can simply involve dumpster-diving (not very social), perusing websites and social media accounts potential targets, or even making a personal visit under the guise of being a job applicant or vendor who might have a legitimate reason to be at the location. It simply takes advantage of peoples’ trust that their information is safe wherever they put it, whether that means in the garbage can, on their Facebook feed, or pamphlets on the receptionist’s desk.
Scanning, on the other hand, would involve actual probing for attack vectors. Is your company’s phone directory easily guessed? Maybe there are details on social media of a contractor working in the facility on a special project that the attacker could exploit. If the attacker discovers internal email addresses, they can be targeted with a phishing or even spear phishing campaign. Do email addresses suggest what usernames might be for employee computer logins? What would it take to gain physical access?
Gaining access through social engineering could be active attempts to obtain access such as calling or emailing and asking people to give up credentials and then trying to use them to connect. It might also involve sending someone spam that looks legitimate enough but contains malware that would allow the attacker back-door access or, as in ransomware, would simply encrypt network resources until the victim pays a ransom.
In all of these examples, a hacker is simply trying to exploit people being people. Kevin Mitnick said in Ghost in the Wire that he realized at a young age from watching a magician that people want to be deceived. Another way to put it is that people want to believe that what they perceive to be truth is actually truth. A social engineer can claim to be from IT, the police department, management, or some other authoritative position (we call this pretexting), and at least some people will believe him and, being good people, try to help by giving him what he asks for. This is even more successful if the attacker speaks intelligently as if he could actually be who he claims.
Even more simple, cyber-attacks sometimes take the form of theft. An attacker can use the internet, social media, and pretexting to discover that a number of employees telework. The attacker then learns their routine and practices. Do they work on a laptop in public places? Do they travel often? Perhaps they frequently leave their phone or laptop in their car. The attacker simply makes sure to be in the right place at the right time and seizes an opportunity to steal documents, a smart phone, or computer. Examples of this can be read about in this article by Forbes, this article by the Wall Street Journal, and this article by PC World. It is much more common than you may realize.
What Can You Do?
In my article about insider threats, I explained the dangers around one’s own employees. Falling victim to social engineering is simply one of the ways your own people can damage your company. The answer to combatting social engineering is simply training.
Key training for preventing social engineering should include at least the following:
- Trust but verify – Never take people at face value, always verify they are who they claim to be before giving them any information.
- Never provide credentials or details over the phone or email – This should always be done in person or using trusted means after the individual asking is verified.
- Lock down social media – Do not post sensitive information on public websites or social media.
- Never insert unknown disks/drives into your computer – Unless you know for a fact what is on it, assume it has malware and at least scan it before using it.
- How to recognize suspicious email – Know the difference between spam or phishing and legitimate email.
- Enforce and reinforce physical security – Don’t allow people into places they cannot use valid credentials to access on their own.
- Physical security for portable devices – Maintain positive control over phones, tablets, and laptops. Do not leave them unsecured and unattended.
- Use encryption – As a last line of defense, always use whole-disk encryption on portable devices.
The key to preventing social engineering from negatively impacting your organization is to educate every person within the organization about how to recognize a potential social engineer and what actions to take. Teach people to be just a little bit paranoid and report all suspicious activities. It is better to investigate several legitimate emails or phone calls than have to investigate one that resulted in compromise of your company’s data or network.
