Tuesday, September 15, 2015

Social engineering 101: exploiting the human attack surface

Human vulnerabilities exist within every organisation, and social engineering exists to find and exploit them. Understanding both the methodology of the social engineer and the breadth of the human attack surface is key to defending against this threat. Patching vulnerabilities lies at the heart of good security practice, but you cannot patch human trust issues, which is probably why social engineering has always been, and will always be, such a threat to your data.

Way back when I took an active interest in exploring networks that should have been closed off to me, the most common tactic I employed was to go in through an open door, both figuratively and literally. Back in the day, a couple of decades ago, social engineering existed but had not been labelled as such. Back then I thought of myself as a cyber-conman, and ‘confidence trickster’ pretty much sums up what social engineering was all about then and remains so today: manipulating people into doing things they shouldn’t really be doing.

Whether I entered an office building through the front door on the pretext of being ‘the IT guy’ (armed with a clipboard and home-made ID badge) or simply snuck in through the tradesman’s entrance (in overalls with a mop and bucket), the key to success was giving the impression I belonged there, and that was all about exuding the right level of confidence. The IT guy got to wander around and play with desktops, make notes of the passwords stuck to monitors or even ask staff for logins. The cleaner is even more successful, as nobody ever questions, or speaks to, the cleaner; yet the cleaner can wander around pretty much anywhere as long as they have a hoover or a spray bottle and cloth in hand.

Fast forward 20 years or more and there’s no need for the would-be hacker to risk getting physically caught: the doors that need opening exist within email and social media, and the keys are links to be clicked.
Social engineering today is most commonly seen within the realm of phishing, be that the broad sweep of the scam broom that is swept across as many email addresses as possible in the hope of catching a few recipients off guard, or the more targeted ‘spear phishing’ attacks whereby time is invested in focusing on specific individuals or departments (often through a combination of social media and email accounts) in order to infiltrate the corporate network.