Social Engineering Insights from DefCon

By: Krista M., Cyber Threat Intelligence Analyst, NJCCIC

Last week, I had the opportunity to attend DefCon 23, an annual conference where hackers and cybersecurity professionals from around the world descend on Las Vegas to learn and share information about hacking techniques, system and software vulnerabilities, online privacy, and data protection. Each day of the convention was jam-packed with lectures, presentations, and demonstrations by some of the best and the brightest in the field, a few of whom recently made headlines when they unveiled potentially dangerous and devastating software vulnerabilities. Of all the lectures I attended, some of the most interesting and engaging speakers I saw shared their knowledge and insight at the “Social Engineering Village Talks,” an area of the conference dedicated solely to the topic of social engineering. The main point each of these speakers emphasized was this: human beings are the most vulnerable entry point into a network, a business, or an organization.

According to the IBM 2014 Cyber Security Intelligence Index, 95 percent of all investigated cybersecurity incidents listed human error as a contributing factor. Although this report includes such mistakes as incorrect system configuration, insufficient patch management, lost digital devices, and weak passwords under the “human error” umbrella, IBM couldn’t ignore the role that social engineering also plays in network and data breaches. The company concludes its report by stating, “Even those companies with strong security practices are still vulnerable to acts of social engineering. It’s important to educate employees on an ongoing basis about identifying suspicious communications and potential risks to the organization.”

What is Social Engineering?

Social engineering is an umbrella term encompassing the full range of methods used to manipulate people into divulging sensitive information. There are two main types of social engineering: human-based and computer-based. Human-based methods require the attacker to interact with people in order to obtain information or gain physical access to a location, system, or network. Computer-based methods use technology in an attempt to convince people to take a specific action that will ultimately lead to infected systems, compromised networks, and data theft.

Some examples of human-based social engineering tactics include:

  • Researching the target: attackers will often conduct preliminary reconnaissance on their victims before attempting to make contact in order to craft the most believable scenario possible.

  • Impersonation: an attacker attempts to gain unauthorized access to a location, system, or network by pretending to be someone they’re not (e.g., delivery person, computer technician, repairman, help desk employee, job applicant, new employee, contractor, customer, or authority figure). When this technique is used via the phone, it’s called “vishing” and can be especially effective as there is less of a chance that the attacker will give himself away through body language.

  • Piggybacking and tailgating: an attacker attempts to gain unauthorized access to a location by following behind others to get through locked doors or restricted entryways.

  • Shoulder surfing: an attacker tries to gain login credentials by looking over the shoulder of the victim as they type.

  • Pretexting: an attacker using this method will fabricate a scenario in order to convince the victim to divulge sensitive and personal information (e.g., an attacker may pretend that he needs certain information, like a Social Security number or date of birth, to “verify” the victim’s identity).

Some examples of computer-based social engineering tactics include:

  • Phishing: this technique involves sending generic spam emails to a large distribution list without targeting anyone specific in the hopes that some recipients will fall for the scam, divulge valuable information, or infect their machines by clicking on embedded malicious links or attachments.

  • Spear phishing: an attacker using this technique will send specially crafted emails targeting a specific group of people (e.g., an email that appears to originate from a company’s IT department encouraging employees to reset their account passwords by clicking on a malicious link).

  • Whaling: this phishing technique targets high-level and high-profile end users like corporate executives, politicians, and celebrities and uses very personalized emails designed to elicit an immediate response from the victim.

  • Baiting: this tactic involves enticing victims with something they desire or piquing their curiosity in order to get them to take an action that will result in an infected system or compromised network (e.g., leaving a curiously labeled malicious USB drive in a high-traffic area or infecting a movie or music file on a peer-to-peer network with a malicious payload).

  • Website Cloning/Spoofing: an attacker makes a malicious version of a popular website and tries to trick victims into thinking it’s legitimate and visiting it, which could result in a malware infection, stolen account credentials, or a compromised network.

  • Pop-Up Windows: a pop-up window appears on the victim’s screen telling the user an action is needed, like clicking a link or downloading software, in order to continue. Once clicked, the pop-up directs the browser to a malicious site or begins downloading malware to the victim’s machine.

All of the above techniques continue to be successful because, by nature, people fundamentally want to trust each other. In addition, it’s sometimes easier to believe a convenient lie than it is to stop and question the request being made by the attacker. One of the biggest steps that organizations can take in protecting their data and networks is to train and educate their employees on how to prevent, recognize, and handle potential social engineering tactics. Creating a security-conscious workforce can be achieved by educating employees on the following:

  • Do not open emails from untrusted sources. If an email looks like it came from a familiar source but seems unusual in any way, speak with the sender on the phone or in person before clicking on any links or downloading any attachments.

  • Ignore any email requests for personal or financial information. In this day and age, no reputable individual or company will ask you to send any kind of sensitive information via email.

  • Beware of any file download you did not initiate.

  • Do not enter sensitive information into a website without making sure the connection is secure and the website is legitimate and not spoofed.

  • Be suspicious of unsolicited phone calls or visits from people asking about internal company information. Report any suspicious behavior to management and security.

  • Do not give strangers online or on premises the benefit of the doubt. Verify all credentials and properly vet all stories. If you’re not sure if someone should be given access to a building or system, consult your organization’s security team.

  • Be skeptical of any request designed to elicit an emotional response. Many times, attackers will play upon a person’s emotions and craft messages that create a sense of urgency, like lying about an emergency to try to get financial assistance from the victim.

  • If an offer seems too good to be true, it probably is. You are not going to win a free tablet, a million dollars, or a trip to Tahiti by clicking on that link. Do not do it.

  • Make sure your email spam filters are set to the highest detection setting available.

  • Use strong passwords of at least 8 characters on all of your accounts, combining letters (capital and lowercase), numbers, and symbols. Do not use the same password on multiple accounts and don’t leave your password written down somewhere where others can find it.

  • Consult your organization’s security policy.

Following these simple rules will go a long way in helping to protect your networks and keep sensitive information out of the hands of malicious cyber actors.