This is a guest blog post from Jenny Radcliffe, expert in psychology and the tactics behind social engineering attacks.
Privileged Users might be the end game, but it’s the ordinary employee that hackers target to create an insider threat
For a malicious social engineer, turning an employee into an insider threat is a key objective. Once a target organisation has been identified, many attacks depend on finding someone on the inside who can be contacted and mined for information about the company.
Observing the target
Many are surprised by this, as there is a belief that the bulk of attacks can be carried out without much, or even any, human contact at all. However, the more information that can be gathered on a target, the more likely it is that an attack will succeed, because it can be tailored specifically to the culture and personality of the target organisation. Staff are often surprised that what they know about a company can be of any use, especially if they don’t work in “key” positions or see their role as a minor one.
Many people don’t understand just how useful even small operational details can be in facilitating a social engineering attack. For example, knowing which suppliers have maintenance contracts, or on what day of the week the office waste is collected, can be very useful for pretexting, starting conversations, and even physical site penetrations. It is also key to constructing a believable phishing (or, more likely, spear-phishing) campaign that is designed to look natural for the company and not ring any alarm bells.
Everyone could be at risk
Therein lies one of the problems for organisations in terms of defence. If all of the staff can provide information that will help build an attack, then the potential ways in are myriad. Companies often make the mistake of thinking that only those with “important” data or information, at board level perhaps or with “privileged access”, need to be aware of how their knowledge can be used by social engineers and others who want to attack their organisation. Nothing could be further from the truth, and it is important to advise staff at all levels (preferably including regular site visitors such as contractors and maintenance staff) of the way in which they can provide the “link in the chain” to the target company.
The key goal for a social engineer is to gain trust in some way and then breach it, to gain access of some sort. Familiarity is an important way of doing this and creates a believable story for people to follow. The more that is known about the company (who works there, what the politics are, who hates whom, who leaves early, where staff celebrate, where they eat lunch), the more likely it is that an attacker can sound friendly, non-threatening and convincing to the person on the end of the phone, reading the email or sitting at the reception desk.
Personal stuff does matter
In pursuit of the familiar, social engineers will not hesitate to trawl social media for details about the lives of employees, and use that information to gain trust. Employees need to know that regardless of their position within an organisation, and regardless of how fragile their loyalty to the company might be, fraudsters will actively research their details, and those of their families, friends and business contacts, to use as a route to the main target.
Reputational damage, lies and theft are mere collateral damage along the way, and so an awareness of how personal information can be used is critical to help prevent innocent employees becoming insider threats through carelessness, oversharing and misplaced trust. If an outsider knows enough about an individual it is only a question of morals (or the lack thereof) and determination to use that information to “turn” them, through pressure or ignorance, into a genuine insider threat to the company.
Cautious attitude is key for prevention
The solution is monitoring to some degree, but also creating an awareness of the risks, rather than a dictatorial social media policy or restrictive operational rules and barriers. Dictating to people what they can and can’t post online, or heavily restricting what they are able to access in their job, is likely to provoke anger and even stubbornness about what they post. Moreover, people will always find ways of getting around limitations: rules can be broken, and locks, even clever technical locks, can be picked.
Warning people about what can be done with their information, both online and otherwise, promotes a more cautious attitude, which ultimately benefits both the organisation and the personal lives of those who work there. From a technical perspective, allowing people to do their job with only the most necessary restrictions in place means that they are not tempted to “hack” the system themselves, out of impatience, mischief or malice. It is far easier to monitor what people are doing if they are doing it openly, rather than trying to hide it. Give them the access, give them the choice, but then monitor for exceptions, and understand and mitigate the risks.
Whilst other sorts of insider threat exist, tackling the deliberate creation of insider threats by external parties, fed by recklessly shared information, is a good start on the path to better security. It is possible to make the lives of malicious social engineers more difficult if we help staff to understand the wisdom of discretion, privacy and caution with information. Loose lips sink ships, as they say, and in this digital age the old saying is as relevant as it ever was.
Jenny is an expert in psychology and the tactics behind social engineering attacks, as well as deception. She has a strong academic and corporate background, and was a senior procurement leader before becoming a consultant and trainer in both negotiation and procurement strategy and skills. She has lectured at several business schools at Master’s level on many business topics and is a guest lecturer in both security and procurement disciplines.
Jenny is also a professional speaker, and appears regularly at conferences, webinars and company events (Rant, InfoSec, Disa, NordicIT) where she provides insight into how “people hacking” uses psychological methods and why it can be a huge threat to organisations of all sizes. Her aim is to help security teams and professionals use the tools of human hackers to enhance awareness campaigns, persuade and influence their stakeholders and understand how culture contributes to organisational vulnerability.