Social engineering attacks – Part 2 (June 2019)
By Jamil Jaward
In part one I talked about the various categories of attack, the background of social engineering and the four-step approach used by social engineers to gain access to confidential information, which is then used to compromise security. In this final part, I will focus on the psychology of social engineering and how to mitigate it.
Social engineering attacks come in two forms: human-based and technology-based. Human-based attacks most commonly take place over the telephone, with the attacker using friendliness, sympathy, intimidation, or authority to establish and then exploit the victim’s trust. Technology-based attacks, by contrast, use computer programs to access the victim’s confidential information, again relying on the victim’s trust to carry out an action requested by a stranger. Yet organisations favor the use of technology to prevent these attacks rather than training people to recognize and mitigate them.
Although the use of technology has undoubtedly had a huge impact on minimizing security breaches, the human factor must be equally accounted for through continuous security awareness training and education to achieve effective security management.
Regents’ Professor of Psychology at Arizona State University Robert B. Cialdini claims that social scientists’ studies of the process of social influence reveal that generating a positive response to a “compliance with request” comes down to six “basic tendencies of human behavior”: social validation, authority, reciprocation, liking, consistency, and scarcity.
Social validation is the tendency to comply when doing so appears to be in line with what others are doing. The actions of others are accepted as validation that the behavior in question is appropriate.
Authority evokes compliance because people have a tendency to honor requests made by a person in authority. If a fake police officer who appears to have authority asks citizens to break the law by driving through red lights, then you bet every single person will.
Reciprocation compels us to comply with a request when we have been given or promised something of value. Giving a gift to a friend for Christmas, even when they did not ask for it, will compel them to reciprocate.
Liking is the tendency for people to comply with a request when the requestor has established himself as a likeable person who shares similar commonalities.
Consistency is the tendency to comply after publicly promising to do something, as we do not want to appear to be untrustworthy or inconsistent with our promise.
Finally, scarcity triggers compliance when we believe there is competition for the object we are after, that it is in short supply, or that it is available for a limited time only.
Research into these tendencies has been going on for over fifty years, and while technology has changed tremendously over those fifty years, social engineers still rely on these basic tendencies in their attempts to manipulate their victims. Therefore, the key to recognizing and preventing social engineering attacks is to ensure that people are aware of the threats and how to react to them. Security experts note that organizations spend huge sums of money on security systems to protect valuable assets, yet these can be bypassed by a low-cost, low-tech social engineering attack. Mitigating the risk, they believe, requires effective education and training on how to spot potential attacks, delivered through awareness training.
The fact that human nature has so many tendencies that trigger compliance with requests that are detrimental to people or to the organizations they work for suggests a serious problem that cannot be ignored. While technology has indeed gone a long way towards protecting the valuable assets of individuals and organizations, the fact remains that if a person is conned into handing over their restricted security pass, technology offers no protection against an entry that appears to be authorized.
In this scenario, the human factor is better placed to detect and prevent these types of social engineering attacks. A staff member with the appropriate training can spot the imposter and challenge them, resulting in a failed attack, because the main idea behind social engineering is to manipulate authorized people into unwittingly carrying out the attack.
The fact of the matter is that this is a human-element security problem, and these attacks may come in one of several forms: posing as a fellow employee, an employee of a vendor or partner company, or law enforcement. People carrying out such attacks are usually well versed in the organization’s lingo, which lends them a degree of legitimacy. There are literally hundreds of different social engineering methods used to launch an attack; all are directed against the human element, and no technology can prevent them.
While the human element is the weakest link in security, it is also the solution to the problem. Awareness is key to mitigating social engineering attacks. For example, some warning signs of a social engineering attack are: refusal to give a call-back number (not an outright refusal, but rather a cleverly planned excuse), an out-of-the-ordinary request, a claim of authority, discomfort when questioned, threats of negative consequences for non-compliance, name dropping, or outright flattery. Training that highlights examples of attacks, and even role-playing, is a good way of combating these attacks.
However, no matter how much effort is put into security awareness training or education, there are some factors that make organizations more vulnerable to attacks. These include a large number of employees, multiple facilities, information on employees’ whereabouts left on their voicemail messages, a publicly available phone directory, and a lack of data classification.
As a final note, verification and data classification are perhaps the key elements in protecting an organization against social engineering attacks. These should include policies and guidelines that map out the procedures for releasing even the simplest information. First, data should be classified as public, internal, private, or confidential. Second, procedures must be put in place for how to release information from each category. Third, there must be ownership of the data: a supervisor or manager within a department or section who has the final say on who may release their data, and when and how. Finally, verification procedures must clearly outline the steps to follow and the authorizations to obtain before information is released.
The CSI 2007 Survey conducted by the Computer Security Institute reveals a shocking trend: 48% of businesses surveyed spent 1% of their total security budget on awareness training. While this is the reality of the issue, Mitnick, a former hacker, notes that “some authorities recommend 40 percent of a company’s overall security budget be targeted to awareness training.” The reason is that the “human factor,” not technology, is the key to providing an adequate and appropriate level of security to prevent social engineering attacks. Technology is useless without proper training of the user: while a computer system might have the latest encryption software and two-step authentication, it cannot offer protection against a social engineer who has conned a user into giving up their username and password by pretending to be the IT helpdesk.
Despite overwhelming evidence that social engineering attacks succeed more often than not because the human factor is neglected, not enough is done to raise security awareness and to train and educate employees at all levels in the detection and prevention of social engineering attacks. Doing so would not only help reduce the number of successful social engineering attacks, but also help combat another rampant problem faced by organizations, “insider abuse.” A survey found that 59% of respondent organizations reported “insider abuse of net access” as their most prevalent security problem.
Regardless of the method of social engineering attack, from dumpster diving to industrial espionage, the human factor is always the common factor and the weakest link. To prevent a social engineer from gaining access to confidential information from an organisation’s trash, humans have to remember to use the technology, a paper shredder, to render unwanted documents useless. Likewise, stealing an organization’s sensitive trade secrets requires human interaction with the organization’s employees and their subsequent deception in order to obtain the information.
If people are the common factor and the weakest link in security, then it is obvious that organizations must focus on the human element to better complement technology, by implementing comprehensive organization-wide security awareness training and education programs that ensure people understand their security responsibilities. The National Institute of Standards and Technology notes that “the ‘people factor’ - not technology - is key to providing an adequate and appropriate level of security.”
Technology alone cannot be the solution for effective management of the problem; rather, technology must be incorporated into a range of approaches such as security policies and procedures, awareness training, and incident response training. Access gained by an attacker through legitimate means is difficult for technology to detect, because technology cannot differentiate between an authorized and an unauthorised user as long as the authentication credentials match.
Social engineering is a serious problem that remains the greatest threat to organizations globally, and it cannot be eliminated. The success of social engineering relies predominantly on several facets of the weak human element of security. At the organizational level, while social engineering is a well-known phenomenon in the information technology and financial industries, obtaining reliable data on the economic impact of social engineering attacks remains a challenge, as victims are either unaware of having been victimized or unwilling to publicize it in order to avoid embarrassment and loss of consumer confidence.
At the user level, because the attack carries a stigma of shame, victims see it as an attack on their intelligence and worry about being considered dumb or ignorant; hence they are reluctant to report it. This makes discussing the issue a key challenge; the truth is that everyone is susceptible to social engineering attacks. This is all the more reason why organisations should not wait for an attack to happen before they consider countermeasures and safeguards.
Avoiding the threat of social engineering requires the implementation of basic principles of security systems to mitigate the risks. This includes security policies, procedures, and guidelines for the correct classification, handling, and release of critical, sensitive, or confidential information. People need to be made aware of the threats and how to react to social engineering attacks through continuous security awareness training and education.
Due to human nature, it is far easier to manipulate people into breaching security than it is to do the same to a firewall system. However, educating and training people to detect and prevent social engineering attacks requires less effort than securing and maintaining a firewall system. Organisations can no longer afford to have the human element as the weakest link in security.