Imagine, if you will, the following scenario:
Two well-dressed, charming individuals enter the lobby of your organization, each casually holding laptops and carrying carefully prepared thumb drives and cables in various pockets. They walk purposefully across the lobby past the front desk.
A receptionist asks, “Can I help you?” The taller man responds, “Sorry to intrude. I’m here to test some networking equipment. It appears people are having trouble joining meetings. I’m working with John in IT over at the main branch.”
The receptionist responds doubtfully, “We don’t have anyone scheduled to come in today. I’m going to have to call John to verify.” “Of course,” assures the second man. “I have him on the line here for you,” he says, handing the receptionist a cellphone already dialing a contact labeled “John Smith.”
But the man the receptionist speaks to is not John Smith. Instead, he is an associate of the social engineers who have just gained access to sensitive areas of the organization and who will soon be walking out the door with all the information they need to cause a breach.
This social engineering scenario might sound like a concept from a James Bond or Jason Bourne film, but consider some others:
- Trusted, well-meaning employees find a USB drive in a conference room. Curiosity gets the best of them, and they plug the drive into a work laptop, unwittingly infecting their machines with ransomware.
- An unknown individual arrives at your organization in a delivery service uniform, arms laden with heavy packages. Once he gains access, he lingers at an unused workstation for just a moment and is gone before anyone notices.
- An employee receives a call from someone claiming to be from IT, who asks the employee to finish the migration to the organization’s new email platform by logging in to the new web portal, for which the caller provides the link over the phone.
- A well-crafted email with a link to an employee survey or containing a spreadsheet file called “salaries.xls” is sent to your organization’s employees, convincing a few to either click the link and divulge sensitive information or open a malicious file that provides an attacker with remote access.
Exploiting human psychology
Social engineering is an umbrella term for the various malicious activities that exploit human psychology. These activities often succeed because they depend on the good nature of humans to go along with situations even in the presence of red flags.
Social engineering comes in many forms: phishing, impersonation, cold calling, tailgating, and more. In this context, social engineering is the exploitation of human behavior to gain unauthorized access to sensitive areas or information. The last of the scenarios above, the phishing email, is likely the social engineering ploy with which most people are familiar.
According to the Anti-Phishing Working Group (APWG), 239,910 reports of unique phishing campaigns were received in the fourth quarter of 2018. Phishing campaigns are conducted against organizations of all sizes and industries. In 2018, software as a service and email made up nearly 30% of all phishing targets, according to the APWG, while financial institutions and payment systems made up more than 45% of targets. The remaining targets were spread across telecommunications, cloud and storage services, logistics, and other industry sectors.
Meanwhile, the threat of physical intrusion and access weighs on the minds of security professionals. So how can organizations mitigate the threat of a social engineering attack?
Physical controls are a vital part of any effective plan to deal with social engineering. Properly implemented locks, security cameras, and badge readers can keep a would-be attacker out of restricted areas and away from sensitive data. Limiting access to these areas with badges and keys can even protect against threats that come from inside the organization and provides a trail of evidence should something go awry. Security cameras offer protection through deterrence, and they can also provide evidence for an investigation.
Well-established identity verification procedures constitute an important piece of any defense against social engineering. Customer-facing businesses have new people moving in and out every day, and most physical locations might have to contend with deliveries, maintenance crews, IT support personnel from other locations, and contractors. Any one of these potential reasons for being in a building can be used by a malicious figure as a cover story. Taking proper steps to verify that all people in the building have reason to be there is critical in locations where new people come and go.
Security awareness and training is the human element that ultimately keeps sensitive data protected. All employees should know to ask themselves questions such as, “Does this feel right?” “Is this email asking me to do something that seems out of the ordinary?” “Should I call Mr. Smith on my phone to confirm?” “Is this person tailgating in the doorway behind me?” This mindset might even mean refusing entrance to executives who have forgotten identification until they present appropriate credentials. Savvy executives would likely pale at being shown a copy of the employee handbook security awareness procedures with their own signatures at the bottom.
A level of skepticism is healthy about all things cyber, and such skepticism might come naturally to some. For many, however, it is important to provide training and resources to teach employees to detect these threats. This awareness training can come in many forms, including monthly emails highlighting the most common phishing tactics and signs near doorways reminding employees not to hold the door for those they don’t recognize.
A strong and tested security culture can keep your organization a step ahead of would-be attackers. Phishing emails will come, and someone might attempt to access a physical location and steal sensitive data, so an established set of controls – well-defined procedures, physical barriers, and employee training – can help stop bad actors in their tracks. As with any controls, however, testing should be performed regularly to simulate these threats and track whether your organization responds appropriately.
In the same way fire drills help employees react instinctively to a real fire, so, too, should your employees know how to respond to social engineering. Ultimately, taking the time to build and evaluate your organization’s security program can keep bad actors (and spies!) out of your business.