[TRANSCRIPT]

Hey everyone, Mike here with the SysAdmin School. Security is the responsibility of all employees, and in this episode I’m going to go over social engineering and what you need to know.

I have talked about this many times before: as sysadmins we sometimes have to wear many different hats, especially if you work at a small company. You may be the person who is not only the sysadmin but the security admin and the help desk technician; you may even be a network admin, depending on the size of your company. So it’s important for all of us to know and understand security. We have to be able to teach our users how to keep themselves secure and keep the company secure when it comes to the different types of information security, or infosec.

What I want to talk about today is social engineering, and it’s something that we really need to understand because, again, we have to teach our employees about it. The definition of social engineering is “The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes”. That’s a pretty good definition. Basically we’re going to use it to obtain information, which may not even be confidential information. It could just be information we may use later on.

There was a really great Jimmy Kimmel segment where he went out and asked people how they generated their password. Through just regular conversation with the person, he eventually got to asking them the questions that related to how they came up with a password. One example was a girl who said that she used the street she grew up on and her cat’s name, and through just a normal conversation he was able to actually get that type of information out of her. Normally you are not going to think of that as confidential information, but knowing that she used that to generate her password, now he has a pretty good idea of what her password could be.

Now it really can be more than that definition; it’s also just understanding how people behave and then exploiting that. One other story that I love to tell people is about a pentester. I really wish I could remember the guy’s name, but I can’t. It was a course or a seminar that I went to years ago in Vegas, probably 10 years or more ago now. But basically this guy was a pentester, he was hired by this company, and they were at a retail store. He went and actually purchased a cash drawer, so about 25 bucks for the cash drawer. He then took out $200 in different bills and put that into the cash drawer. He printed up a badge, so five bucks to print a little badge that just said “auditor”. He walked into the retail store, walked up to a cashier, showed them this badge and just said “We have had some discrepancies with your drawer. I’m an auditor here and I’m going to take your drawer. Here, take this drawer, which has $200, so you can continue to work your till while I audit this drawer”. And the guy basically walked out with probably two to three thousand dollars, which was in that drawer.

Now obviously he was a hired pentester, so he walked back in and then had a nice teaching moment with the person. But he used a couple of techniques that are very common when you’re dealing with someone who is good at social engineering. One of the techniques is acting as if he has authority. He printed up a badge that said auditor and he acted as though he had the authority to audit this person’s drawer and take the cash drawer out of their till. Another tactic he used was fear, and when we’re fearful there are a lot of things that we don’t really think about. We don’t think straight when we are fearful or scared, so someone comes up who seems like a person of authority and tells us, hey, I’m going to audit your drawer because we’ve had some discrepancies. You’re now at this point scared that you had problems with the drawer. You are not going to think straight and you’re going to want to do whatever you can to clear your name. Which means: I’m going to give you my cash drawer so you can prove that I’m good and I’m not stealing from the company. The last one he used was urgency. So again, when you mix fear and urgency together it’s a bad combination for the victim, because not only are they scared, but now they’re going to make a quick decision. Is this legit? What’s happening here? Most of the time we’re not even thinking that. We’re not even considering that this could be an illegitimate person coming in trying to just take our money. So this is a really good example of how a person does some in-person social engineering to really trick somebody into giving up about two to three thousand dollars. Really he was trading maybe $250, if that, for the cost of the cash drawer and the $200 he put in there. He is trading about $250 for about $3000. I would make that trade all day long without even thinking about it, and I like to bring up these stories because they show good examples.

Another quick story, and this isn’t a really huge social engineering story, shows how you can expand on that by really understanding and using people’s kindness, essentially, against them. This guy does a lot of talks at Defcon and some other security conferences. It is Jayson Street; many of you may have even heard of him, and if you haven’t, check out his talks on YouTube, they’re amazing. He really goes above and beyond to gain access to the building, and he will tell you he’s not a techie, he’s not a hacker. He is just a person who can gain access to pretty much any building he wants, or any room, and he does this by exploiting a lot of people’s kindness and wanting to help. One of the things he says he does: he is not above renting a wheelchair, putting boxes in his lap and seeing if he can get someone to hold the door open for him. He has no access to that building, he doesn’t have a key card or badge to get in, but because he looks like he needs help someone comes out and typically will help him. So it’s another good one of not only using people to get information but exploiting people’s feelings and kindness to ultimately get the results that you want, which in that case is access to a building. So again, if you haven’t looked him up, look up Jayson Street; he’s great at the social engineering aspect and has some really good information regarding security and social engineering.

Social engineering can come in many different types. Typically we see them in the form of a phone call, an email (a huge one is emails), and even some in person. Now with phone calls, we don’t see those all that often anymore. I don’t know of too many people, including myself or employees, who get phone calls with social engineering tricks. When they do come in, they typically come in as someone pretending to be IT and asking for an employee’s password. They are saying, hey, we need to do some reconfiguration of the matrix and fix all the cookies that have fallen on the floor. Then they say in order to do this we need your password. If you can give me your password I can pick all these cookies up and we will reset the matrix and you will be good to go. I am trying to be funny here, but that’s basically the type of call that they will get: someone calling claiming to be IT, trying to get their password. This is really the big one that happens, that they call and ask for the password. One thing to always remember is never to give your password to someone over the phone. Even if it really does sound like someone from IT, push back; don’t give them your password over the phone. One thing that people need to understand about IT is that your IT department really can just go and reset your password. So if I, being IT, need access to your account, I’m going to go in and reset your password to something I know, do what I need to do on your account, then I’m going to reset that password again, set it to expire, and give you the new password so you can log in and change it to whatever you want. That is the proper way IT should be accessing your account if they need to. IT should never be asking for your password or any other confidential type of information.

The huge one we see here with regards to social engineering is emails, as we all get these emails asking us to click here or send this information here, or something has been compromised and we need to send in our bank account numbers and PIN numbers and all this stuff so they can fix it. So our Wells Fargo bank account is fixed when we don’t even have a Wells Fargo bank account. We’re all very familiar with these; most of the time what we are familiar with is the fact that they’re actually called phishing, or phishing schemes, because people are actually there fishing. They’re literally doing a shotgun approach, throwing out thousands of emails hoping one of them will stick or one person will bite the hook and give them the information that they need. Hence why it is called phishing. Now there’s a different type of attack that is very similar, and it’s called spear phishing. If you’re not familiar with spear phishing, it is when the social engineering email is incredibly targeted. So it may even include your CIO’s name, your CIO’s email address. It may include very specific information about the company. That just adds to the credibility of the email itself, and these types of emails only happen when someone is directly targeting the company. If you get something that looks a little fishy but it looks like it’s coming from your CIO or your CEO or your owner, again, push back. Question it and confirm that the email is intended for you and is actually coming from your CIO, your CEO or whoever it looks like it’s coming from. If it’s not, then this could be a spear phishing attempt to gather information from you. So what do we do when we see these types of spear phishing or phishing emails? Well, the first and easiest thing is just to delete the emails you weren’t expecting and that are asking you to click a link or download a file.
Pretty much that’s just a no-brainer and a pretty simple thing to do: you see any mail come from somebody that you don’t know, just delete it. You don’t even need to spend your time worrying about whether it’s legit or not, just delete it. And if you have a mechanism in place, report it to the IT security team, if those mechanisms are in place. Now email compromise is pretty rampant, so it’s not uncommon for someone’s email to be compromised and for you to actually get a phishing email from somebody you know. So what you want to do if that happens is to confirm the email that you get from the person. So you got an email from Bob in HR: call Bob, talk to Bob, ask him, hey, did you actually send me this email? It looks a little fishy and I don’t want to click anything or download any files that may not have actually been from you. So confirm, and he says yes or no: yes, those are the new regulations that you need to download and read. Perfect, I’ll go do that. So confirm emails are from the people you know, especially if they contain links or other files that you need to download or look at. And especially if you end up getting to a link that asks you for a username or a password. Those are definitely ones that you want to confirm before you attempt to put in that information.
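The red flags just described (an executive’s name on an address that isn’t theirs, replies routed somewhere else, fear and urgency wording, a link that asks for a password) can be turned into a mechanical check that runs before anyone picks up the phone to call Bob. The Python below is an added example, not anything from the episode; the executive name, the mail domains and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed (not from the episode): the real address of one executive whose name an attacker might borrow.
EXECUTIVES = {"Pat Rivera": "pat.rivera@example.com"}   # hypothetical CIO

# Wording that leans on the fear and urgency levers described in the episode.
URGENCY = re.compile(r"\b(urgent|immediately|right away|suspended|discrepanc\w+)\b", re.I)
CRED_REQUEST = re.compile(r"\b(password|pin|social security|account number)\b", re.I)
LINK = re.compile(r"https?://\S+", re.I)

def body_text(msg):
    """Join the text/plain parts of a parsed message into one string."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                     for p in parts)

def phishing_indicators(raw):
    """Return the list of red flags found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    found = []
    name, addr = parseaddr(msg.get("From", ""))
    # An executive's display name sitting on an address that is not theirs.
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        found.append("exec-impersonation")
    # Replies silently routed somewhere other than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        found.append("reply-to-mismatch")
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    if URGENCY.search(text):
        found.append("urgency")
    # A link combined with a request for a password is the classic credential lure.
    if CRED_REQUEST.search(text) and LINK.search(text):
        found.append("credential-link")
    return found

# Constructed samples: a spear-phishing message borrowing the CIO's name on a
# look-alike domain, and a harmless message from the real CIO.
SPEAR = """From: Pat Rivera <pat.rivera@examp1e-mail.net>
Reply-To: finance-desk@examp1e-mail.net
To: bob@example.com
Subject: Urgent: payroll discrepancy

Bob, we found a discrepancy in payroll. Confirm your password immediately at
http://examp1e-mail.net/login so I can clear this before the audit.
"""
BENIGN = """From: Pat Rivera <pat.rivera@example.com>
To: bob@example.com
Subject: Lunch Thursday

Bob, are you free for lunch Thursday? Pat
"""
```

A hit on any one indicator is a reason to make that confirmation call; the spoofed sample trips all four, the real one none.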

And remember, never send confidential information over email, especially things like your social security number, your credit card number or your password. None of that should ever go across email. Email inherently is not encrypted and is not by any means a secure means of sending data to people. It is a great way to communicate back and forth, but when you are actually talking about confidential data you need to use some other mechanism to send that information, not your standard email.

Again, another type of social engineering that we don’t see all that often is the in-person type, and this is pretty much what I spoke about with Jayson Street and some of the other pentesters out there. It’s typically done by pentesters, but there’s no reason that a person couldn’t try social engineering in person. I have found that the places where this works the best are in hospitality. So your resorts, hotels, restaurants, any place where the customer is king, is where these types of social engineering are pretty successful. They don’t need anything really elaborate to work. They just show up in person, act like they’re supposed to be there, and no one’s going to question them. Typically no one will question you being there.

Another quick story from Jayson Street: in different places he has the little Rubber Ducky, if you’re not familiar with that; that’s one of the ways he confirms that he’s compromised the computer. So basically he will just walk behind, you know, the hotel front desk, for example. In most hotels you can walk behind the front desk, and if you act like you’re supposed to be there you may not be questioned about what you’re doing. That’s what he’ll do: he will walk in somewhere, go in and plug his little USB into a computer, a screen will pop up, he’ll take a picture, and that’s how he confirms that he’s compromised that computer. He’ll just walk into places and plug this USB drive in and never get questioned. One time, in one of his stories, he walked in with a badge that said “your IT guy” on it and actually got somebody to escort him around to every computer in the office so he could plug this USB drive into it. Absolutely hilarious. The people in that office were just so willing to help him that it really made his job super simple. But at the same time they didn’t question him, they didn’t question whether he was supposed to be there or not.

So what do we do about these types of situations? One of the keys is you need to not hesitate to question people who you don’t think should be there. So you work at the front desk of a hotel, for example; you know your employees, you know the people who you work with day in and day out. If you see someone behind that desk who doesn’t look like they belong there, or whom you have never seen there before, ask them, and see if their story checks out. If their story sounds legit, call your manager, call the supervisor, call somebody who may know more and confirm their story. Don’t let someone who said “I am with your IT department” just walk behind the front desk and start on your computers. The same thing in restaurants, the same thing in any company. Another good one is to make sure your company institutes some sort of badge requirement. Again, hotels and restaurants are typically pretty simple because most people wear some form of a name badge, and if they’re not wearing a name badge, question them. If you work in an office building, try to implement an ID system where every employee has an ID that they have to wear while they’re on premises. And make sure your employees check. If employees see somebody that doesn’t have an ID, they question them. They ask, they say “Hey, where’s your ID?”, and make sure they do not open doors for people who don’t have IDs and who shouldn’t be in that area.

These are just some of the little things that really help with social engineering attacks. Whether they are in person, on the phone or through email, the employee is really the first line of defense for these types of attacks. So we need to make sure we train our employees, and I like to use the word empower, because really what we need to not do is the typical PowerPoint training: this is how you need to behave at work, this is how you need to secure our data at work. We need to teach better security practices overall to our employees. We need to empower employees not only to secure the data at work but to secure the data at home. We need to teach them to be safe in their own life, their own digital life at home. When we can do that successfully, and let them think about it and understand it, that is going to transition over into the workplace. In some other podcasts I have mentioned this before, and I think it really is kind of a great way to look at teaching security to our employees.
Again, employees are the first line of defense for a lot of our physical and social engineering type security attacks, so we need to teach them how to be secure not just on the job. Do you really think an employee who you know is using the same password for every account they have at home, has an open Wi-Fi, and doesn’t really give any consideration to security in their home is going to be different at work? Do you really think that when they come into the office they’re going to be completely security-minded and protect your company’s data? I don’t think so. It’s a mind shift that we have to get into our employees; again, empower. I like that word: empower those employees to protect themselves at home, know what to look out for at home, and that will, in turn, teach them and help them to protect the data at work.

That’s my spiel on social engineering. I went over that pretty quickly. I guess we’re about 20 minutes into this podcast now, but I think that was a good overview of social engineering. So I’d love to hear what you think. Feel free, if you’re looking at this on my website, to put any comments or anything you have in the comments down below. I’ll try to answer them as quickly and efficiently as I can. If you listen to this on Spotify or Anchor, I’d love for you to check out my site, TheSysAdminSchool.com. It’s a great place for you to really find information about being a sysadmin. That’s really my goal for you: to teach you to become a systems administrator and to help further your systems administrator career. So if you have any questions, check out my site and feel free to contact me. All of my contact information should be on the site; you can always find me on Twitter and on LinkedIn.

One other thing I did was create an ebook called the $400 Lab, at 400dollarlab.com. From there you can download my ebook and get your own lab set up in your home for you to do sysadmin stuff. The kind of stuff that I do: Exchange labs, learning Active Directory, learning Linux, learning Windows, all that kind of stuff for less than $400. I walk you through the entire thing; everything you need you can get for under four hundred bucks. So with that, guys, I hope you enjoy this podcast and I will talk to you again very soon.