Mike here with the SysAdmin school, and today I want to talk about Social Engineering. I think this is a great topic to discuss, and anyone who has been in IT for any length of time is most likely familiar with Social Engineering. But I don’t want to make assumptions, so we are going to go through social engineering as a whole and the different forms that social engineering can take. Then I want to go over one big thing we can do to fight back against social engineering.

What is Social Engineering?

By definition, Social Engineering is the psychological manipulation of people into performing an action or divulging confidential information. There are many different ways to do this. One of the most common is exploiting the inherent good nature of people. People automatically want to help other people, and a malicious person can use this to their advantage. It could be part of your job to help people, and you may go over and above your duty to help them, to a fault.

I used to work for a company that was very customer-service oriented, as it should be, but it was to a fault. Employees of this company would allow customers to use their computers. They wouldn’t close any of their applications; if a customer needed to use a computer, the employee would leave their computer so the customer could use it with no supervision. Most of you, I am sure, see the problems with that. They would also allow customers to plug their computers into company network jacks. Now, I didn’t allow unused jacks to just be connected, but employees would unplug their own computer so a customer could plug their computer into that jack. Ultimately this forced me to implement MAC filtering.


Non-Technical Social Engineering

There was a great story told at a security conference I went to many years ago about how non-technical social engineering can really be.

So the story is this… A security consultant was hired to test a retail establishment’s physical security and the knowledge of its staff. The consultant created a badge that had a picture of himself and just said “Auditor” and nothing else. He also purchased a standard cash drawer and put $100 in it, split into normal denominations. He then walked into the retail establishment, went to a random, young-looking teller and said:

“Hi, I am Mr. So and So, and there have been some discrepancies with your drawer here recently. So I am going to take and audit your drawer; you can use this one for now so you can keep helping customers.”

He took the teller’s drawer and walked out of the store with over $2000. All for the cost of a cheaply made badge, a cash drawer, and $100 cash. Of course, he was hired by the company, so he immediately came back in and explained to the teller the error of their ways.

I always tell this story when I talk about Social Engineering because it really shows how low-tech you can be to pull it off. It also shows some different tactics that can be used to social engineer someone. The first tactic is fear: this was a young employee who was being told that there were problems with their drawer. I am sure there was some fear going through the employee, thinking they had done something wrong or were going to get in trouble. The other tactic he used was perceived authority. The auditor walked in with a badge that said auditor and acted like he was supposed to be there. Why would the employee question him?

One other common form of social engineering plays on people’s desire to help others. It is often used to gain access to a location the person is not authorized to be in. It is as simple as acting like you are carrying some boxes, and someone will hold the door open for you. Again, if you act as if you belong somewhere, you can manipulate someone into performing an action such as holding a door open for you, and you will most likely be able to gain access to quite a few places you shouldn’t.


Now, I am certainly not telling you to be a jerk and, for security reasons, never hold a door open for anyone. Just be aware of what you are doing. If you are about to hold a door open for someone you have never seen before, and it leads into a place that requires a badge, then maybe try to confirm that they are supposed to be there before you just let them in.

Technical Social Engineering

Now, of course, this is a technical website, so I can’t have this post go up without at least mentioning some technical forms of social engineering. But even technical social engineering is very simple and isn’t incredibly technical.

Phishing

Phishing is a huge form of technical social engineering. I have gone over this in another post (Phishing and what you should know), but in short, phishing is when you receive an email that attempts to fool you by looking like it is from a legitimate source such as your bank or your company helpdesk. These emails will typically try to get you to click a link that takes you to a site that will install malware or, more likely, attempt to get you to enter your credentials.

Phishing typically works on the shotgun approach: a very large number of emails are sent in the hope that at least one or two people will provide credentials. This works because sending email costs little to nothing. We can send hundreds of emails and the only cost is the internet connection, unless you are on a free wireless network.
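An added example, not from the original post: a small Python check that flags the kinds of mismatches a phishing email like the one described above tends to carry, namely a display name impersonating a trusted brand while the real sender address is elsewhere, a Reply-To that goes to a different domain, and link text showing one site while the href points to another. The brand list, domains and message are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real email): the display name and the
# visible link text impersonate a bank, while the actual sender, Reply-To
# and href all point somewhere else.
SAMPLE = """From: "Example Bank Support" <alerts@mail-example-bank.invalid>
Reply-To: recover@attacker.invalid
To: user@company.invalid
Subject: Action required: verify your account
Content-Type: text/html

<p>Please <a href="http://login.attacker.invalid/verify">https://www.examplebank.invalid/login</a> now.</p>
"""

# Assumed list of brands we trust and the words that identify them in a display name.
TRUSTED = {"examplebank.invalid": ["example bank"]}

def domain_of(addr):
    """Return the lowercase domain part of an email address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def link_pairs(html):
    """Return (href, visible text) for every anchor in the HTML body."""
    return re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S)

def phishing_indicators(raw):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    # 1. Display name claims a trusted brand but the sender domain is not that brand's.
    for brand_dom, words in TRUSTED.items():
        if any(w in name.lower() for w in words) and from_dom != brand_dom:
            findings.append(f"display name claims {brand_dom} but sender is {from_dom}")
    # 2. Replies would go to a different domain than the apparent sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply)} differs from From domain {from_dom}")
    # 3. Link text shows one host while the href goes to another.
    for href, text in link_pairs(msg.get_payload()):
        href_host = urlparse(href).hostname or ""
        shown = re.sub(r"<[^>]+>", "", text).strip()
        shown_host = urlparse(shown).hostname if shown.startswith("http") else None
        if shown_host and shown_host != href_host:
            findings.append(f"link text shows {shown_host} but points to {href_host}")
    return findings
```

Running `phishing_indicators(SAMPLE)` reports all three mismatches; a message where the sender, Reply-To and link hosts agree returns an empty list.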

How do we protect ourselves and our company?

I won’t lie, protecting ourselves from this type of threat is hard to do, because it targets the human element, which is much harder to protect. We can configure firewalls, ACLs and IPS sensors to protect against a lot. That is actually the easy part; the hard part is securing the human element.

I spoke about this in my previous post (Why Security is So Important), and you will see this theme in multiple posts, I am sure. But we need to create a culture of security to teach and empower our users and employees. It really starts at home and with better habits. If an employee uses “Password123” as the password for their banking account, then what motivation do they have to be any better at work? We need to teach our users and help them understand and secure what is important to them, not to us. By doing that we get our employees into a different mindset, a mindset of security. They will start thinking about what other personal assets they have that they want to protect. Once we have helped shift the employee’s mindset to a security-centric one, we will see them bring that over into the workplace. Now that they have a security-centric mindset, they will start choosing good passphrases and won’t push back when you implement MFA.

I would love to hear your thoughts on this topic so please leave them in the comments section below and consider subscribing.

Thanks for reading,
Mike