Wednesday, March 4, 2015

What Is Social Engineering?


"Social Engineering Attack: Because there is no patch to human stupidity" (www.GreenHackerz.com).

Sun Tzu wrote in The Art of War:

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle” (TZU).

That is why over the past several months I have been listening to a lot of audio. Frankly, I am not a big reader so I love audio books. I spend a considerable amount of time in the car going between clients. Sports talk radio is old, music gets boring and I would rather take advantage of the time learning new things about security. 

I have gone through Kevin Mitnick's book Ghost in the Wires (Kevin was a master at social engineering; well worth a listen or read) and I have listened to others on the subject as well. We hear every day about breaches, hacks and threats on the cyber landscape. Most of the breaches out there are caused by... you guessed it: some sort of social engineering.

There are many definitions of social engineering. In its broadest terms, one definition is "A practice used by crackers and black hats in order to gain sensitive information needed in order to compromise security by using techniques such as eavesdropping on conversations or posing as tech support" (www.urbandictionary.com). This is only one example.

Remote attacks on networks have declined because they are time consuming and defenses are getting better. To my surprise, I found out that social engineering is on the rise. One of the latest scams is the one described above, where the bad guy calls a company and talks to an employee, convincing them to give remote access to a computer because he is "tech support." The attacker gets in, plants a virus and there you go: instant inside access to the network. In the meantime the perimeter is being carefully watched by the IT department. Defenses in place. Feeling secure.

Another type of attack is a phishing attack. That is when you get one of those emails that is so enticing that you click on the link and bingo: code in the background loads those nasty bugs on your machine. You have pop-ups. You sl....ooooowwww down and you're calling the IT guy in to clean the machine up.

A recent event happened to one of my clients. It was a receptionist at a company. It just so happened that people around the office were talking about what to get for lunch. As timing would have it, a Pizza Hut coupon phishing email showed up in her inbox. You know what happens next. No coupon. Plenty of malware and some money spent cleaning it up.

There are many examples of social engineering, and you face them without realizing it every day. Here is another example. Company A was a competitor to Company B and needed some information on an upcoming product release. A new hire in Company A happens to know the lead engineer of Company B. We will call him Bill. Bill really likes happy hour on Friday night at a local bar.

One Friday night Bill is at his favorite place. Company A sends in Bev (pun intended) to sit down next to Bill. The conversation goes on about small stuff: where are you from, where do you work, etc. Bill is feeling more comfortable with Bev and after a while is talking about this big project he is working on. Slowly Bev is bringing out the information. They agree to see each other a few more times. Bev gets enough information to have someone call into the company and obtain Bill's password and login credentials (dropping the names of Bill's fellow workers and bosses obtained through the process).

Literally, Bill hands over the keys to the new product without even realizing it. Bev suddenly cannot be reached (assumed name, a phone that was one of those temp phones you buy at Walmart, fake address, etc.). Bill starts to wonder. 3 weeks before the launch of the new product from Company A, Company B puts the exact product on the market.

It was all about information gathering. Bill liked Bev (the drink and the lady). That was leveraged to obtain information bit by bit, piece by piece, until the time was right and the keys were ready to pick. Could it have been avoided? Yes. Typically, even with all of the information, there still has to be someone else on the inside who doesn't follow protocol and gives out a password or grants access when it should not be given.

I will write about many more true-life examples of social engineering in coming blogs. There are plenty to choose from. The more I listen to the experts, the more I understand that this is the weak link you hear about. All of the hardware and software in the world cannot prevent a leak of information from a human. I can put up every defense known to mankind, but if someone decides to click on that link... well, there just isn't a lot I can do about it other than clean it up.

If I define social engineering, it is truly about gathering information from one or multiple sources and exploiting human vulnerability: having someone tell you what you need to know without them knowing that is what you are doing. When you think of it, humans are the weakest link when it comes to technology. They have been for many years. That is why it isn't just technology. It's psychology! My new term is techsychology! Maybe it will wind up in the Urban Dictionary someday.
