Social Engineering may be the greatest cybersecurity risk

Written by Mints Insurance and DFDR Consulting

The single most effective weapon the modern hacker has in their toolkit is your users.

That is the reality of the world today.

Whether it is delivery of ransomware through email, stealing credentials or breaching your physical perimeter and planting a device for remote access, the common denominator is your users. Their ignorance, negligence or malicious intentions are used every day to provide unauthorized parties access to your business.

The modern cyberthreat doesn’t aim at compromising your servers directly as a “first strike” target. Technical exploitation is a major threat, but why would an attacker waste 20 hours attempting to obtain a shell on your webserver when a few emails from a phishing domain can do so with minimal effort?

Ransomware is here to stay and it’s incredibly easy to deploy. If an attacker does their homework, particularly on a company’s public profile (ex. LinkedIn), finding the “right users” to maximize their efforts is simple.

I know this because I do this every day.

As a penetration tester, my job is to compromise companies every day and assist them in hardening their security perimeter. I use the same tools, attacks and methods as the bad guys.

Your users can be easily fooled by social engineering because of a few factors:

They are the first line of defense. – While most organizations won’t give you access to their server room, they encourage their users to be publicly facing. Email addresses are published, phone numbers listed and LinkedIn or Twitter are used for professional networking. The ability to direct files, communications and links to users is facilitated and encouraged. Companies invite the threats in and give them face time with the user.

The users are rarely trained appropriately. – User training is the most overlooked facet of a cybersecurity strategy. Organizations scoff at losing productivity, particularly as a compensating control. One hour of training per user yearly can significantly reduce, if not eliminate, this threat.

Public Information – Publishing your portal for file transfers, posting of job titles and roles, helpdesk information and other metadata enables an attacker to easily build credibility. Whether it’s an email that appears to come from their superiors or phone calls to a large company’s helpdesk staff posing as a remote user, organizations are often distributing information publicly that enables a remote attacker to quickly target and refine their strategies.

Human Nature – Humans are trusting, particularly when interactions are controlled. I always say “people take what you give them.” If I can control the conversation, direct people where I want them to go and present credibility, most users never realize what is happening.

Ransomware and Identity Theft are incredibly effective because I don’t need to beat an enterprise firewall, antivirus or the security guards. Your users and their behavior do all of the hard work for me.

There are a few measures your organization can implement. Most do not impact your budget, current strategies or workflow.

  1. Provide yearly security training to your users. Focusing on social engineering, ransomware, phishing, open source intelligence and proper social media policies should be the primary goal.
  2. Spam filtering. Effective, off-site filtering that uses SPF, graylisting, metadata analysis and other controls can make a dramatic impact on these types of attacks. Do not accept certain file types through email and ensure they are being scanned.
  3. Curate the public profile and websites of the organization – Remove all metadata from publicly posted materials (ex. PDF, DOCX, Media Files). Metadata in documents allows a remote attacker to obtain targets, determine infrastructure and applications in use and build a profile on your organization.
  4. Have a social media policy – Carefully control the information your users post publicly. Do not allow company emails to be used for social media sites or online transactions.
  5. Confirm the identity of all visitors, require a guest badge – It is incredibly easy to obtain physical access to an organization. I have “talked” my way into sensitive, secure areas or simply walked in through a loading dock, planted a device and left. Tightly securing physical access and visitors is paramount. Humans, by nature, stay to themselves and are not likely to disturb a stranger… particularly if they “look like they’re supposed to be there.”

Social Engineering is here to stay. The success of it depends on lax controls, undertrained staff and effective intelligence. Organizations need to account for these attacks and commit resources to controls which effectively reduce the risk.