Malicious social-engineering attacks are on the rise and branching out far beyond simply targeting the financial sector. While some organizations develop employee-awareness training or solicit pen testing, or use some combination of the two, these preventive tactics can only go so far.
Adopting a "know thy data" approach -- in terms of what it is, how valuable it is and where it is -- and then focusing on securing it may be the key to surviving the relentless onslaught of attacks.
Remember the ancient Greeks' "gift" horse to the city of Troy? While a social-engineering attack is by no means new, today this highly effective tool snares its victims through phishing, elicitation and impersonation.
"We freely give out information on the Web in the form of social media, over the phone or just to strangers -- often without realizing we've just handed an attacker tiny bits of info that can wreak havoc," said Chris Hadnagy, chief human hacker, president and CEO of Social-Engineer Inc., a firm specializing in social-engineering services and training.
Anyone -- even pros -- can become a victim of a social-engineering attack. "It's nearly impossible to detect you've been socially engineered," said Daniel Cohen, head of knowledge delivery and business development for RSA's FraudAction group, who says malicious social engineering is one of the biggest problems for security. "As long as there's a conscious interface between man and machine, social engineering will always exist."
Money is the main reason malicious social engineering is so pervasive. In October 2013, RSA identified more than 62,000 phishing attacks, which raised the bar in terms of number of attacks carried out within a single month. The median takedown time for attacks is 12 hours -- worth roughly $300 each hour. During October 2013 alone, phishing attacks netted $233 million.
And it's easy money. On the underground market, you can buy a spam service to blast out 500,000 emails for a mere $75. "Of those 500,000 recipients, some people will inevitably send Bitcoins or whatever you're asking for," said Cohen. "It's why we're seeing mind-blowing losses on the order of hundreds of millions globally to phishing."
New targets emerging
While phishing has traditionally plagued the financial sector because it's easy to commercialize and sell financial credentials, attackers are now branching out to target mobile and gaming platforms, as well as airlines' frequent flier mile programs.
Perhaps most disturbing of all, healthcare is emerging as a target because the value of medical data is slowly increasing on the underground market. "The vast majority of attacks, however, still target financial institutions," Cohen said.
One factor behind the expansion of phishing attacks is that, thanks to underground sites on the dark Web, fraudsters from all over the globe have a way to connect and collaborate anonymously. They frequently solicit partners with social-engineering skills, as shown in the figure below, to help fill in the missing pieces of identities, which they can then turn around and either use or sell.
Art and science of manipulation
Educating employees about the dangers of a social-engineering attack is important, and companies should provide active awareness training. "Simply having staff sign a social-media policy or code of conduct doesn't mitigate the risks or create adequate awareness," said Nejolla Korris, CEO of InterVeritas International, which specializes in social-engineering awareness and lie-detection training.
What should employee training impart? For starters, awareness of what phishing, elicitation and impersonation look like and how they're used.
It's important for employees to understand how a social-engineering attack is tied to psychology and human nature. "The ability to discover what individuals' sensitive spots are and target them by tapping into the good nature of human beings makes the work of social engineers much more effective," Korris said.
Another aspect of employee training is learning how to mitigate problems when they occur, according to Social-Engineer's Hadnagy. Many companies still lack a person or department to route any suspicious email or phone calls to.
"It's critical to have a place to report these events, before it turns into a mess," said Hadnagy. "It's also important to remove the fear of being fired. When employees feel good about reporting incidents, companies can mitigate the effects of social engineering much faster."
Social-engineering pen tests can also reveal surprising vulnerabilities as well as provide awareness on a more personal level.
"The biggest portion of any social-engineering pen test we do is information gathering; more than 50% of our time goes into it. And we gather everything," said Hadnagy. "Social media makes it easy. We go to LinkedIn, Myspace, Facebook, Twitter or the hundreds of other social-media sites to see what they've put out on the Web publicly."
LinkedIn is "a dream tool for social engineers, because many people post their entire professional histories and rarely use any privacy settings," said Korris. "It has very few filters, and unless you've made a conscious effort to hide it, your information is there for anyone to see."
What, specifically, are social engineers looking for? "How people use their corporate email addresses, how they spread the message about their likes, dislikes, favorite restaurants, kids, all those things," explained Hadnagy. "A malicious attacker will search for weaknesses, which generally involve something you like or enjoy because you're more prone to click a link or allow a person access to you if it's something you're in tune with."
One bank manager had a Facebook profile with 796 photos of herself with a drink in her hand, and another 398 photos of herself in a bikini. That's a "weakness" that can be easily exploited, according to Korris. "This bank manager also posted her birthdate, photos of her Escalade, and her driver's license," she said. "For someone required to maintain the privacy of her clients, she showed no discretion on Facebook." And it gets worse: The bank's corporate logo appears next to her Facebook profile, along with photos of the bank staff, all tagged of course.
Information that may seem benign can literally open the door to social engineers. "We were able to infiltrate a company because we called up and someone told us who their waste disposal vendor was," said Hadnagy. "A few days later, after we had a couple of hats and shirts made with that vendor's name, they let us right in," he added. "All from one simple piece of information given out over the phone -- no verification that we were who we said we were."
Hadnagy and his colleagues use their audit findings to help educate companies. "Having a third party come in and 'go to town' on your people and network to see where the vulnerabilities exist is a huge benefit," he said. "At the end of our pen tests, we'll show you the spear-phishing emails and the phone calls we used, as well as the impersonations. We teach what worked and why, what failed and, especially, what to do when they fail."
Not everyone agrees about the extent to which training can help fight social engineering, because at some levels you're dealing with highly motivated pros. "At the corporate level, user awareness and training about social engineering won't have the same impact," said RSA's Cohen. "Pro attackers use incredible strategic detail, and attack statistics reveal that many companies only discover they've been attacked after a third party warns them they're seeing odd things."
Look beyond the front door
While it's helpful to understand that social engineering is one of the key techniques attackers use, what do all attacks have in common? Data theft.
A "know thy data" approach to dealing with social engineering presumes that a talented social engineer can get past whatever controls you put in place -- so why not model these threats against your data? It's not easy to do, but it's becoming necessary.
"The thing you're not watching is what gets you into trouble. In this case, data," said John Kindervag, Forrester Research vice president and principal analyst serving security and risk professionals. "We don't know what or where our data is, so we wander around the edges of our networks putting in random protection."
Knowing how many digital intrusions you've had and whether you've lost data is critical, yet many companies "simply can't answer that question because they've been staring at the front door -- social engineering -- for so long that they haven't looked to see if anyone's ripped the big screen TV off the wall," he said.
The question we should be asking is: Is my data being breached right now?
Security teams should understand their data well enough to know how it should flow, and then look to see if it's moving outside of that pattern. "The answer to social engineering is to change the focus from trying to prevent social engineering to ensuring you have a way to validate that your data isn't being exfiltrated to a malicious actor right now," Kindervag said. Ultimately, teams should watch every data egress point and constantly monitor all of them for the exfiltration of proprietary and toxic data. "If you don't know where your data can egress, then you're in trouble," he warned.
Don't concentrate your security efforts solely on the Internet; also focus on wireless networks, which tend to be poorly secured. Traditional wide-area networks are also at risk. "WANs are considered to be secure private networks," said Kindervag, "so attackers will hit the places you consider to be secure."
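As an added illustration (not from the article or anyone quoted in it), the Python below applies the approach described above: an inventory records what the data is and where it lives, a baseline records how it should flow, and every egress point, including wireless and the WAN, is checked for movement outside that pattern. All addresses, asset names, byte counts and the volume threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed inventory: what the data is, how sensitive it is, where it lives.
INVENTORY = {
    "10.0.5.10": {"name": "customer-db", "classification": "toxic"},
    "10.0.5.20": {"name": "design-repo", "classification": "proprietary"},
    "10.0.9.30": {"name": "intranet-wiki", "classification": "internal"},
}
# Constructed baseline of how data should flow:
# (source, destination, egress point) -> expected bytes per monitoring window.
EXPECTED = {
    ("10.0.5.10", "10.0.7.15", "lan"): 50_000,      # customer-db -> billing app
    ("10.0.5.10", "172.16.4.8", "wan"): 1_000_000,  # customer-db -> backup site
    ("10.0.5.20", "10.0.7.40", "lan"): 150_000,     # design-repo -> build server
}
WATCHED = {"toxic", "proprietary"}  # classifications that must not leave their pattern
VOLUME_FACTOR = 5                   # assumed threshold: 5x baseline on a known path

# Constructed flow records for one window: (source, destination, egress point, bytes).
FLOWS = [
    ("10.0.5.10", "10.0.7.15", "lan", 40_000),
    ("10.0.5.10", "172.16.4.8", "wan", 9_000_000),       # known WAN path, abnormal volume
    ("10.0.5.20", "203.0.113.77", "internet", 2_000_000),
    ("10.0.5.10", "10.0.8.99", "wireless", 300_000),
    ("10.0.9.30", "198.51.100.5", "internet", 10_000),   # not a watched classification
    ("10.0.5.20", "10.0.7.40", "lan", 100_000),
    ("10.0.5.20", "10.0.7.40", "lan", 100_000),
]

def find_violations(flows):
    """Return (asset, destination, egress, reason) for watched data leaving its pattern."""
    totals = defaultdict(int)
    for src, dst, egress, nbytes in flows:
        totals[(src, dst, egress)] += nbytes  # aggregate per path within the window
    alerts = []
    for (src, dst, egress), total in sorted(totals.items()):
        asset = INVENTORY.get(src)
        if asset is None or asset["classification"] not in WATCHED:
            continue  # sources missing from the inventory are invisible to this check
        baseline = EXPECTED.get((src, dst, egress))
        if baseline is None:
            reason = "unexpected-path"  # data moving where it never should
        elif total > VOLUME_FACTOR * baseline:
            reason = "volume"           # expected path, abnormal amount
        else:
            continue
        alerts.append((asset["name"], dst, egress, reason))
    return alerts

if __name__ == "__main__":
    for alert in find_violations(FLOWS):
        print(alert)
```

The WAN alert fires on a path that is in the baseline, which is the case Kindervag warns about: a link treated as secure still has to be measured against the expected pattern.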
Companies also need to look closely at internal users, he added. "A certain percentage of them are likely malicious actors who've been bribed to provide toxic data to a competitor or are moles sent in to do cyberespionage."
To cope with social engineering, network security will eventually need to become less reliant on human behavior -- delinking users from any conscious authentication.
"Analytics are helping us look at behavior in the background to try to understand the context of movements within the network," said Cohen. "But big data and analytics can help us delink the human conscious behavior. By looking at the behavior, where the data is traveling and who's talking to whom, we can use that behavior to know if we've been targeted or attacked."
It's also time to move beyond passwords, which can be socially engineered with the simplest phishing attack. Even using two-factor authentication with an ID token is not enough. "If someone's infected your machine with malware, they can request your token code with a screen that looks completely legit," noted Cohen. "This is an important piece of the puzzle; we can't base two-factor authentication on conscious human behavior."
Apple has already ventured into biometric authentication via fingerprinting for the iPhone. By combining biometrics with other authentication parameters, it may become possible in the future to form an authenticated identity that can't be socially engineered.
Another big frontier to watch is the Internet of Things as it rolls out in cities. Keep in mind that as soon as your light bulb, or for that matter anything inside your house, has an IP address, it automatically becomes part of an attack surface. "The Internet of Things is really more the 'Internet of IP addresses,'" Kindervag noted.
The bottom line is that you can fight against a social-engineering attack, but social engineering isn't going away. As Michele Fincher, chief influencing agent at Social-Engineer, sums it up: "Many of the decisions we make come from basic human nature and behavior, and we're reacting as humans react. Good social engineers really understand how to work with that, and it's something technology can't keep you safe from."
About the author:
Sally Johnson is a technology and science journalist. Previously, she was the features writer for TechTarget's networking media and security media groups.