
Social Engineering: Easier Than Ever Thanks to Social Media

Social engineering continues to be a popular tool for hackers with a thirst for exploitable information

Human nature being what it is, social engineering is here to stay. It’s too effective a tool for hackers in their ongoing quest for exploitable information. The DEF CON 18 conference in Las Vegas last month featured a live demonstration of a social engineering scheme that provided some useful insights. Among them:

1. How easy it is for strangers to obtain sensitive information over the phone, if they have a good story and ask for help with a problem,

2. How even high-tech employees can fall prey to social engineering schemes,

3. How human beings are still the weakest link in the security chain, primarily due to their inherent sense of trust and desire to be helpful to someone in need, and

4. How few employers recognize that fact and take appropriate security actions to protect their companies.

According to Chris Hadnagy, operations manager at Offensive Security, which organized the demonstration, social engineering is "any act where you try to manipulate a person to accomplish a goal" where the goal "may or may not be in the target's interest." Wikipedia describes social engineering as "the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access. In most cases the attacker never comes face-to-face with the victim."

Describing the scope of personal vulnerability today in an interview with CNET, Hadnagy explained: “People use social media to such an extent that their whole lives are on the Web. With sites like Blippy, which people can tie into their Twitter and Facebook accounts, and it in essence tweets every time you use a credit card or bank account, and it tweets what you've purchased and the amount. So you can go to these sites, find someone on Twitter, link them to a Blippy account and to Facebook and now you have their pictures, what they like to buy, what restaurants they go to, when they leave the house, when they work. And within an hour you can have a very detailed profile of a company or an individual based on the amount of social media they use.”

Asked if most social engineering exploits are conducted online today rather than over the phone, Hadnagy replied that the majority of known attacks are online, as well as large phishing scams, but he cautioned that “every day people are stealing corporate secrets through dumpster diving and other more direct methods."

Don't Get Caught in the Net

Keeping software patches up-to-date and browser versions current are important safeguards against social engineering schemes, but the best defense is user education, as any security expert will tell you. Every employer should incorporate effective social engineering awareness training into its security training program and security policies. Live role-playing can be highly effective in demonstrating how easy it is for an employee to become an unwitting victim. Reviewing a broad range of examples can help employees really understand how social engineering works. Conducting a staged social engineering scheme within the organization can drive the point home.

SECNAP can help design social engineering training, and can conduct social engineering assessments to help employers understand the scope of the vulnerability at their organizations and to recommend remediation measures.


Request a free social engineering assessment consultation
