Social Engineering Q&A: How to Strengthen Your Network Security
According to IBM research, in 2016 about 71 percent of reported cyberattacks in the healthcare industry and 57 percent of cyberattacks in the financial services industry depended on the actions of employees who had unintentionally compromised the network security of their organizations.
Ben Goodman, an offensive security certified professional with Sword & Shield, helps assess the vulnerability of our clients through our social engineering services. We sat down with Ben to talk about the most important lessons he has learned during these assessments to give you insights to help you strengthen your network security.
What are some social engineering techniques that tend to be successful?
I’ve been most successful with email phishing and telephone pretexting. I’ve also had success with USB drops, although not as often.
The type of phishing we use most frequently would technically be identified as spear phishing, as we target the specific organization in our engagements. I like to do a lot of research of the target organization and get as much information as I can on the most trusted individuals such as HR, procurement, or IT personnel. A lot of this information is readily available on social media sites, such as LinkedIn or Facebook.
I also try to get as much information as I can on any third-party vendors that an organization uses such as benefit providers or office supply companies. From there I will craft a message, posing as one of the trusted individuals, to specific employees within the organization. The message will state that unless action is taken, such as clicking a link or filling out a form online, the recipient would lose out on payroll, benefits, or recently ordered supplies. The sense of urgency coupled with the spoofed identity of the trusted individual usually leads to a lot of clicked links. This is a valuable exercise since this type of phishing is how most ransomware is spread.
Telephone pretexting engagements typically start out the same way. I try to get as much information as I can on the target organization, but this time I also need to do more intensive research on the target individuals and departments. Social media is also a big help here because I can get an idea of a target’s hobbies and interests to drum up small talk and build trust. I used to work in helpdesk/IT support so it’s easy for me to pose as a member of an IT team and get that person to visit a fake web page and enter login information.
One engagement comes to mind where I posed as an outsourced web developer testing a new webmail portal. I informed the IT employee that the IT director wanted me to call and have the login form tested. The login form was a website I created that captured the person’s username and password. When questioned, I pressured the employee by saying I would report directly to the director (I had the director’s name from LinkedIn). The employee quickly asked for the URL of the website and provided network credentials.
What is the best way to defend the enterprise against social engineering?
Developing a better security culture through user awareness and training is the most critical factor in defending against social engineering. If you receive a suspicious email from a trusted individual, contact this person to verify. The same verification is needed with pretexting: Phone numbers are often spoofed, so one thing you can do to verify is to terminate the call and call the number back before giving any information or following any instructions.
Another thing to consider when trying to strengthen your network security is being mindful of your organization’s presence on the Internet and how much information is out there for the public to see. During one of my pretexting engagements, I was tasked with making calls to a call center trying to elicit customer data. This organization had public reviews enabled on its Facebook page.
This allowed me to grab a handful of customer names and, after a little research, gather additional public info on these customers such as mailing addresses and phone numbers. With this information, I was able to bypass the call center’s customer verification process and get more sensitive information like social security numbers and dates of birth.
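The verification habit Ben recommends (contact the apparent sender out of band) can be backed by a mail-gateway check that flags the two patterns his phishing engagements rely on: a trusted display name on a message whose address or authentication results do not match, and an urgent call to action riding on that mismatch. The script below is an added example, not code from the interview or from Sword & Shield; the trusted-sender roster, the internal domain, the urgency phrases and the three sample messages are all constructed for illustration.

```python
"""Flag inbound mail whose display name impersonates a trusted person or whose
internal sender fails SPF/DKIM/DMARC, then note when an urgent lure rides on it.

Added example with constructed data; roster, domain and messages are assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed roster: lower-cased display name -> the address it should come from.
TRUSTED_SENDERS = {
    "jane doe": "jane.doe@example.com",        # HR
    "it helpdesk": "helpdesk@example.com",     # IT support
}
INTERNAL_DOMAINS = {"example.com"}

# Constructed phrases typical of the "act now or lose payroll/benefits" lure.
URGENCY_WORDS = ("immediately", "within 24 hours", "or lose", "urgent")


def parse_auth_results(value):
    """Pull spf=/dkim=/dmarc= verdicts out of an Authentication-Results header."""
    results = {}
    for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value or "", re.I):
        results[mech.lower()] = verdict.lower()
    return results


def assess_message(raw):
    """Return a list of findings for one RFC 822 message; empty list means clean."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    findings = []

    # 1. Trusted display name, but the address behind it is not the roster address.
    expected = TRUSTED_SENDERS.get(display.strip().lower())
    if expected and addr != expected:
        findings.append(f"display name '{display}' is trusted but address is {addr}")

    # 2. Claims to be from our own domain, yet the gateway did not authenticate it.
    if domain in INTERNAL_DOMAINS:
        for mech in ("spf", "dkim", "dmarc"):
            if auth.get(mech) != "pass":
                findings.append(f"{mech}={auth.get(mech, 'missing')} for internal domain {domain}")

    # 3. Replies are silently redirected somewhere other than the visible sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        findings.append(f"Reply-To {reply_to} differs from From {addr}")

    # 4. Urgency alone is normal business mail; urgency plus a sender anomaly is the lure.
    body = msg.get_payload(decode=True) or b""
    text = body.decode("utf-8", "replace").lower()
    if findings and any(w in text for w in URGENCY_WORDS):
        findings.append("urgent call to action combined with sender anomalies")
    return findings


# Constructed samples: a look-alike vendor domain, a legitimate HR reminder, and an
# exact-domain spoof that fails authentication.
SPOOFED_VENDOR = """From: Jane Doe <jane.doe@hr-benefits-portal.net>
Reply-To: enroll@hr-benefits-portal.net
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=hr-benefits-portal.net; dkim=none; dmarc=none
Subject: Action required: benefits enrollment
Content-Type: text/plain

Update your enrollment immediately or lose coverage for this year.
"""

LEGIT_HR = """From: Jane Doe <jane.doe@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass
Subject: Benefits enrollment reminder
Content-Type: text/plain

Open enrollment closes next month; details are on the intranet page.
"""

SPOOFED_INTERNAL = """From: IT Helpdesk <helpdesk@example.com>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail
Subject: Password expiry
Content-Type: text/plain

Your password expires within 24 hours. Confirm your account on the new portal.
"""

if __name__ == "__main__":
    for name, sample in [("vendor look-alike", SPOOFED_VENDOR),
                         ("legitimate HR mail", LEGIT_HR),
                         ("internal-domain spoof", SPOOFED_INTERNAL)]:
        print(name, "->", assess_message(sample) or "clean")
```

The urgency phrases are deliberately only reported on top of a sender anomaly, so a genuine "payroll closes today" reminder from the real HR address is not flagged; the point of the check is to surface exactly the combination (spoofed identity plus pressure) that Ben says earns the clicks, and to hand the recipient a concrete reason to pick up the phone.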
Do you think there will ever be better technical defenses against social engineering attacks?
The technology can always improve as time goes on, but I really think social engineering will always work because the weakest link—the human—is being hacked, not the technology.