Petya Petrova - Fotolia
Social engineering attacks are more complex than ever before as security technologies improve, according to Jenny Radcliffe, director and head of training and consultancy at Jenny Radcliffe Training.
Social engineering aimed at exploiting people as the weakest link in the information security chain takes many forms including physical access to buildings, email phishing and telephone calls.
This approach is increasingly common as organisations deploy a wider range of effective information security systems and controls, particularly as a way of getting inside an organisation’s network.
“But we are also beginning to see a new breed of attackers who appear to be trained in psychology, and are using that in new and effective ways to get people in organisations to help them circumvent security controls,” Radcliffe told Computer Weekly.
“Attackers are no longer concerned with the technical controls, but instead get insiders to help by engaging with them and building trust relationships,” she said.
Although still relatively simple in conception, Radcliffe said these attacks are beginning to be more informed and backed by a level of complexity and planning that has not been seen before.
This planning typically involves building a profile of the target organisation and its employees using sources such as corporate websites, industry forums and social media sites, including Facebook, Twitter and LinkedIn.
“Attackers will then seek to build a trust relationship with an individual or individuals within the organisation over a long time, using the principles of influence and other academic ways of building trust,” said Radcliffe.
This makes it possible for attackers to identify the easiest way in and to manipulate employees of an organisation to help them gain access to the information they seek.
New style of attacks difficult to detect
According to Radcliffe, the easiest way into an organisation can often be simply by making an appointment to see someone on a business-related pretext and then use the opportunity to gain more intelligence about the organisation or to secure another way in by dropping malware on the network.
“There is a move away from the standard, textbook-style social engineering attacks to a greater reliance on things like linguistics, psychology and personal motivation, which makes this new style of attacks more difficult to detect and defend against,” she said.
Read more about social engineering
The best defence against this more sophisticated approach, said Radcliffe, is to recognise that this is how attackers are operating and to ensure employees are wary of any new acquaintances who are instantly likeable.
“There are very few people who can build trust and rapport very rapidly, so any new acquaintances who appears to be doing that should be regarded with a healthy degree of suspicion,” she said.
“Employees should be trained to be wary of anyone who seems particularly easy to talk to and who seems particularly interested in them, their jobs and their organisation.”
Radcliffe said that everyone who does that is not necessarily an attacker, but it is unusual and employees should be trained to recognise unusual behaviour, and to be careful about what they disclose and how they co-operate with outsiders.
Employees should also be wary of things like job offers from unknown people who are keen to discuss their current role, experience and areas of expertise, said Radcliffe.
“People seldom say no to opportunities, but this is one way attackers can use to engage employees of an organisation to find out what kinds of information security systems are deployed,” she said.
Examining culture and psychology of organisations
According to Radcliffe, serious attackers are also now looking at organisations as if they were people and examining their culture or psychology to determine what weaknesses can be exploited.
“For example, many large enterprises tend to bully smaller businesses in their supply chains and make the mistake of assuming smaller organisations will want to do business with them.
“Arrogance like that makes organisations predictable, which means that social engineers can behave as expected, and if an attacker can be the person they expect, they tend to trust that familiar persona the attacker is presenting without question, and therein lies the vulnerability,” she said.
Big enterprises that assume that everyone wants to do business with them typically do not court suppliers, said Radcliffe.
“They just talk about what suppliers can do for them, so if anyone were to present falsely as someone who is ready to do things for them, they would see that as normal, so that psychological profile of an organisations can be dangerous, because it means they are less likely to suspect anything” she said.
According to Radcliffe, even though most people in organisations are aware of the corporate culture, they typically do not take that into account when planning a security strategy.
“It is glib to say that you need to think like an attacker, but you really do, and the way to do that is to think of the culture of the company and what it is about that culture that could make the organisation vulnerable to social engineering attacks,” she said.
Information security professionals should therefore identify what people in the organisation are likely to expect and least likely to question, said Radcliffe, and realise that is exactly the type of thing attackers are likely to exploit.
Employee skills only differentiator in blocking attacks
As more and more avenues of attack are blocked by information security systems, she said, the only differentiator organisations are going to be left with is the skills of their employees to detect and block social engineering attacks.
“Information security professionals must not fall into the trap of seeing themselves as someone who works only with data and computers. Anything they design has to bear people in mind. Machines are not attacking organisations, it is the people behind the machines,” said Radcliffe.
This means that it is essential for information security professionals to understand the nature of the attackers and that the way that attackers will attempt to get past defences is likely to be intimately connected to the “personality” of the business.
“That will inform the type of attack that faces an organisation. A small business that is really friendly will be attacked on that front, and if you are a large business with lots of suppliers and customers, then that is the way they will attack,” said Radcliffe.
“Information security professionals need to understand how things are changing, that they need to stop thinking along tramlines, and that technology and people are connected all the way through, and that everything they do must take that human element into account,” she added.
According to Radcliffe, social engineering is not simply about phishing emails anymore; it is about attackers knowing organisations and people so well that they can get people to help compromise their own organisations.
“The best chance at defence, then, is for organisations to recognise that they cannot protect against everything because every attack is different, and to make employees aware of the new kinds of sophisticated social engineering attacks that are taking place and what to look out for,” she said.