Let’s analyze an example from Kevin Mitnick’s book, ‘The Art of Deception’, and identify together the techniques that are used. Our example is a phone call between an accountant called Mary and a hacker who plays the role of a helpdesk employee.
Mary: Thank God! My computer is running, and everything seems to be working normally.
The Hacker: I’m glad I could make sure you’ll be able to use your computer okay. And listen, we just installed an update that allows people to change their passwords. Would you be willing to take a couple of minutes with me so I can see if we got it working right?
Mary: Yes sure!
The Hacker: Now go ahead and enter your password. But remember not to say it out loud.
Just for this quick test, when it asks for your new password, enter ‘test123.’ Then type it again in the Verification box and click Enter.
The hacker then quickly logged onto the system with the same temporary password that Mary had used, test123, and installed a small program that let him access the company’s computer system whenever he wanted, using a secret password of his own.
One of the most important steps in social engineering is to appear trustworthy, because this is what makes the victim hand the social engineer valuable information for the attack. There are many ways to gain credibility, and one of them appears in our example: simply giving the target advice, even advice that works against the social engineer himself:
The hacker tells Mary, “Now, go ahead and type your password but don’t tell me what it is. You should never tell anybody your password, not even tech support.” He just wants to build trust. Checking the computer actually means nothing to him; he only uses it to build trust and prepare the victim for the hacking step. When someone gives us advice that might work against them, we feel that they are good people who want only to help us and expect nothing in return.
It means that we as human beings feel that we can’t refuse to help someone because they helped us before. This is exactly what the hacker does with Mary, who would be in trouble if her computer stopped working and she couldn’t do her tasks.
He puts her in this situation when he checks the computer for her to find any problems, as he says, so that she feels grateful to him. She then can’t refuse his request to try the program that changes passwords.
All of us are likely to act without thinking when we feel some trouble is about to happen. We think only about solving the problem, so we just do what we are asked to do without arguing.
In the previous example, the hacker tells Mary that some employees have complained about trouble with their computers, so he has to check whether hers is working. Thinking about her tasks and what might happen if her computer were down all day, Mary accepts immediately!
This is simply obeying instructions because you are ignorant of the situation and of what to do. Combined with the image of an expert that you are building up for the attacker (the human weakness of Trapping the Role), you are even more likely to obey the instructions. Mary, in the example, does not know what she could do if her computer went down, and imagining herself left without work because she can’t solve the problem, she immediately agrees to what the hacker tells her.
Unfortunately, mitigating social engineering attacks is more complex than mitigating technical attacks because it depends on people themselves. It depends on our nature, which we cannot always change.
However, there are some measures managers can take to mitigate such attacks, and don’t be shocked when I tell you that they will not be in place within two weeks or even a month. They are long-term solutions, which means that you need to apply them permanently and test them again and again to ensure they are working well enough to protect your company’s data.
Can we fight something we don’t know? Never! So employees should know how to identify social engineering attacks in order to apply your policy. The training program should begin by teaching them the different forms of social engineering attacks: phishing, smishing, and vishing.
Some employees and even you as a manager may say, “No! I think it’s far away from me.”
Sometimes we have a strange feeling that danger is far away from us. To get rid of that feeling, give employees real cases of social engineering attacks so they are convinced that such attacks really exist and have already hit big companies.
If you just take the human weaknesses mentioned above and tell your employees “don’t trust people, don’t like them,” and so on, it will not change anything, because it is not easy to change human nature, and we certainly don’t have to give up our good qualities to protect ourselves.
Instead, consider the case study Christopher Hadnagy describes in his book ‘The Science of Human Hacking’: a financial institution that applied an excellent policy to protect employees from social engineers.
They made a real, actionable policy: “You are not allowed to give any information out to unauthenticated users.” And they didn’t stop there. They defined both what counts as valuable information and how to authenticate users properly. Then they did one more thing that made a huge difference: they disabled the employees’ ability to move past this first stage if the authentication questions were not answered properly.
You can contract a penetration testing firm to conduct regular social engineering tests against employees, including IT staff.
The benefits of testing are: