Social engineering
There was once an infamous computer-related ‘inconvenience’ known as the Millennium Bug. This bug (a.k.a. the Y2K or Year 2000 Bug) caused many to live in dread of what, looking back, was no more than a supremely hyped matter about an existing programming “bug” residing in the older population of computers and network equipment at the time. At the stroke of midnight, while the world celebrated its next step from day 30/12/99, an ‘earth-abolishing computer-based asteroid’ was to reset (short year) dates from 99 to 00 and bring the entire computer-driven world to a grinding halt.
A confounding $300-$600 billion is said to have been spent worldwide in the years preceding 2000 on various upgrades and patch fixes. Unlike the dinosaurs, however, mankind was spared its imminent abolishment and went on to prosper for days and decades ahead.
For the world to have by and large spent so much on what turned out to be mostly ‘hype’ is what I see as an extortionately expensive story of hope. To me, it showed that spending nothing to protect oneself is still possible in today’s world, at least when it comes to avoiding becoming the next victim(s) of social engineering orchestrations.
Taking each word independently, my definition of ‘social’ is the interactions and connections built throughout life with which humans form bonds that keep them feeling safe, with a sense of belonging. ‘Engineering’, on the other hand, is the science behind the practical application of knowledge and principles from various disciplines, used to create, construct, and/or achieve particular objectives.
Therefore, social engineering can be defined as the process by which a connection is sought with an individual or subject with the resolve to construct an outcome which may or may not be beneficial to the subject. The reason I say ‘may or may not’ is that social engineering in itself is not a bad thing. Like a weapon, however, it can be used for achieving wicked objectives.
Social engineering is part of a science about how humans live their lives. From a very young age, children use social engineering techniques to convince their parents to say ‘yes’ to their desired outcomes. Medical doctors use social engineering techniques to persuade their patients to follow their advice for what they - as professionals - feel is for the wellbeing of their subjects (patients). Similarly, teachers, lawyers, and counsellors apply social engineering techniques to manipulate the mind-set of their subjects (clients) to follow a particular course of action(s) which will be beneficial to them in the long run.
Unfortunately for the good guys, the bad guys are progressively sharpening their social engineering techniques and are improving their ability to manipulate people to their benefit. The cyber threat they pose is to individuals and organisations alike, and it no longer takes the form of a man’s silhouette, sitting in the corner of a dark room on the other side of the planet, behind a screen and wearing a hoodie. The threat is an actual person you can hear or see, with enough confidence to pick up the phone (or be seen in public) and advocate to perfect strangers in order to influence the way in which they act and react.
For example, earlier this year, the Federal Bureau of Investigation (better known by its acronym, FBI) was itself the victim of a targeted social engineering attack which resulted in thousands of names, surnames, phone numbers, email addresses and job descriptions of some 20,000 FBI agents and 9,000 Homeland Security employees being leaked. It seems that, after compromising a single email address, the attacker made a single phone call to the Department of Justice customer desk itself, pretending to be a new employee who was clueless about how to get around the huge web portal. The person on the other end of the line allegedly asked whether they had been assigned a token for portal access. The attacker admitted he hadn’t. The person at the other end (the subject) was quoted by the hacker to have replied, “That’s ok, you can just use mine”. The token provided the attacker with full access to the entire Department of Justice intranet, which hosted over 1024 GB of data. Due to time constraints, the hacker only managed to set off with a measly 200 GB of data about FBI and Homeland Security subjects.
The exploit here is simple. One must assume that hundreds of similar calls are possibly received on those numbers on a monthly basis. Being suspicious about each or any of them would in itself be a drain on productivity. However, it turns out that this was the one call they should have been suspicious about, because it was the one which endangered close to 30,000 subjects and their families. This cannot but make you question why such an event played out the way it did, in the end, at such a respected institution.
The data leaked was not about financial gain. It was mostly a reputational attack. The data was later released (leaked) free of charge on the ‘Dark Web’. The archive password was “LOL” (laugh out loud)! Social engineering is a technique many hackers are now progressing to because software is becoming more ‘hardened’ (secure) out of the box. Remote hacking is also becoming more difficult and therefore more time consuming, with slower returns. Social engineering is an acquired skill by means of which identity theft, data leaks, and scam manipulations are becoming more frequent.
From a psychological perspective, the solution to this phenomenon is education. In terms of an organisation’s approach, education should be given to employees, free of charge, to protect the organisation and themselves. From a controls perspective, one can apply remote authentication procedures, two-factor authentication policies, data isolation, data classification, least-privilege principles, rigid access controls, role-based access controls and enterprise identity management systems. However, the bare-bones certainty about social engineering is that there exists no single technological implementation which can be installed to prevent it. It’s all about defence in depth, risk management and mitigation, controls, verified trust, operational processes and the people who operate them.