Mike Winslow, Senior IAM Consultant, SecureITsource, Inc.
In today’s world of technology, Social Engineering is a common topic. Many articles and websites are devoted to the subject and include tips on how to avoid becoming a victim. But is knowledge of the topic enough to protect you? The truth is that you may be more susceptible than you think. Hopefully this article will give you a few things to think about and prompt you to search out more information on your own. There is no way I can cover every important aspect of Social Engineering within the scope of this article, but I can give you some lesser-known ideas that will better protect you from becoming a victim.
Social Engineering isn’t something new. In fact, it could be said that it is the very first type of deception created. If you have read the Old Testament you know all about Adam and Eve and their adventures in the Garden of Eden. They had the run of the place with no responsibilities other than the one rule they had to keep: do not eat the fruit of the Tree of Knowledge. All went well for a while until Eve befriended a talking snake. The snake wanted to disrupt God’s plan by causing Adam and Eve to fail. (Social hacktivism?) After a series of conversations with the snake, Eve was convinced that nothing bad would happen if she ate the fruit. In fact, the snake promised her she would become as knowledgeable as God himself. Well, we all know what happens next. Eve eats the fruit and convinces Adam to do the same, which brings God down to see what they have done. As punishment, Adam and Eve are kicked out of the garden to live in the mean, cruel world, where they are forced to provide for themselves by the sweat of their brows.
A more recent example of a Social Engineer is Thomas Blood. When talking about Social Engineers it is often said that they are trying to gain the keys to the kingdom and steal the Crown Jewels. Well, in the 17th century Thomas Blood actually did use Social Engineering to steal the actual Crown Jewels. At the time, the jewels were stored in the basement of the Tower of London behind a metal grille. By paying the custodian you could go down to the basement and view the jewels. Blood, dressed as a parson, and his wife paid to view the jewels, and while doing so his wife pretended to become sick and asked for some “spirits”. Because the custodian lived in the tower, he invited the Bloods to his apartment so she could recover. Over the next few weeks the Bloods returned numerous times and became friends with the custodian and his wife. The Bloods even made an offer for a fictitious nephew of Blood’s to marry the custodian’s daughter.
On the day of the theft, Blood and his accomplices came for dinner with the custodian, and Blood convinced him to show his friends the jewels while they were waiting for dinner to be ready. Once in the basement they bound and beat the custodian, took the keys, and stole the Crown Jewels. They used a mallet to flatten the crown so they could conceal it, while another conspirator filed the Scepter with the Cross into two pieces. The custodian was more resilient than they thought; he fought back and sounded the alarm. As they made their escape they dropped the jewels, which were recovered, although badly damaged. Blood was captured immediately and his co-conspirators a short time later. It is interesting to note, however, that none of the conspirators were punished; in fact Blood was pardoned by King Charles and became a friend.
In today’s world of Social Engineering things don’t get quite so physical, but the goal is the same. The Social Engineer wants something you have that they feel is of value: company secrets, access to financial accounts, a platform for making social statements, or a way to damage someone’s reputation as an act of revenge. Whatever the reason, the Social Engineer is going to try to manipulate, influence, or deceive you in order to gain control over your computer or company network. Pretexting, Phishing, and Spear Phishing are three common methods used to accomplish that goal.
Pretexting is the use of an invented scenario to engage the victim and increase the odds that the victim will bite. It depends on the engineer having some piece of accurate data about the user, such as a date of birth, a Social Security number, or even former passwords and email addresses. Providing something accurate helps convince the target that the request is legitimate.
Phishing is the use of email to try to steal passwords, usernames, credit card numbers, etc. It is usually done via bulk emails with the hope of snaring as many targets as possible. It isn’t targeted at any one person, company, or group. It is known as “spray and pray” and does not require the engineer to have sophisticated hacking skills.
Spear Phishing is similar to phishing except that it is a smaller, focused attack that is carried out with the intent to penetrate a specific person or organization. This type of attack requires the engineer to do a large amount of research on the target to gather as much information as they can to help with the attack.
Both phishing and spear phishing use emails with some kind of fraudulent link or payload that, when clicked, can download malware or gather information such as password hashes. Some even embed a UNC path; when the mail client resolves it, the workstation opens an outbound connection on the NetBIOS/SMB ports (139 and 445) and can send information back to the engineer. This can happen merely by opening the email. You don’t need to click on a thing if the email is sophisticated enough.
All of these methods require some sort of research in order to successfully carry out the attack, and most of that research can be done via legal open source intelligence gathering (OSINT). For example, the website https://pipl.com lets you enter a person’s email address and get all kinds of public information about that person. I put in my personal email address and it returned my current job, education, username, age, known associates, and some other information that requires payment to access. More than enough to start a targeted attack against me.
Another source of information is sites that contain breached data and show current or previous usernames and passwords. If I were able to get your previous password and then called you, identifying myself as the IT help desk with concerns about the security of your account, you might be suspicious. But when I next tell you what your previous password was and how it wasn’t strong enough, you may be more willing to believe me and provide the information I’m looking for.
LinkedIn is another good source of research that the engineer will use. It is easy to go to LinkedIn and search for all the employees of the target company. Many of the people listed will have specific information about their current job, role, or company email. It may seem harmless to you to list that information. After all, you’re on LinkedIn to network with others in your industry and career field, and the more information you provide the better contacts you will create. But in the hands of an engineer, all of it becomes information to be exploited.
A study by Trend Micro back in November 2012 found that 91% of cyberattacks begin with a “spear phishing” email. No matter what kinds of security you or your company have in place, it all comes back to the end user being smart, aware, and educated regarding Social Engineering. You have to know what a phishing email looks like. They are becoming more and more sophisticated every day, so never think that you know it all and are fully aware of all of their tricks. KnowBe4, which lists Kevin Mitnick as its Chief Hacking Officer (if you don’t know who Kevin is, I would highly recommend you google his name!), has a good infographic on its website that details the red flags you need to be aware of when judging the validity of an email. I would suggest you review it, as it provides some valuable information.
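The kind of red-flag review described above, together with the embedded-UNC trick from the phishing paragraph, can be automated on the receiving side. The following is an added example written for this article; it is not the author’s code and not KnowBe4’s infographic. It parses a constructed sample message (all addresses and hosts are placeholders) and reports a mismatched Reply-To domain, a display name that claims to be internal staff while the address is external, a link whose visible text points somewhere other than its real href, and any `\\host\share` or `file://` reference that would make a mail client reach out over SMB ports 139/445.

```python
"""Red-flag checks for an inbound email (added illustration, not the page's code).

Assumptions: the message is raw RFC 5322 text with an HTML or plain body, and
the checks are the ones the article names. Sample messages are constructed.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample: a spoofed help-desk mail with a deceptive link and a
# 1x1 image whose src is a UNC path (would trigger an outbound SMB connection).
SAMPLE_EMAIL = """\
From: "IT Help Desk" <helpdesk@example-mailer.net>
Reply-To: recovery@example-throwaway.org
To: alice@example.com
Subject: Action required: password policy update
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your previous password was too weak. Please confirm your account at
<a href="http://example-throwaway.org/login">https://portal.example.com/login</a>.</p>
<img src="\\\\203.0.113.5\\share\\logo.png" width="1" height="1">
</body></html>
"""

# Constructed benign sample for comparison: internal sender, plain text, same-host link.
CLEAN_EMAIL = """\
From: "Payroll" <payroll@example.com>
To: alice@example.com
Subject: Pay stubs available
Content-Type: text/plain; charset="utf-8"

Your pay stub is available at https://portal.example.com/payroll
"""

# \\host\share\path  or  file://...   (the UNC/file references the article warns about)
UNC_RE = re.compile(r"(?:\\\\[\w.-]+\\[^\s\"'<>]+)|(?:file://[^\s\"'<>]+)", re.IGNORECASE)
INTERNAL_ROLE_RE = re.compile(r"help ?desk|it support|security", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL-looking string, or '' if it is not a URL."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/?#]+)", url.strip(), re.IGNORECASE)
    return m.group(1).lower() if m else ""


def _domain(header_value):
    """Domain part of the first address in a header value."""
    return parseaddr(str(header_value))[1].rsplit("@", 1)[-1].lower()


def red_flags(raw_message):
    """Return a list of human-readable red flags found in the message (empty if none)."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []
    from_value = str(msg.get("From", ""))
    name, addr = parseaddr(from_value)
    from_domain, to_domain = _domain(from_value), _domain(msg.get("To", ""))

    reply_to = str(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        flags.append(f"reply-to domain {_domain(reply_to)} differs from sender domain {from_domain}")

    if to_domain and from_domain != to_domain and INTERNAL_ROLE_RE.search(name):
        flags.append(f"display name '{name}' suggests internal staff but address is {addr}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""

    collector = _LinkCollector()
    collector.feed(text)
    for href, visible in collector.links:
        shown, real = _host(visible), _host(href)
        if shown and real and shown != real:
            flags.append(f"link text shows {shown} but points to {real}")

    for ref in sorted(set(UNC_RE.findall(text))):
        flags.append(f"embedded UNC/file reference {ref} (would trigger outbound SMB on 139/445)")
    return flags


if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, red_flags(sample))
```

Each check is deliberately narrow and explainable, so the output can be shown to the recipient as training rather than silently dropped; the UNC check in particular is worth pairing with an egress firewall rule that blocks outbound 139/445 to the internet, since that closes the channel regardless of whether the user opens the mail.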
Going back to the end game of the Social Engineer, remember that they are going through all of this research and engineering in order to find a way into your network. They’re looking for the keys to the kingdom. Because the human factor is difficult to control, it is important to mitigate it by implementing other forms of cyber-security. If they are trying to obtain usernames and passwords, then it is obvious that you need a way to protect those credentials that bypasses human error. There are a number of products in the Privileged Access Management sector that do a good job of just that. Thycotic, BeyondTrust, Centrify, and CyberArk are a few of the products currently on the market. A recent report by Forrester listed CyberArk as the market leader. Since CyberArk is the product I work with in my role as an IAM Consultant I am obviously biased. But I also believe that CyberArk is the market leader and that it has a number of tools that can prevent human error and lapses of judgement from allowing the keys to your kingdom to be compromised. From controlling access to passwords so that the password is never revealed to the user, to privileged session management that connects the end user to the target system through a sandboxed server, thus preventing keylogging, screen logging, and other malware from secretly gathering data and infecting the target, CyberArk stands as a strong defense in protecting your network environment and company information from modern day snakes.
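To make the two properties above concrete, namely that the user never sees the privileged password and that every use goes through a broker that authenticates on the user’s behalf and records it, here is an added illustration of the pattern written for this article. It is not CyberArk’s API or product code, nor the author’s; the target system, users, roles and secret are all constructed.

```python
"""Minimal credential-broker pattern (added illustration, not a vendor API).

The broker holds the secret, checks policy, authenticates to the target itself,
and hands the user a session handle that can run commands but carries no
password. Every request is appended to an audit log. Everything here is simulated.
"""
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class AuditRecord:
    when: str
    user: str
    target: str
    action: str
    outcome: str


class SimulatedTarget:
    """Stand-in for a server that accepts a username/password login (constructed)."""

    def __init__(self, host, account, password):
        self.host, self.account, self._password = host, account, password

    def login(self, account, password):
        # constant-time comparison, as a real service should use
        if account != self.account or not hmac.compare_digest(password, self._password):
            raise PermissionError(f"{self.host}: bad credentials for {account}")

    def run(self, cmd):
        return f"[{self.host}] {cmd}: ok"


class ProxiedSession:
    """What the end user receives: it can run commands, but holds no secret."""

    def __init__(self, session_id, runner):
        self.session_id = session_id
        self._run = runner  # closure over the authenticated target, not the password

    def run(self, cmd):
        return self._run(cmd)


class CredentialBroker:
    def __init__(self):
        self._vault = {}    # host -> (account, password); never returned to callers
        self._targets = {}  # host -> SimulatedTarget
        self._policy = {}   # user -> set of hosts the user may reach
        self.audit = []

    def store(self, target, account, password):
        self._vault[target.host] = (account, password)
        self._targets[target.host] = target

    def grant(self, user, host):
        self._policy.setdefault(user, set()).add(host)

    def _log(self, user, host, action, outcome):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append(AuditRecord(stamp, user, host, action, outcome))

    def open_session(self, user, host):
        """Authorize the user, log in to the target as the broker, return a handle."""
        if host not in self._policy.get(user, ()):
            self._log(user, host, "open_session", "denied")
            raise PermissionError(f"{user} is not permitted to reach {host}")
        account, password = self._vault[host]
        target = self._targets[host]
        target.login(account, password)  # the broker authenticates, not the user
        session_id = secrets.token_hex(8)
        self._log(user, host, "open_session", f"granted {session_id}")

        def runner(cmd):
            self._log(user, host, "run", cmd)
            return target.run(cmd)

        return ProxiedSession(session_id, runner)


def demo():
    """Set up one target and two users; return what each user can observe."""
    broker = CredentialBroker()
    host = "db01.example.internal"
    broker.store(SimulatedTarget(host, "root", "constructed-secret"), "root", "constructed-secret")
    broker.grant("alice", host)
    session = broker.open_session("alice", host)
    output = session.run("show status")
    try:
        broker.open_session("mallory", host)
        mallory = "allowed"
    except PermissionError:
        mallory = "denied"
    # the handle Alice holds contains no attribute equal to the stored password
    leaked = any(v == "constructed-secret" for v in vars(session).values())
    return output, mallory, leaked, [r.action + ":" + r.outcome for r in broker.audit]


if __name__ == "__main__":
    print(demo())
```

The point of the closure in `open_session` is that the only object crossing back to the user is a capability to act through the broker, so a keylogger or screen scraper on the user’s workstation has no password to capture; the audit list is what an incident responder would replay to see who did what on which target.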