As technical security improves, human security vulnerabilities are increasingly in the bull's-eye.  For a fresh look at social engineering, and how best to defend against it, there’s no better source than a hacker.  So, I reached out to Cliff Smith, Ethical Hacker & CISSP at Parameter Security, for his take on the current social engineering battleground.  Here’s what he shared:

Confidence games have been around forever.  Is there anything fundamentally different about social engineering practiced by hackers?

Modern social engineering is no different than the classic con games.  They all run on information, trust, and emotions.  The biggest change in the past 20 years or so is that technology makes the attacker’s job much easier, for several reasons.  First, a skilled practitioner can use countless tactics to make their first contact appear more legitimate, such as spoofing a message’s source or creating a legitimate-looking website.  Second, the average user operates on autopilot much of the time when using their phones or computers.  It’s so easy, for example, to click on a link without stopping to think about the danger, which makes phishing attacks much more likely to succeed.  Third, technology makes the consequences of social engineering much more dire.  In just a few clicks, you can accidentally ruin your financial life, or someone else’s.

It’s commonly understood that phishing is a problem, and that phishing is a deceptive email with a malicious link.  Is it that simple, or are there other social engineering attacks to be concerned about?

Social engineering is a very broad topic, and it includes all hacking that relies on deception and manipulation to gain something of value from the target.  “Hacking the human” is another way to describe it.  Although the phrase “social engineering” didn’t exist back in the ’30s, each of the con games you see portrayed in the movie The Sting is a form of social engineering.  Phishing through deceptive emails is indeed one of the most common forms today, but there are lots of different social engineering tricks in use.  Many of them happen in person, such as tailgating behind an employee or impersonating a janitor to gain access to a secure office.  Others are used remotely, but through other modes of communication, such as a telephone call or text message.

With phishing, we see a lot of messages asking the recipient to initiate a wire transfer or email the attacker sensitive documents.  Readers are probably familiar with the so-called “419 scams” where the attacker claims to be a Nigerian prince who needs assistance transferring a large fortune into a United States bank.  Those are still quite common.

Phishing, vishing, smishing … why all the acronyms, and what do they mean?

The names are a bit cutesy, but they just refer to different modes of communication in social engineering.  Phishing usually refers to social engineering over email.  Vishing is social engineering over the telephone – the “V” stands for “voice.”  Smishing is social engineering over text messages – or SMS, hence the name.  Interestingly, according to recent research from Citizen Lab, a research lab at the University of Toronto, SMS-based phishing has played a prominent role in government surveillance of civil society groups around the world.

It’s worth bearing in mind that, although the essence of social engineering is the same for any type of communication, employees may need different training to resist each type of attack.  For example, the procedures your call center staff use to verify a caller’s identity are probably very different from the ones your front desk staff use to verify an in-person visitor’s identity.

A smart fellow, Dave Chronister, once told me there are two kinds of hackers – those with a target in search of vulnerabilities, and those with a vulnerability in search of targets.  Does this apply to spear phishing v. phishing?

Yes, the same distinction applies to social engineering.  Garden-variety phishing is often done with little information about the target, which is why the tactics are designed to work on a high percentage of people.  Who wouldn’t want to win a $100 Amazon gift card, or receive five percent of an exiled Nigerian prince’s $5 billion estate?  Spear phishing messages, on the other hand, are carefully designed to target a specific individual or organization, and extensive research often goes into them.  For example, an attacker might know the target’s name, title and job duties, their boss’s name, their boss’s schedule, and other non-public information about the target’s organization.  With all of this information in hand, the attacker could write, as the company’s CFO Alice, “Bob, I need you to email me all of this month’s payroll records from our R&D department so I can review them during my Vancouver flight.  I’m about to board, so you have to send them in the next ten minutes.  Also, tell Cindy that Acme Co. is sending their check to our accounts receivable department today.”  That’s a lot more effective than, “Bob, this is Alice.  Please send me all of our payroll records.  Thanks.”

Why are phishing simulations important for a company’s security posture – why isn’t traditional security training effective in improving anti-social engineering behavior?

Social engineering manipulates a target’s emotions and inclinations in ways that other hacking doesn’t.  People who are generous and empathetic often go out of their way to help strangers.  Others shy away from conflict and sometimes have trouble saying “no” or questioning someone’s honesty.  Some have trusting personalities and can’t imagine that the nice, friendly visitor is lying through their teeth.  Curiosity also plays a big factor in employees clicking on phishing links.  Any of these traits can be exploited, and it can be very difficult for an employee to figure out the best way to respond to an unexpected situation on the fly.  That’s why it’s critical to train employees on the correct procedures for identifying visitors and validating requests from vendors, partners, and other third parties.  If you think through your response in advance, it’s much easier to take the correct action in the moment, and stand your ground if you need to.

What are some of the best ways for companies to deploy phishing simulations, in a way that actually improves human security?

It’s important to make your social engineering tests effective and realistic.  At Parameter, we always have a long discussion with each client about the client’s culture and day-to-day operations so that we can design an attack that is likely to work on the recipients.  We also make sure to set up each test so that each message is weaponized to the point where a real attacker using the same tactic would have gained access to sensitive information or systems.

Perhaps more importantly, a test should be followed by training, preferably for the entire organization, not just the employees who clicked on the link or gave up their passwords.  Use the test as a case study and train employees on what they should do if, or when, a similar situation comes up in the future.

Study after study seems to confirm that a certain percentage of folks will click on malicious links, apparently no matter what.  Why is that, and do you think that companies can do anything else meaningful to reduce that percentage?

We can never train curiosity or helpfulness out of humanity, nor would we want to.  So phishing attacks will always have at least a puncher’s chance.  In my opinion, the best approach is to create a security-conscious culture at your organization.  Each employee should see themselves as an agent responsible for protecting the organization’s security.  In addition to holding security awareness training, discuss information security topics at regular staff meetings so it stays at the forefront of everyone’s minds.  Timothy DeBlock, host of the Exploring Information Security podcast and a speaker at our yearly conference, Showmecon, has a suggestion that I really like: emphasize security “wins.”  Share stories of employees spotting and reporting phishing emails or correcting problems that put the organization at risk.  In addition to making your organization more resistant to phishing, these cultural changes can help your employees make better security decisions on a day-to-day basis.