The Threat

With the introduction of the general data protection regulations (2018) it has never been more important for businesses and companies to protect their valuable data. According to the Cyber Security Breaches Survey 2019 conducted by the UK government, 30% of businesses and 36% of charities made changes because of GDPR. An understandable reaction, as the maximum fine for breaking GDPR can be €20 million or 4% annual global turnover – whichever is higher.

That said, breaches and attacks still occur. In the last 12 months, 32% of business and 22% of charities identified a cyber security breach or attack – leading to thousands of pounds worth of costs through lost data and assets. The use of words such as cyber security breach and attack can be slightly misleading as to the causes of them. The thought would be it is singular, elite hackers targeting businesses and overcoming security systems through skill alone. The truth is much simpler – 80% of security breaches are due to staff.

 

Any Team Member Can Be Targeted

The rise of social media have led to people sharing their lives with the world. This opening up to the world also allows for people to become targets, especially if they work for a business that might draw the attention of hackers. McAfee has stated that over half of organizations reported potential security breaches due to social media use. However, social media use is more about unforced errors from staff – social engineering aims to use targeted techniques to leverage information.

Social engineering can be defined as using psychological and social techniques to gain information and exploit relationships, for an end objective. The end objectives could be to compromise security, or gaining entry to a facility. More importantly, social engineering can target any level of staff in any organisation, not just high-level management or IT staff. By targeting lower level staff, and potentially less security aware staff, an entry to a system can be gained. A brief example of this could be a hacker getting access to an employee email, and then using that to target higher management for a greater success chance.

The general social engineering cycle is: information gathering > development of a relationship > exploitation of relationship > execution to achieve objective. Along with this cycle, various social engineering techniques are employed, such as: phishing, pre-texting, baiting, quid pro quo, and tailgating.

Phishing, baiting and quid pro quo all work on a similar basis, but have distinct differences. Phishing tends to work on a sense of urgency – “It is vital this is done immediately” or “This is running late, do it now” – this is done to get targets to panic and act without thought. Baiting and quid pro quo usually work on a basis of trust, but more importantly a reward. Baiting will offer a target a material good in exchange for information, such as login details. Whereas quid pro quo will offer a service, for example an ‘IT company’ offering a free security upgrade to an outdated system. All 3 of these examples will usually direct a target to a malicious website that looks legitimate but is run by a potential hacker.

Pre-texting and tailgating are social engineering techniques that can be done in person. Tailgating is simple – “please hold the door, I’ve got my hands full and can’t reach my key card”. A gesture that exploits human kindness to gain entry to restricted areas, and once entry is gained internal vulnerabilities can be easily reached. Pre-texting is slightly different. Imagine the scenario of a delivery driver dropping off a package to the CEO of a businesses. The package could be left with the front desk of the building, but it is insisted that the package MUST be hand delivered to the CEO, on his strict orders. This creation of a scenario is exactly what pre-texting works on to gain entry to restricted areas of an organisation.

 

Daisy Chained Attacks

These five examples of social engineering are not mutually exclusive in that several could be used together. What’s more is that the examples given only target one individual, when in fact employees of organisations can be ‘daisy-chained’ together for greater success. Take the baiting example. A lower level, less security conscious employee of a large firm has an open social media page that outlines where they work, but that they also like all things to do with baby llamas. An email could be crafted from this information to be sent to their work email, offering a free llama picture and fact pact if they create an account using their work email (and usually password). This is engineered in such a way to gain access to their work email account. A seemingly low-level security risk? Wrong. An official work email can be used to send further phishing emails or malicious links to higher level IT staff, who are a higher value target. This is because an official work email holds great trust due to having a known person attached to it.

 

Conclusion

Social engineering demonstrates one core value; a password is only as strong as the person who holds it. What is meant by this is that cyber security relies on the people that use/implement it. As a general rule of thumb, if a hacker is good enough to break through various security systems without using social engineering then there is little to stop them. However, a vast majority of hackers are not this good, so they use any means necessary to give themselves an advantage. Additionally, security breaches done in this way are not always obvious in that it could be months AFTER a breach or attack before anyone realises.