Social engineering attacks are what every organisation is usually let down by, so how can they mitigate the risks it stands for?
According to Kieren Lovell, Head of Computer Emergency Response Team at the University of Cambridge, it is all about understanding how threat actors compose intelligence profiles.
“The interesting point to note here is that no matter what tools, firewalls and level of encryption you have, the weak point in most intrusions is the human. One of the things employees and individuals should do is to learn how to effectively search for their own footprint to see what comes up on the internet. To drill down and find what's out there about you… There is an awful lot of information about all of us on social media and on search engines.
“We need to remember that a 30-year-old today was 16 around the time that MySpace was popular. We know that MySpace profiles are notoriously difficult to delete as well as the ones on AOL and MSN, if someone gains access to this information, then they can really start to develop a profile.
“Once they have the basic information, they can go on sites and although the password would have been a strong one, a person could just click on the ‘Forgot password’ link and because most people use their mum’s maiden name, cross-pollinate information from Facebook and just reset your password. It can be that easy.
“When it comes to businesses, people should be made more aware of the security of the transmission mode. What people don’t know is that email is as secure as sending a postcard via snailmail. While gmail to gmail is secure, gmail to University of Cambridge email is transmitted along in plain language. So it is very easy for email to be intercepted along the way. We see a lot of instances where, a copy of a PDF has been tampered with and malicious actors have changed the details on it, if they change the bank details and send it through, there is a serious possibility that money will end up in incorrect accounts.
“To get to this stage, it would have taken months earlier but these days, 2-3 hours of hard work should reap results.
“The worst thing for organisations to do is to make things so secure that nobody can work. It is a happy medium that you need. There is a growing need to be aware of what’s going on- check against your own company and also with PR, it is interesting that most people don't realise these things. The easiest example is metadata on photos that you upload to the internet. While social media channels usually wipe this data, blogs and websites don't, so you can just download someone’s photo off Google and run an image search for the picture to see a list of everyone they have ever interacted with online.
“This gets interesting because if I go to an event and use public wifi, people will immediately know that I was at a particular conference and get all the details associated with it. This kind of data can be used for business espionage.
“Conferences are interesting because you can find out where people are going, including key contacts, then use those details to hack into the conference wifi. This is why we always stress that free wifi should never be used. You can buy a device called a pineapple on the internet and configure it to say, for instance, ‘free conference wifi for R3’, when people connect to the network, all their data that is being transmitted will get saved onto the hard drive on the pineapple.
“In fact, to those from our university who work away from the office and go to conferences often, we give three pieces of advice:
- Use 4G
- Use company VPN
- If it is not your home/work connection, don’t trust it
Exploring cases where social engineering has compromised processes
“In places like Cambridge, a lot of HR is quite open because you want people to see different things. Not all information is siloed to specific departments. It is this open source intelligence that leads to process hacking. In an organisation with more than 3000 members of staff where numbers can go over 40,000 if you include researchers and students, the situation gets very tricky. It is not unusual to have instances of process hacking where people are sent spurious payment details by changing sort code and account number.
“We have also had instances where people have pretended to be students, writing in to seek advice. However, when the link to download their CV/file is clicked, it has turned out to be malware. These people are using nothing but trust to get into your system. If you give keys to the system, you can't do anything about how they use it and you are immediately on the back foot.
The only workable solution in these instances is 2 factor authentication. Personal details can be easily phished so the need for an extra layer is acute.
“The University cannot use smartphones for authentication because researchers frequently go to places without mobile or data signal and network. We have issued RSA tokens but the best system, in my opinion, is a model used by the Estonian Digital Identity. Plug into your computer to authenticate yourself, or use a mobile – The choice is up to you.
Examining how good PR can be ideal for threat actors
“Active PR without doing some basic “cyber hygiene” can have terrible consequences for businesses from the cyber security point of view. High quality photos with zoomable details in the background are a major worry. Photos taken in hospitals with medical details in the background, board room selfies with zoomable wifi passwords are all examples of bad cyber security hygiene. Businesses need to take a step back and ask themselves and their PR teams- do we really need to put these photos up? Have we scrubbed the metadata off these images?
What can you do to stop social engineering attacks?
Before publishing anything online, businesses should always remember that Google doesn't forget. Even if files and PDFs are removed from websites, there will always be a Google cache of it available for all the world to see.
2 factor authentication is a very good step forward by it is also about working out what does and doesn't work out for the company concerned. It is amazing what's on the internet but more amazing is what information is published by companies, unknowingly.