In the mid-eighties, before social engineering got its name, I experienced my first and only (known) SE attack.
I had just started in my first security post, a job in UK government. I was cautious, not wanting to do the wrong thing. That was just as well, because my reflex human instinct would have allowed the following ruse to succeed.
I was alone in the office when I took a call on my desk phone. Ms. Doe, an anxious-sounding school secretary, told me how my predecessor’s daughter was in some urgent trouble, so the school really needed to contact her father without delay. I was sympathetic, but anxious not to make a career-limiting blunder. With some effort I persuaded Ms. Doe to give me her number so I could pass it to the child’s father. I couldn’t find him, so I called the school back myself. The number was correct, but the (real) school secretary assured me Ms. Doe did not exist.
This attempted fraud felt very personal: it was based on an appeal to my willingness to help a child in distress. My new colleagues told me how my predecessor had been something of a ladies’ man. Ms. Doe was likely a discarded girlfriend who had been unable to get his new office number. Maybe that is what prompted his transfer…
Thirty years ago, there was much more emphasis in government security on countering state espionage, the most extreme end of which involved the creation by foreign agents of fake identities so they could operate under the radar of the target country’s security authorities.
Now we see a much more open use of fake identity, typically for identity theft-type offences rather than the stealing of state secrets. Fortunately for security professionals, the principle of social engineering is now better known. The new frontier of cybercrime includes the use of bogus emails and websites to harvest personal information. These are well publicized in online media and underpinned by readily recognized terms such as phishing and identity theft. Because of the commonplace use of online banking services, most retail banks now have a stake in ensuring that their customers are aware of the risks of this type of fraud.
The increased threat of social engineering has been underpinned by some sensational news headlines, e.g. “How a lying ‘social engineer’ hacked Wal-Mart”. Security officers do not have to reach far for some good, recent examples of the black art, the relevance of which can be quickly grasped by journey-level recruits as well as seasoned professionals.
As the threats of social engineering widen, they have also become better recognized by more people, and there are real examples we can use to emphasize their dangers. But there are increasingly convincing tools and techniques available to fraudsters for persuading people that their pitch is genuine. Perhaps the best countermeasure to the danger of developing threats is to instill caution when dealing with those who claim to have authority. This questioning is easier to do through text and email exchanges, but requires more skill face-to-face and in real time. Sometimes it was embarrassing for my managers when security guards challenged well-known lawmakers who failed to display an identity pass. But on the whole it is easier to deal with the occasional fallout from overzealous security staff than to clean up the mess left by those who have been cowed by (fake) authority into giving away an asset. Perhaps some assertiveness training for the more timid could, when taken alongside the great media resources we have now, strengthen an organization’s natural defenses against this not-so-new phenomenon.
Some tips for blunting the advance of social engineering:
- Have a well-trained security expert on staff who can adequately handle an incident if one should arise. They should be up to date on the latest hacking techniques and countermeasures.
- Have staff awareness programs include commentary on real identity theft incidents, e.g. news headlines and incidents of banking fraud.
- Let staff know they won’t be punished for questioning the authority of anyone who does not present the correct credentials for obtaining a privilege, whether that is data or entry to a building or area.
- Check out and reference the helpful US Government ‘United States Computer Emergency Readiness Team’ – US-CERT webpage about identity theft.