Combat Social Engineering: Don’t Be the Weakest Link

Smart criminals go after the 'lowest hanging fruit.'

September 16, 2010

Smart criminals understand their success hinges on choosing the right opportunity to exploit a specific weakness. That’s why burglars avoid homes with alarm systems, car thieves look for unlocked vehicles, and muggers don’t attack those wearing a white robe and a black belt.

In other words, they go after the “lowest hanging fruit.”

Similarly, criminals who use social engineering tactics seek opportunities to employ their unique methods of manipulation and deception to exploit the weakest link of the security chain. For the social engineer, that weak link usually is the organization’s own people and procedures.

Unlike traditional security threats that can be thwarted with physical or electronic security precautions, social engineering tactics exploit the fundamentals of human nature: Our natural tendency to help others, our desire to avoid conflict, our fear of making mistakes, and our fear of getting ourselves or others in trouble.

In fact, professional social engineers are literally betting that their natural ability to manipulate basic human traits will create opportunities to turn targets into unwitting accomplices.

Seasoned social engineers know exactly whom to target. Although top executives may have direct access to the most valuable information within the organization, social engineers realize it’s much more complex and time-consuming to directly compromise executives.

Instead, they set their sites on low- and mid-level employees. Receptionists, cleaning crews, tellers, and even managers of remote locations are all attractive targets to a smart social engineer. After all, these employees typically have limited security awareness training and might be more susceptible to manipulation and deception.

These staff positions also could provide criminals with access to sensitive areas during off-peak hours, when the chance of being exposed is significantly lower.

Next: Characteristics of a weak security chain

Characteristics of a weak security chain

Industry experts and government regulators agree that institutions most at risk of succumbing to social engineering tactics tend to lack:

  • Adequate policies and procedures pertaining to physical security;
  • A security awareness program that allows for training of employees at all levels; or
  • An established system of vendor and visitor tracking.

These three elements are dependent on each other to properly defend against the threat of social engineering schemes.

A deficiency in one area creates significant vulnerabilities in the others, allowing easy entry points for savvy criminals to exploit.

Of course, professional social engineers know this information, too. That’s why tactics like the “trusted vendor” scenario—which can exploit numerous vulnerabilities simultaneously—tend to be highly successful at organizations that have inadequate polices and procedures, limited security awareness training, and no formal system of tracking authorized vendors.

Next: A ‘trusted vendor’ scenario

A ‘trusted vendor’ scenario

Using only basic information-gathering techniques, it’s not difficult to devise a plausible “trusted vendor” scenario that seems completely believable to an unsuspecting target.

For example, if a criminal’s intent was to covertly gain access to sensitive areas inside a financial institution, he might choose to pose as a pest inspector.

First, the social engineer would need to find out which pest control company the institution currently uses. Setting up surveillance outside a location waiting for the pest control technician to show up would take way too long. However, contacting the institution under the guise of a new pest control company looking to submit a competing bid might reveal the name of the current service provider.

If so, the next step would be to get the actual pest control company’s logo off the Internet to create a believable uniform using a “do-it-yourself” iron-on kit.

The social engineer could then use various social networks to find the names of some of the organization’s managers and, if lucky, the days those managers will be out on vacation. The criminal could then call the branch receptionist late in the day under the guise that the manager requested he come treat the office immediately.

The criminal could probably weave a convincing tale creating a sense of urgency, plus generate a reason for keeping staff members away while he’s “working.” One believable reason: Claim that management reported a rat infestation but wants to keep it secret to avoid alarming the rest of the staff.

Upon hearing that type of disturbing news, any possible suspicions about the pest control technician are probably replaced with anxiety over the nearby rat infestation. The criminal could further increase his chances of avoiding exposure by scheduling an after-hours appointment when he’d be free of prying eyes and have more time to snoop for sensitive information.

This scenario also offers a perfect opportunity to perform another favorite social engineering technique, dumpster diving, without raising suspicions. After all, who’s going to suspect a uniformed pest control technician is doing anything other than killing rats inside a dumpster?

You may think this is only a worst-case scenario, but companies that specialize in social engineering testing can attest that this type of situation happens with alarming frequency.

This example illustrates that, lacking adequate safeguards to combat social engineering threats, several weak links can exist along the security chain. It also demonstrates that strong policies and procedures, along with adequate training, can thwart the social engineer’s efforts.

Next: Reinforce the chain

Reinforce the chain

Employees are the first line of defense against social engineering schemes. It’s imperative that management provide them adequate tools to combat would-be scammers, including:

  • Comprehensive policies and procedures that go beyond the obvious threats and address scenarios unique to the organization;
  • Security awareness training that includes custom role-based training for positions most vulnerable to social engineering tactics;
  • Systematic controls like a shared vendor/visitor tracking system that accounts for local vendors at remote branches; and
  • Frequent reminders (e-mails, posters, tips of the week) to staff about the organization’s commitment to security.

The most advanced firewalls, intrusion detection systems, and video surveillance can’t offer much protection against social engineers who use unsuspecting employees to breach security and access sensitive information.

The best defense is well-trained and well-equipped employees who understand their role in protecting the interests of the organization.

Management must provide staff with the training, guidance, and tools to effectively combat this growing threat.

DAVID BLAZIER is marketing manager for TraceSecurity, a CUNA strategic alliance provider. Contact him at 225-612-2121, ext. 31062.