Social Engineering Targets Weakest Security Link: Employees
Without ongoing employee training, an enterprise's expensive security infrastructure investment means little. But very few corporations protect themselves from the growing threat of social engineering.
Today only 7 percent of American organizations do phishing education, said Chris Hadnagy, CEO of security consulting and training firm Social-Engineer, and co-author with colleague Michele Fincher of the newly published book, Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails. As the Internet of Things (IoT), mobility, and ever-expanding reliance on networked computers increase, the threat of social engineering – of hackers using employees' and partners' willingness to help and information they share – expands exponentially, he said. And as companies invest in more advanced security technologies, hackers will resort to the simplest path: People.
"The attacker doesn’t want to take the sexiest route. They want to take the easiest route. They don't care if it's a zero day exploit or some really sexy code. Back when software was much more vulnerable we saw a lot more attacks that involved hacking into software. Now software is more hardened, now the network is better protected, we see phone calls as the main vector for getting through," Hadnagy told Enterprise Technology.
Hackers are increasingly sophisticated and adept at social engineering, able to piece together data from social media, corporate blogs, and data painstakingly pulled from well-meaning employees which cyber-criminals then use to attack networks and steal invaluable data, hold corporations hostage, or otherwise damage their targets, security experts said.
"[Hackers] use social engineering to gain more information or look at information that's leaked out on the web and they then use that information to make more targeted attacks," said Colin McKinty, vice president of cyber security strategy, Americas, for BAE Systems, in an interview.
Using this data, hackers can carefully tailor phishing expeditions to closely mirror an organization's legitimate partners, hoping to fool employees into opening a malware-laden email and click on a poisoned link, he said.
"End-users are typically not aware and not only are they not aware – most are aware they shouldn't give out their password over the telephone and that’s not always a blanket statement – but the most interesting and scary aspect of user knowledge is most users are not aware of how valuable and how important the information they have is," said Michele Fincher, chief influencing agent at Social-Engineer. "It's not even a matter of how important you think you are. It's how important attackers think you are."
Whereas phishing emails once stood out due to their poor grammar and pigeon English, today's most determined hackers hire proofreaders and copy editors, cautioned Hadnagy. Indeed, the Dark Web features at least one ad that guarantees an increased open rate for customers of its editorial services, complete with 24/7 customer support, he told Enterprise Tech.
"We're at a different level of war on the Internet," Hadnagy said. "The emails are getting smarter. They're getting much more difficult to discern. Phishing is not just a foreign attack anymore. We're going to see more intelligent attacks and a harder methodology for people to recognize those attacks."
Today, 23 percent of recipients open phishing emails and 11 percent click on attachments, according to Verizon's 2015 Data Breach Investigations Report. The sheer number of phishing emails is surging: In 2014, there was a 233 percent increase in phishing emails, and the number of daily emails containing malware grew 50 percent to 2.5 billion from 1.69 billion, Cyren's Global Threat Monitor reported.
Social engineering often entails using phishing to try to trick employees to share information – such as passwords; vendor partners; distributors, or suppliers – or to download malicious code onto their computers and network. This tool may be behind ransomware attacks, experts said. Some social engineering scams involve old-fashioned telephone calls – dubbed vishing – or impersonation, often as a janitor or other often overlooked office visitor who rummages through paper or eavesdrops to find invaluable information.
"Be on the lookout for more effective social engineering scams as cyber criminals find more innovative payloads," cautioned security developer Sophos in its Security Threat Trends 2015 report.
To fight these attacks, organizations should first determine what data is readily available about them, said BAE's McKinty.
"If you think about what people are trying to do with social engineering and open source information that's leaking out on the web, you first want to do a reconnaissance," he said. "The key is to establish a baseline."
This includes information reaped from social media like Twitter and Facebook, as well as Dark Web searches, said McKinty. In addition, organizations must locate all systems – including HPC, rogue cloud, and departmental installations – that connect to the Internet in order to understand the entire enterprise's vulnerabilities, he said.
"The discovery phase is really, really important – whether it's HPC, a lab system or research and development. The next stage is what information is on them," said McKinty. "Not all information is as important and security budgets are only so big. Whether that's because of compliance or company needs or customers you need to protect, [consider]: If this information got out into the general public or the New York Times, would this matter to you? Then it's back to exposure. Then we can apply pieces of security where appropriate. The key thing is to make sensible use of your budget."
Part of that budget also must go to ongoing employee training, security advocates agreed. It's vital to measure this training to ensure it's working, said Hadnagy.
"Companies need to stress how important it is that each person know how important this is. Each company needs to make education better," he said. "Companies buy computer-based training and they push out these 30-, 40-, 60-minute videos that nobody finishes watching, that nobody pays attention to. Then they're like, 'Oh, training doesn't work so we'll push more money into firewalls.' By blending realistic auditing – by actually phishing employees, vishing your employees and following that with very short, succinct training that takes no more than 60 to 90 seconds for an employee to get through has greater effect."
To ensure testing works – and measure their social-engineering ROI – organizations then should phish employees. While some businesses are sometimes slow to embrace social engineering countermeasures, the results of these investments should change minds, experts said. In addition to greatly improving the odds of preventing an attack (and the high costs associated with repairing post-hacking damages), employee productivity improves, IT spends less time on help desk calls, and risk drops.
"One thing we've done that helps, is if they've got a little money in their budget we'll do a CEO deep-dive and write a spear fish for them. Once they see how well it works for them, they'll say, 'Yes, we need the education.' The people with the checkbook have to see there's value," said Hadnagy. One client, for example, saw a 72 percent reduction in malware-related incidents directly related to phishing education; within three months of training, another client saw employees' ability to recognize and report phishing emails increase 384 percent, he added.
"We're always going to have to worry about this. We're dealing with human beings. We don’t want to deal with a culture where people are paranoid to click on a link or open an email. The last thing you want is a culture of overly paranoid people who won't communicate. That is not enjoyable and it's not a way to create a profitable business," Hadnagy said. "If we can change the culture and the way corporate America acts about phishing and vishing, then maybe we can create a shift in the way corporate America responds to these attacks."
Managing editor of Enterprise Technology. I've been covering tech and business for many years, for publications such as InformationWeek, Baseline Magazine, and Florida Today. A native Brit and longtime Yankees fan, I live with my husband, daughter, and two cats on the Space Coast in Florida.