Have you been socially engineered recently?

Highlighted in a recent case study, business executives of small to medium sized firms all over Australia are being successfully targeted by social engineers that attempt to defraud them with fake invoices. The group compromises email servers of the businesses they are targeting to send emails to Chief Financial Officers (CFOs). After an exchange of emails they successfully deceive the CFO into wiring money to their accounts.

Social engineering tactics like this have been observed in New Zealand too, with the New Zealand Nurses Organisation sending tens of thousands of member details to a malicious individual. In this case there was no compromise of an email server; the attacker simply used a fake Yahoo email address bearing the Chief Executive’s name.

Social engineering can vary in sophistication. However, basic training and awareness for employees is, by itself, unlikely to deliver the desired security results. Organisations must additionally consider the role their own security hygiene plays in minimising the likelihood and impact of a successful social engineering attack. This was highlighted by Thycotic’s Black Hat Hacker survey of 2017, in which 32 percent of hackers said that accessing privileged accounts was their preferred route to easy and fast access to sensitive data.

Poor maintenance and processing of user roles and access profiles can leave staff with greater access rights to data than they need. An attacker can create a hit list of potential targets who may have privileged accounts via social media such as LinkedIn and Facebook. Long serving employees and individuals who have had a range of varied roles within one organisation quickly rise to the top.

To counter this, security teams need to make sure that the catalogue of user roles and access profiles are appropriate for the employees and their existing responsibilities, and prevent unwanted accumulation of access rights. This involves an adequate process for requests to add, change, or revoke access rights to ensure that only authorised users can grant access to specific information. It also requires a review when an employee changes roles, alongside regular reviews or audits.
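As an added example (not from the original article), the following Python access-review check compares each employee’s current entitlements against the baseline for their current role and separates rights accumulated from previous roles from rights nothing in their history explains. The role catalogue, group names and employee records are constructed sample data.

```python
"""Access-review check: flag entitlements that exceed an employee's current role.

Added example with constructed sample data; the role catalogue, group names and
employee records are assumptions, not taken from any real system.
"""
from dataclasses import dataclass, field

# Constructed role catalogue: the entitlements each role is supposed to carry.
ROLE_CATALOGUE = {
    "accounts-payable": {"erp-invoices-write", "erp-vendors-read"},
    "cfo": {"erp-invoices-approve", "erp-vendors-read", "bank-payments-release"},
    "help-desk": {"ad-password-reset", "ticketing-agent"},
    "it-admin": {"ad-domain-admin", "exchange-admin", "ticketing-agent"},
}

@dataclass
class Employee:
    name: str
    role: str
    entitlements: set
    previous_roles: list = field(default_factory=list)

def excess_entitlements(emp: Employee) -> set:
    """Entitlements the employee holds that their current role does not need."""
    return emp.entitlements - ROLE_CATALOGUE.get(emp.role, set())

def review(employees: list) -> dict:
    """For each employee with excess rights, split them into rights explained by
    a previous role (accumulated on a role change) and rights nobody can explain."""
    findings = {}
    for emp in employees:
        excess = excess_entitlements(emp)
        if not excess:
            continue
        inherited = set()
        for old_role in emp.previous_roles:
            inherited |= excess & ROLE_CATALOGUE.get(old_role, set())
        findings[emp.name] = {"accumulated": inherited, "unexplained": excess - inherited}
    return findings

# Constructed sample: a long-serving employee who moved help desk -> IT admin -> finance,
# a recent hire whose access matches their role, and a help-desk account with an odd right.
SAMPLE = [
    Employee("A. Long", "accounts-payable",
             {"erp-invoices-write", "erp-vendors-read", "ad-domain-admin", "ad-password-reset"},
             ["help-desk", "it-admin"]),
    Employee("B. New", "cfo", {"erp-invoices-approve", "erp-vendors-read", "bank-payments-release"}),
    Employee("C. Odd", "help-desk", {"ad-password-reset", "ticketing-agent", "bank-payments-release"}),
]

if __name__ == "__main__":
    for name, f in review(SAMPLE).items():
        print(name, "accumulated:", sorted(f["accumulated"]), "unexplained:", sorted(f["unexplained"]))
```

Accumulated rights are the ones a role-change review should have revoked; unexplained rights warrant a look at who granted them and why.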

Why phishing continues to be successful

The success of phishing extends beyond social engineering aspects and organisational security hygiene, as highlighted by Karla Burnett at Black Hat 2017, and into psychological roots. The terms “System 1” and “System 2”, were presented by Daniel Kahneman, a renowned psychologist, in his 2011 book: Thinking, Fast and Slow.

These systems relate to the way the human brain operates. System 1 operates automatically and quickly, with little or no effort and no sense of voluntary control. System 2 allocates attention to the mental activities that demand effort. Examples of automatic System 1 activities are:

• Detect that one object is more distant than another.
• Orient to the source of a sudden sound.
• Complete the phrase “bread and . . .”
• Make a “disgust face” when shown a horrible picture.
• Detect hostility in a voice.
• Answer to 2 + 2 = ?
• Read words on large billboards.
• Drive a car on an empty road.

Examples of more diverse and attentive System 2 activities are:

• Brace for the starter gun in a race.
• Focus on the voice of a particular person in a crowded and noisy room.
• Look for a woman with white hair.
• Maintain a faster walking speed than is natural for you.
• Monitor the appropriateness of your behaviour in a social situation.
• Count the occurrences of the letter a in a page of text.
• Compare two washing machines for overall value.
• Check the validity of a complex logical argument.

For many employees, reading and responding to emails is a mundane task, often undertaken first thing in their working day to clear a backlog and identify any immediate issues. This approach can continue throughout the day as employees check emails between meetings. Clearing emails has become for many a ‘System 1’ activity: open, read, flag as important — or delete. Then repeat.

How organisations should reduce the risk of social engineering

Organisations need a multi-layered approach. Combining awareness and training for phishing, managing privileged accounts and user access rights, and a sensible password policy will significantly reduce the likelihood and impact of a successful social engineering attack.

Having a password policy that forces employees to use numbers, upper and lower case letters, and special characters encourages a predictable pattern in password creation. This means historically stolen credentials can still offer clues as to how an individual constructs their current password. New password policy guidance from the U.S. National Institute of Standards and Technology (NIST) provides a good framework and recommends more user-friendly policies to help employees comply.
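To make the point concrete, here is an added example (not from the original article) of a password acceptance check in the spirit of the NIST guidance: a length requirement instead of composition rules, a blocklist of known-compromised passwords, and a check that the new password is not a trivial re-skin of a compromised or previous one, which is exactly the pattern that composition rules encourage. The blocklist and the password pairs are constructed sample data.

```python
"""Password acceptance check: length, compromised-password blocklist, and a
"same pattern" test that catches Summer2017! -> Summer2018! style rotations.

Added example; the blocklist and sample passwords are constructed, and the
skeleton() heuristic is an illustration rather than a standard algorithm.
"""
import re

MIN_LEN, MAX_LEN = 8, 64

# Constructed blocklist; a real deployment would use a breach corpus or a
# k-anonymity lookup service instead of a hard-coded set.
COMPROMISED = {"password", "summer2017!", "welcome1", "p@ssw0rd"}

# Undo the most common character substitutions so P@ssw0rd and password match.
LEET = str.maketrans("@$0!31", "asoiel")

def skeleton(pw: str) -> str:
    """Reduce a password to its underlying pattern: lowercase, trailing digits and
    symbols removed, then common leet-speak substitutions undone."""
    s = re.sub(r"[^a-z]+$", "", pw.lower())
    return s.translate(LEET)

COMPROMISED_SKELETONS = {skeleton(p) for p in COMPROMISED}

def check_password(new: str, previous: str = "") -> list:
    """Return the reasons to reject `new`; an empty list means it is accepted.
    `previous` is the user's last password (from the credential history), if known."""
    reasons = []
    if not MIN_LEN <= len(new) <= MAX_LEN:
        reasons.append("length")
    if new.lower() in COMPROMISED:
        reasons.append("compromised")
    if skeleton(new) in COMPROMISED_SKELETONS:
        reasons.append("variant-of-compromised")
    if previous and skeleton(new) == skeleton(previous):
        reasons.append("variant-of-previous")
    return reasons

if __name__ == "__main__":
    for new, old in [("Summer2018!", "Summer2017!"), ("P@ssw0rd", ""),
                     ("correct horse battery staple", "Welcome1")]:
        print(repr(new), "->", check_password(new, old) or "accepted")
```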

Like many cyber risks, social engineering requires a balance of trying to minimise cyber/security fatigue for employees, identify negligent insider threats, and create a digital environment that is easier to protect.