Social engineering doesn’t have to be just a supporting process to obtain system access; it could be even more dangerous when it is used as the main attack. We, information security defenders, rarely consider that risk.
If you think Social Engineering is an effective way to obtain access to systems by exploiting the weakest link – people – you are correct.
But not completely correct. Social engineering could be much more than what is being discussed in the media or in social engineering awareness sessions.
Social engineering is the most effective way to obtain information. It’s a subtle difference, but one with huge implications.
If the attacker’s goal is to obtain human-manageable information such as certain types of intellectual property, information about R&D projects, business strategies, etc., the attacker might be able to achieve their goals through social engineering without ever attempting to access your systems.
To give you an example:
Disruptive innovation, first-mover advantage, new market creation… are the hot topics. The holy grail of company growth. Every executive dreams about disrupting their industry and transforming their company into the next Apple. So they invest millions in R&D.
Because they understand the importance of keeping their R&D projects under wraps, they also invest in security. They set up separate networks and implement careful separation of duties. Nobody on the team knows the whole project. They introduce cutting-edge, mission-impossible-like physical security controls – exploding project initiation documents; back-scatter x-rays at the exits; etc.
Most likely, their Information Security lead will organize a social engineering awareness session with the team and instruct them not to share passwords, even when asked by system admins.
Seems pretty comprehensive, doesn’t it?
More than once I was in a position to test the security of a similar R&D project (bar exploding PIDs). Each time I managed to learn everything I needed about the project. Not by hacking into systems while suspended from a ceiling. I did it by boozing it up in the nearby watering hole. (On a side note: if you are looking for a career in which you get paid to sit in pubs for days, you should consider red teaming / penetration testing)
It’s embarrassingly simple. All I needed to do was use open source information, (legal) dumpster diving, and/or some basic surveillance to identify a few project team members, catch them in a casual social setting and spark a conversation. Using some of the techniques described in the presentation below, facilitated by copious amounts of alcohol, I was able to build the whole story by piecing together tidbits of information obtained from various project team members. No need for fancy systems hacking or physical penetration.
Social engineering is not just a supporting process to obtain system access; it could be the main attack. When talking about information protection, as opposed to cyber protection, for some types of information social engineering is the greatest risk. Organizations that focus only on a narrow definition of social engineering as an attack vector to obtain system access will fail to create awareness of all other possible social engineering attack methods.
Social engineering attacks are often performed as part of industrial espionage (which happens at the vast majority of Global 1000 companies), and often there is no need to obtain passwords or break into systems. Capable operators might be able to elicit all the information they need and significantly hurt the organization just by using a few social engineering tricks.
A broader, and in my opinion the correct, definition of social engineering is: “Any kind of psychological manipulation used to obtain private or sensitive information, or to force a target to perform some action to the target’s disadvantage.”
People are the weakest link in security. We in the InfoSec community focus a lot on IT controls. We rarely adequately align physical controls to information risks. And we almost never properly consider HUMINT aspects. We should consider social engineering in its extended definition and start creating broader awareness of the various social engineering attacks.
In regard to social engineering, we should also realize that it’s not a new thing. The InfoSec community (or some ex-hackers) did not invent social engineering. Human intelligence attacks have been the core of intelligence practices for thousands of years. Intelligence services, social services, medical professionals, psychologists, marketing, sales, magicians, fortune tellers, etc. have all developed numerous techniques to elicit information or manipulate people. We should learn from them… but this is a rant for another post.
For more info, have a look at the presentation below, which I have presented a few times since 1999.
For over 30 years, Marin Ivezic has been protecting people, critical infrastructure, enterprises, and the environment against cyber-caused physical damage. He brings together cybersecurity, cyber-physical systems security, operational resilience, and safety approaches to comprehensively address such cyber-kinetic risk.
Marin leads Industrial and IoT Security and 5G Security at PwC. Previously he held multiple interim CISO and technology leadership roles in Global 2000 companies. He advised over a dozen countries on national-level cybersecurity strategies.