34: How to Protect Yourself (and Your Business) Against Social Engineering
Published April 14, 2020
Run time: 00:20:43
Tim talks about the most common types of social engineering attacks and some tactics to implement to ensure you stand the best chance of protecting yourself from yourself (and from your employees accidentally making a mistake).
In this episode, you will learn:
- How cognitive biases make social engineering so effective
- How 8 common social engineering attacks work
- Why it's important to not only have processes for your employees to follow, but for them to understand why the processes exist
- What you can learn from attacks on other businesses
This episode is brought to you by The Jed Mahonis Group, where we make sense of mobile app development with our non-technical approach to building custom mobile software solutions. Learn more at https://jmg.mn.
Recorded April 13, 2020 | Edited by Jordan Daoust
Episode Transcript:
Welcome to Constant Variables, a podcast where we take a non-technical look at mobile app development. I'm Tim Bornholdt. Let's get nerdy.
Today on the podcast, we are chatting all about social engineering. You know, we as developers have to do a lot to secure your app. We do things like encryption, we set up firewalls, maybe we do some obfuscation. We'll prevent SQL injections, CSRF attacks. There's so many things we have to do as developers, and that we have to worry about to make sure that your app is secure. But at the end of the day, people can't stop people from being people. We can't force you to do all the right things all the time. And that is exactly where social engineering comes into play.
So what is social engineering? It's a phrase that's used to describe the ways criminals trick you into giving them sensitive information or just access to your system in general. So here's a basic example of a social engineering attack. Let's say I'm a bad guy, and I want to get into your system somehow. I might walk into your business with a sign, and the sign is printed on official-looking company letterhead, and it has an updated help desk number. So I post that around the building and people start seeing it. And so they write down the new number, and then eventually, you know, maybe this is a few weeks down the road or whatever, somebody needs help with their computer. So they find that number, they call it up, and I, on the other end as the bad actor, ask them for their login information. And because the number was in the building, it's the help desk, you know, why would the person question it? So they give me their information. Boom, now I'm into that system. That's a basic example of a social engineering attack.
Now, why is social engineering so effective? Well, humans have a bug in their operating system, if we can get a little nerdy for a second. That bug is something that we call cognitive bias. And cognitive bias is something that people can exploit. They're things that are just baked into our DNA as humans; we can't help it. Robert Cialdini, who's a psychology and marketing professor, developed a theory that says influence over others, which again, that's basically what social engineering is, is based on six key principles. So I want to give you the six principles and then we'll come back and go over each of them really quickly. So number one, reciprocity; number two, commitment and consistency; number three, social proof; number four, authority; number five, liking; and number six, scarcity. So let's take all those individually real quick.
So number one, reciprocity. If I do something for you, you're gonna return the favor. If I help you move, you know, when I move to a new house, you're gonna tend to help me out, I guess unless you're a jerk. But again, this is generally speaking.
Number two, commitment and consistency. If somebody commits to an idea or a goal, they're likely to honor that commitment, even if the original incentive for agreeing to it is removed.
Number three, social proof. People do things that they see other people doing. So this is why when you're outside, on a nice day, in the summertime, everybody's out mowing their lawn. Why? Because one person at a time decided to mow their lawn. Somebody drives by, sees they're mowing their lawn, then they say, "Oh, I should go mow my lawn," and then somebody else comes by and it's just kind of a vicious cycle of lawn mowing.
Number four, authority. People like to obey authority figures. And this goes even if they're asked to perform objectionable acts. There's so many atrocities that have occurred throughout human history that happened because whoever was in charge was somebody that issued an order. They're gonna follow that order, even if they have a problem with it. You even look at things like the Stanford Prison Experiment as another example of, here's something that was clearly wrong, but people just follow it anyway because they see other people doing it. And they're the authority.
Number five, liking. People are easily persuaded by people they like. I fall victim to this one all the time. Here's an example. So I like listening to the Tim Ferriss Show. And my wife, for years, you know, everybody goes on those kinds of diets. And they think, you know, I want to lose a few pounds. And for years, you know, my wife would tell me, it's not so much about how much you exercise, it's all about how much you eat and controlling, you know, calories in, calories out, and, you know, "Yeah, I understand, honey." And this is an example where I hope you don't take away that I don't like my wife. But it goes to show how easily you can be persuaded by somebody. So Tim Ferriss has written a book called The Four Hour Body, and I've read it, and in there it talks about calories in, calories out. And, you know, the other day I was talking to my wife about these things and she comes back and says, "I've been telling you this for years, and you're just now listening to this guy." That's an example of me getting persuaded by somebody that I like listening to.
Finally, number six, scarcity. Perceived scarcity generates demand. We're all sitting through the middle of the Coronavirus scare of 2020. And just look at toilet paper at the beginning of this lockdown. People went out in droves and bought years' supplies of toilet paper, because they perceive that, you know, that you hear these stories that toilet paper is running out. So people have to run out and buy as much toilet paper as they can.
Social engineering attacks, and good social engineering attacks, will take several of those six key principles and combine them together to trick you into giving them access to your system. So what are some common attacks for social engineering? Well, the first attack we'll talk about is kind of the O.G., the "Mack Daddy" of social engineering attacks, and that's phishing, phishing spelled with a p-h at the beginning. Phishing is when an attacker disguises themselves as a trustworthy source to trick you into giving them information. So here's the most common phishing attack of all time: your bank sends you an email that says you had a $1,000 charge on your credit card. You open that email, and you're like, I've never spent $1,000. And the email has a nice link that says, "Click here to sign in and verify the account." So you click on that link. You start typing in your username and password and it tells you "Invalid username and password." You keep trying it, you know, eventually, you give up. You go figure out something else. Well, in the meantime, you've just typed in every single username and password that you could think of and given them to an attacker. Now they've got it. They can go to your actual bank, sign in, view your account, take out all your money, whatever. These attacks, phishing attacks, they're broad in scope. So the trick is you're going to send a million emails, just blindly shoot out a million emails with the hope that you get one or two victims. That's all you really need. And that's what makes phishing attacks so effective for potential bad guys, because it's pretty low effort. You just set up a fake Wells Fargo website, and you shoot out a million emails, and hopefully you find one or two suckers that click on it.
Drilling a little bit further into the phishing world, here are a couple more examples. First, we'll talk about spear phishing. So spear phishing is phishing, but you're going after a specific person or organization. So probably the best example I can give you here is we all remember, if we're all listening in the United States, in 2016, the Democratic Party had their emails hacked. And that was done through a spear phishing attack by a Russian cyber espionage group. They created a fake Google security alert and sent it to a couple of people specifically in the DNC, and one of them clicked on that link. And again, typed in their email password, and that was it. Now the hackers have everything that they could possibly want.
Another type of phishing attack would be vishing. So this is voice phishing. Man, these portmanteaus are getting terrible. But voice phishing is where you use the telephone in your attack in order to gain access into the system. So one example that I'll also touch on a little bit later is an attack that was done on a reporter a few years back named Mat Honan. So what happened to Mat Honan was someone called Apple pretending to be Mat, saying that he couldn't get into his email. And despite the hacker not knowing any of the answers to the security questions, Apple still issued a temporary password, which gave them access to his me.com account, the iCloud account, and things just escalated from there. Eventually, the hacker was able to pinball his way through all the different, you know, Gmail and Amazon and Twitter and all the different services that Mat was using, and effectively deleted everything, reset all the passwords, and just torched his entire digital life. It was a horrible attack. And you should look up the story in great detail if you want a scary example of how vishing can be used still to this day in order to completely ruin someone's digital life.
Next, we will talk about the watering hole attack. So this is an attack on a particular group of people, where the attacker is going to figure out the websites that are most frequently used by members of that group, and then infect one of those sites with malware. So here's an example. Let's say that I'm an attacker and I want to get access into movie studios, any movie studio. I don't really care which one, but I know I want to attack any movie studio. So I know that, frequently, editors are going to need to get access to old equipment, right? So they're going to need to download drivers that are going to allow old equipment to work with their new equipment. Well, I might create a fake website with a ton of malware for all the different brands of cameras I can think of. So when a person goes and googles, you know, "driver for this Canon camera for my Windows computer," they will come across my website and download my driver. And as soon as they install it, now I've got access to their system. And I can go through and work my way around the movie studio's systems to figure out everything that I want to figure out. That is a watering hole attack.
Next we'll talk about baiting. So baiting is an attack where you promise a reward for having the victim perform an action that they otherwise wouldn't normally perform. An easy example since we just were talking about movies would be, let's say that you want to download the latest movie that is still in theaters. So you might go to Google and type in, you know, latest movie, download or stream now. When you click on that link, you know, you're enticed. You're baited by somebody that has this video, right? Well, you're going to click that link, you're going to open up their video, and that video is actually going to be some malware. And now you've just fallen victim to a baiting social engineering attack.
Here's a business example that happens really more frequently than you would think. Let's say that you're driving into work, and you park in the company parking ramp, you get out of your car, and you look down on the ground, and there's a flash drive laying there. I mean, anyone that sees a flash drive on the ground, the first thought is, "Oh, man, I wonder what's on that flash drive." So of course, you pick it up, you walk into work, plug it into your computer and start to go see what's on there. Well, the second you plug that flash drive into your computer, all of a sudden, now you've launched a virus and it starts spreading through your company. This is a perfect example of a baiting attack. That really again happens pretty frequently.
Next we'll talk about pretexting. So pretexting is where an attacker invents a scenario which convinces victims, again, to give up information they wouldn't normally give up. So pretexting, we've kind of covered that before, again in the Mat Honan example that I mentioned above: they called Apple and tricked them into divulging information that they wouldn't normally have given up. Another example of pretexting is, let's say that I am an attacker again, and I want to get someone to transfer large amounts of money to me. Well, what I might do is go on LinkedIn, find somebody that just got hired at a really big company as an accountant. And I then do a little more research to figure out who some of the C-level executives are. And I go ahead and I call this low-level person at work, and I pretend to be the CEO. And I say, "I need you to transfer $3 million into this account right now. You have to do it. It's a life or death critical situation." So the low-level employee thinks that I'm the CEO. So he says, "Okay, yeah, there we go, done. Thank you. Goodbye." And now that person just transferred $3 million into my Cayman Islands account and I vanished into the wind. That's happened more frequently than you would think. And that's an example of using pretexting in order to, you know, contrive a scenario that's going to trick a victim into giving things out that they shouldn't.
Next we will talk about quid pro quo. So we all learned about quid pro quo again in the latter end of 2019. But for those of you who weren't paying attention, quid pro quo is Latin for "something for something." So here's an example. Let's say that I am an attacker again, and I get access to a company directory, every single phone number that belongs to a business, and I start calling every single number and I say, "Hey, this is the help desk. I'm just returning your call. What can I help you with?" 99% of the time, people are going to say, "I never called the help desk," and I, as the attacker, say, "Oh, okay, sorry, I misread the ticket here. Thank you for your time, goodbye." But 1% of the people are going to say, "Oh my god, the help desk called me back." They're going to be so blown away by this customer service that they're going to do whatever they can to help me out. So, you know, normally it might be policy not to give out your passwords over the phone. But because I called you back, you're so excited, you're going to reciprocate and give me your login information, because I need that to get into your computer, right? That is an example of a quid pro quo.
Finally, the last example of a social engineering attack we will discuss today is tailgating. This is just an unauthorized person following an authorized person into a restricted area. So if you have keycard access into your building, this would be, again, me being the hacker, I'm going to dress up as a delivery person or a waiter or something. And I have my hands full. And I'm going to follow you as you walk into the building, and I'm going to have my hands full and say, "Hey, can you get the door for me?" And you're gonna say, "Oh, yeah, of course," because you're a decent person, why wouldn't you? Then I'm just going to follow you right into the building, and you're going to go your way, I'm going to go my way and do whatever nefarious things I want to do.
So we just covered a ton of different examples of social engineering attacks. Now that I've got you good and scared, how can you prevent social engineering attacks from affecting your business? First of all, get processes in place and don't deviate from the process. This is easily the most important thing you can do, especially, you know, not just your support people but all your employees. We talked about a lot of examples involving the help desk. You have to have everybody on board. Understanding that, you know, these are the processes; you don't trust a random phone number posted on a bulletin board. There'll be an official way that we distribute information through the company, through an authorized person. You follow that process. And that's going to help alleviate a lot of those problems.
Once you put a process into place, that doesn't necessarily mean people are going to follow it. A lot of times people think processes are there just to, you know, protect the company or, you know, kind of chain you from doing what you want to do and take away your autonomy as a human to make good decisions. But sometimes processes are super important. And I think in my experience, I've found that the more I explain why a process exists, the more likely it is that people are going to follow it. So if you tell people, you know, the process is, "We don't issue password resets over the phone. You have to use the self-help tool," and explain why, then when an angry customer calls up, you're not so tempted to just reset the password for them, you know, or if somebody has a really sad, persuasive story. You know, if you follow the process, then you're not so likely to fall victim to a charming person on the other end. You can say, "I'm sorry, it's not me. It's to protect you as the user, it's to protect us as the company. You have to follow our automated tool. That's the best I can help you with. I'm sorry." That's going to help people do their jobs, as opposed to not having that understanding of why they're following a process in the first place.
Next, frequently test your team. Nothing is more effective at teaching someone a lesson than failure. And it would be so much preferable to fail by somebody testing them than it is to actually fail in real life. There are a lot of companies that you can go to and pay a few thousand dollars to have them try to do a spear phishing attack or have them try to do some pretexting. You can set up all these different scenarios to try to test your team to make sure that they are following the proper procedures. And it would be so much better for them to fail by being caught in a test than it would be in a real live scenario, so frequently test them to make sure that they are following your process and that they're not falling victim to a really well-crafted social engineering attack.
And finally, stay up to date with the latest social engineering attacks. I'm not saying you need to become a security expert by any stretch. But if you're reading the news, and you see an article about a company that got hacked, take time to read it and figure out how that organization got hacked. That's the perfect time, once you see a new attack, to look at your own process and try to determine "Hey, would we have fallen victim to that same attack?" Test your team again, take that scenario and play it out with your actual team. Make sure you have procedures in place that will safeguard yourself going forward against similar attacks.
So we talked a lot about social engineering in this episode. Here's my final takeaways. Social engineering attacks can be pretty hard to spot. Make sure you're staying vigilant. Keep discussing social engineering with everyone in your company. Just keep it top of mind, make sure that you are doing your part as the non-technical people to ensure the security and safety of your company systems. We're doing everything we can on the technical side, all that nerdy stuff I mentioned before about SQL injections and all that stuff. That's us. That's our job. You don't need to worry about that. What you can do is make sure that you're not leaving a door open that's going to let someone walk in. We can build the Fort Knox of mobile apps for you. But if you leave the gate open and fire all the guards from the front door, then there's nothing we can do to prevent an attack from happening. So do your part and make protecting yourself against social engineering attacks a priority in your company.
Well, that's it for today's show. Show notes for this episode can be found at constantvariables.co. You can get in touch with us by emailing hello@constantvariables.co. I'm @TimBornholdt on Twitter and the show is @CV_podcast. Today's episode was edited by the balsamic Jordan Daoust.
One quick favor. If you have two minutes, please head over to the Apple podcast app and leave us a review. You hear that all the time on podcasts. You've probably heard me say it before in the past, but it really does help our show rate higher in the charts. So head over to constantvariables.co/review, and we'll take you right into the app, right to our page. This episode was brought to you by The Jed Mahonis Group. If you're looking for a technical team who can help you make sense of mobile software development, give us a shout at JMG.mn.