More than a connected nation, we are now a connected world. Data in one corner of the planet can be accessed by someone halfway around the globe in a matter of seconds with a few keystrokes. The ongoing evolution of computers, digital systems, and of course the Internet, has made this possible. This technology has given us great convenience, but to attain it we have had to give up a measure of security. There was a time when our digital systems were relatively secure because they were isolated from the outside world; now they are connected to the Internet, either directly or through the larger systems of which they are a part. This connectivity has created the need for cybersecurity to protect the sensitive data stored within our digital systems. That security often comes in the form of hardware and software that, properly configured, can create a formidable barrier against unwanted intrusions.
While much attention goes to creating and maintaining those defenses, far too often overlooked are the human beings who work in our organizations and use our digital systems. While hardware and software will always do exactly as programmed (without emotion), human beings make mistakes: "human performance errors." People with malicious intent (hackers, cybercriminals, hacktivists, cyberterrorists, or those employed by nation states) take advantage of human nature and manipulate people into doing things they should not. The process they use is "social engineering."
Social Engineering Defined
"Social engineering is a non-technical method of intrusion hackers use that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. It is one of the greatest threats that organizations today encounter."
Following are a few examples of social engineering:
- Example 1: Karen, a newly hired employee at the XYZ organization, gets a call from "Bob" in the IT department. He politely asks how her day is going and whether she has settled into her new job OK. He mentions that he is the coach of the company soccer team, heard she was interested in the sport, and suggests she consider joining. After more small talk he tells her the reason he is calling is to establish her password for the digital system. When she says she already has one, he tells her that was only a temporary password and she needs a new one immediately. He asks for the temporary one so he can enter the permanent one, and she gives it to him. Bob now has a valid password for the company system, a foothold he can use to work toward higher levels of access. "Bob" is a hacker using social engineering techniques.
- Example 2: Frank, also an employee at the XYZ organization, gets an e-mail from "William Bayer," who he knows runs the finance department for the company. In the e-mail, William informs Frank that the new healthcare policy requires all employees to view and accept its terms before it takes effect; if they fail to do so, penalties will be deducted from their next paycheck. William includes a link for Frank to click to reach the form. Frank innocently clicks the link and is directed to a bogus site, where his machine downloads malware. Likewise, "William" is a hacker using social engineering techniques.
- Example 3: Beth, a receptionist at the XYZ organization, sees a delivery person enter her office with a huge bouquet of Valentine flowers that he says is for a "Ms. Adams." He asks where her office is, and Beth directs him to it. While in the office, the delivery person quickly plugs a hardware keylogger into the back of Ms. Adams's computer. The "flower deliveryman" is in fact a hacker using social engineering techniques.
While these three examples seem different, they share several commonalities, including trust, respect for authority, and courtesy. Social engineers prey on these human attributes.
In the first case, Karen is fooled by a social engineer who preplanned his call by checking the company website for the names of IT personnel and welcome notices to new employees, and then scanned social media to learn the likes and dislikes of XYZ's employees. In the second case, Frank was tricked into following a link to a site he probably knew he shouldn't, because of the threat of losing money, the authority of the finance officer, and confusion over healthcare issues, and because the social engineer had located the name of the finance officer on the corporate website. In the third case, Beth is courteous to the delivery person (who projects authority with an official-looking uniform) and to Ms. Adams, so that she can get her flowers.
Who Are Social Engineers, and What Do They Seek?
Social engineers are people seeking sensitive information or access to sensitive areas from an organization for several reasons, including financial gain, terrorism, or as the representative of a rogue nation seeking advantage over another state. They are skilled professionals who have honed their abilities at acting, persuasion, coercion, and the manipulation of human nature.
How Common Is Social Engineering?
By some estimates, 80 percent of all cyber breaches begin with a nontechnical reconnaissance by bad actors. They seek small bits of information obtained via social media, company websites and bulletin boards, random phone calls, newspaper articles, and even rummaging through trash bins. Once they have that small bit of information, they will leverage it upward, gaining more and more information that allows them access to a system or to a restricted area, and eventually complete access to the data stored within.
Combatting Social Engineers
First and foremost, the best way to counter breaches of a digital system by social engineering techniques is through extensive awareness training of the employees in an organization. Education is without a doubt the most effective way to deter bad actors using social engineering. Such training should focus on making employees aware of social engineering, teaching them how to identify social engineering attempts, and telling them what they should do preemptively to forestall such attempts.
- E-mails: Employees should be wary of any unexpected e-mail, especially one that carries an attachment or a link, even when the sender's name is familiar. One of the primary ways social engineers gain entry to a digital system is by getting an employee to open a malicious attachment or follow a link that delivers malicious code; a sender's displayed name is easily forged, so an employee who is unsure should confirm with the sender through a channel other than a reply to the message.
- Think before acting: Social engineers will often attempt to contact an employee at an inopportune moment and try to rush them to do something before they have time to think. Pressure is one of their important tools. Employees should never rush to take an action before they ponder the consequences of that action.
- Giving out passwords: Employees should reject any request for passwords or personal information, no matter who appears to be asking. Legitimate IT staff never need a user's password to do their work, so a request for one is itself a warning sign. Posing as a company figure with authority, a social engineer will attempt to coerce a lower level employee into providing information, such as a password, that can be leveraged into higher access. An employee who receives such a request should decline, hang up or close the message, and then contact the IT department through a number or address the employee already knows to be genuine.
- Downloading: Employees should not download a file unless they are sure it is legitimate and positive it comes from someone they know and trust, which means checking that the sender's actual address, not just the displayed name, belongs to that person.
- Spam: Set spam filters on high. E-mail program settings should be set to reject as much junk mail as possible.
- Strengthen your defenses: Fortify cyber defenses with well-configured firewalls and up-to-date antivirus software. While people make mistakes, a properly configured firewall and up-to-date software generally do not. These tools will not stop an employee from reading a password aloud over the phone, but they limit what an attacker can accomplish with a malicious link or attachment once an employee has been fooled.
- Create a cybersecurity culture: Some industries have a well-known culture of safety that is second nature to employees. In such organizations, every member from the lowest to the highest on the corporate ladder is immersed in the culture. They live and breathe the culture, and every action is intertwined with safety. Emulate that culture, replacing safety with cybersecurity.
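The e-mail in Example 2 and the E-mails and Spam guidance above describe one recurring pattern: a familiar name on an unfamiliar address, a threat of lost money with a deadline, and a link that points somewhere other than where its text claims. The following Python script is an added example and is not code from the original article; it screens a message for those three signals so a mail filter or help desk can flag it before an employee acts on it. The organization's mail domain `xyz.example`, the small staff directory, and the two sample messages (one phishing, one genuine) are constructed for the example.

```python
"""Screen an e-mail for the social engineering signals seen in Example 2.

Added example: the domain, staff directory and sample messages below are
constructed for illustration and are not from the original article.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAIN = "xyz.example"  # assumption: the organization's mail domain
# assumption: directory of staff whose names an attacker is likely to borrow
KNOWN_STAFF = {"william bayer": "william.bayer@xyz.example"}
# words that pressure the reader to act before thinking
URGENCY = re.compile(
    r"\b(immediately|within 24 hours|penalt(?:y|ies)|deducted|suspended|final notice)\b",
    re.I,
)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(value):
    """Host part of a URL or bare hostname, lowercased."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _looks_like_url(text):
    return re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I) is not None


def _body_text(msg):
    """Decoded text/plain and text/html parts, concatenated."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(parts)


def analyze(raw_message):
    """Return a list of human-readable findings; an empty list means no signal fired."""
    msg = message_from_string(raw_message)
    findings = []

    # Signal 1: a known employee's name on an address that is not theirs.
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if name.lower() in KNOWN_STAFF and addr.lower() != KNOWN_STAFF[name.lower()]:
        findings.append(f"display name '{name}' belongs to staff but address is {addr}")
    elif sender_domain != INTERNAL_DOMAIN:
        findings.append(f"sender is outside {INTERNAL_DOMAIN}: {addr}")

    # Signal 2: pressure language in the subject or body.
    body = _body_text(msg)
    hits = sorted({m.lower() for m in URGENCY.findall(msg.get("Subject", "") + "\n" + body)})
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # Signal 3: a link whose visible text names a different host than its href.
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        if _looks_like_url(text) and _domain(text) != _domain(href):
            findings.append(f"link text shows {_domain(text)} but points to {_domain(href)}")
    return findings


# Constructed sample: the Example 2 lure as it might arrive in Frank's inbox.
PHISHING_MAIL = """\
From: William Bayer <william.bayer@xyz-benefits-portal.example>
To: frank@xyz.example
Subject: New healthcare policy - action required immediately
Content-Type: text/html; charset=utf-8

<p>All employees must view and accept the new healthcare policy terms.
Failure to do so means penalties will be deducted from your next paycheck.</p>
<p><a href="http://xyz-benefits-portal.example/login">https://hr.xyz.example/healthcare</a></p>
"""

# Constructed sample: a genuine notice from the real finance officer.
LEGIT_MAIL = """\
From: William Bayer <william.bayer@xyz.example>
To: frank@xyz.example
Subject: Healthcare policy update
Content-Type: text/html; charset=utf-8

<p>The updated healthcare policy is posted on the intranet for your review.</p>
<p><a href="https://hr.xyz.example/healthcare">https://hr.xyz.example/healthcare</a></p>
"""

if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING_MAIL), ("legitimate", LEGIT_MAIL)):
        print(label, analyze(raw))
```

None of these checks is proof of an attack on its own; a real finance notice can be urgent, and a legitimate vendor can write from an outside domain. The value is in the combination: a message that trips all three checks is exactly the one an employee should report rather than click, and a filter that surfaces that combination gives the "think before acting" advice above a technical backstop.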
The attacks on our cyber systems will only grow more sophisticated in the years ahead as those with malicious intent seek new paths to our sensitive data. We can expect the attacks to target businesses large and small, educational institutions, government agencies, and critical infrastructure. We can also expect that social engineers — little more than old-fashioned con men wrapped in technology — will continue their efforts to gain entry by exploiting human nature. The most effective way to thwart them is through ongoing training and creating a culture in the workplace that recognizes and embraces cybersecurity.
Jane LeClair, EdD, is currently the chief operating officer for the National Cybersecurity Institute at Excelsior College, an academic and research center, and previously served as the dean of Excelsior’s School of Business and Technology. In 2015 she published Volume II of Protecting Our Future: Educating a Cybersecurity Workforce and Cybersecurity in Our Digital Lives. An advocate for attracting women to cybersecurity, she is a thought leader who regularly speaks with the media and has testified before Congress on cybersecurity in small business. Dr. LeClair holds an MS in Cybersecurity and a doctorate in Adult Education.
© 2015 Jane LeClair. This EDUCAUSE Review article is licensed under the Creative Commons BY-NC-SA 4.0 International license.