Are you prepared for social engineering and the Next Big Corporate hack?

07-03-2018

Have you opened the front door for anyone who came knocking, or made way for an unknown contractor? If so, you might have been a victim of social manipulation-based hacking. Training, exercises and countermeasures can help, and this also applies to the Next Big Corporate hack, which can surely strike even you.

Two-factor authentication, different usernames and passwords for different services, patching of web systems, firewalls, control over IoT devices, and avoiding attachments and links in emails from unknown senders all work well against hacking.

All of these measures are IT based and quite common, and you can read what we at Basefarm have written earlier about them. Analysis of actual data breaches shows that these simple measures prevent most attacks.

Social engineering

But, back to where we started. Have you seen a contractor walking in the corridors without knowing where they came from, where they are going or what they are supposed to do? Is it common to have new people in your surroundings, such as temporary workers and consultants? Or have you driven into a garage facility and simply given a friendly nod to the well-dressed pedestrian who walked in while you kept the gate open? Or plugged an unknown USB stick into your computer to see what was on it?

Many of us have done things like this. In the field of information security, this may have been psychological manipulation, which in professional terms is called "social engineering".

Beware these techniques

Social engineering is about acquiring information through social skills. Wikipedia describes many techniques. These are the ones most likely to affect you:

Pretexting – the hacker first obtains some personal information to establish legitimacy in the mind of the victim, and then uses it to increase the chance that the victim will divulge more information or perform actions that would be unlikely in ordinary circumstances.

Baiting – someone leaves malware-infected USB flash drives in locations where people will find them, and gives them legitimate-looking labels that pique curiosity.

Tailgating – an attacker walks in behind you. You feel it is hard to ask the well-dressed man or woman to identify themselves, as you do not want to be exposed to negative reactions. And, after all, it is not your job, right?

Phishing – the phisher sends an email that appears to come from a legitimate business, requesting verification of information and linking to a fraudulent web page.

Spear phishing – while phishing emails are sent in large numbers in the hope that a few recipients will take the bait, spear phishing uses highly customized emails sent to a few end users. This is naturally much more work for the hacker, but probably has a hit rate ten times higher.

Confidence tricksters – can also be considered social engineers. They gain trust by manipulating people into giving access to offices or confidential information.

When we read about these techniques, we might think: this is strange, this happens rarely, it is very unlikely that we will be struck.

Unlikely might become likely

Or is it really? Precisely because it seems unlikely, these methods may work well when someone does try them out.

Therefore, you should look at preventive measures such as:

  • Include social engineering in the company information security program.
  • Teach regularly and facilitate self-study. One way is to build e-learning programs with exams (tip: see survey tools) that employees must pass.
  • Practice. For most of us, it is really hard to stop someone and ask why they are there. Practice helps to overcome such barriers. If there is one thing that builds awareness and that organizations neglect for some obscure reason, it is emergency practice.

Protect and prevent

Many want your vulnerable personal or company data, including credit card information. While we can protect ourselves against many things, we can hardly protect ourselves from attacks such as the infamous Yahoo breach, which hit half a billion users. This writer has been involved in no fewer than four such breaches, including Adobe in October 2013, Disqus in October 2017, Dropbox in mid-2012 and LinkedIn in May 2016, where 164 million email addresses and passwords were exposed.

How can I know? Well, you can check with the service Have I Been Pwned, brought to us by security researcher Troy Hunt.
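Besides looking up your email address, the same service lets you check whether a password has already appeared in a known breach without ever sending the password itself: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to the range endpoint (GET https://api.pwnedpasswords.com/range/<prefix>), and receives every matching hash suffix with a breach count, so the match is made locally. The script below is an added example, not code from the original post or from Have I Been Pwned. It simulates that exchange offline with a constructed corpus of four passwords and made-up counts; the `fetch_range_live` function shows the real call but is not used by the offline demo.

```python
import hashlib
import urllib.request

# Constructed stand-in for the breach corpus behind the Pwned Passwords
# service: a few passwords with made-up "seen N times" counts. Only their
# SHA-1 hashes are kept, bucketed by the first five hex characters.
_CONSTRUCTED_CORPUS = {
    "password": 3_000_000,
    "123456": 20_000_000,
    "letmein": 250_000,
    "Summer2018!": 1_200,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _build_buckets(corpus):
    """Group hash suffixes by their five-character prefix, as the server does."""
    buckets = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        buckets.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return buckets


_BUCKETS = _build_buckets(_CONSTRUCTED_CORPUS)


def fetch_range_offline(prefix: str) -> str:
    """Offline stand-in for the range endpoint. It only ever sees the
    5-character prefix, never the full hash or the password."""
    assert len(prefix) == 5, "the k-anonymity protocol sends exactly five hex chars"
    return "\r\n".join(_BUCKETS.get(prefix.upper(), []))


def fetch_range_live(prefix: str) -> str:
    """Real lookup against the Pwned Passwords API (needs network;
    not called by the offline demo)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "example-pwned-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are ignored."""
    result = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        result[suffix.upper()] = int(count)
    return result


def times_pwned(password: str, fetch_range=fetch_range_offline) -> int:
    """Return how often the password appears in the corpus (0 = not found).
    Only the first five hex characters of the SHA-1 leave this function."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "I like trains, would you like to fly with me to Canada next year?"):
        n = times_pwned(candidate)
        verdict = f"seen {n} times, do not use" if n else "not in the corpus"
        print(f"{candidate!r}: {verdict}")
```

To run against the real service, pass `fetch_range=fetch_range_live` to `times_pwned`; the privacy property is the same, because the only data that leaves your machine is the five-character prefix shared by many unrelated hashes.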

When any of these Big Corporates are hacked, you are too. New hacks are likely, and if you are a heavy user of net services and social media, the probability that you will be hit is real.

So, what to do? Whether you are hit through phishing, spear phishing or indirectly through a Big Corporate hack, a reused password lets one breach open all your other accounts, so you should never reuse passwords. Instead, get a password manager, which lets you create unique usernames and passwords for each service you sign up to, protected by a single master password that can, for example, be a long sentence. A master password such as "I like trains, would you like to fly with me to Canada next year?" is both easier to remember and harder to break by brute force than "u(!3%N,#". Depending on the password manager, it can also sign you in to websites automatically once you have authenticated to the manager, saving you time.

One last thing. If your credit card might have been involved, block the card through the issuer's service. They will be more than happy to replace it.