26 July 2017 by Rob Shapland
Rob Shapland argues that the focus when defending against cyber attacks should be educating staff.
Most companies have no idea how vulnerable they are to cyber attacks.
Unless they regularly test their defences, it is likely that a skilled hacker could penetrate their network quickly. Even those with a cyber security budget and with tested defences in place are still sitting ducks in most cases.
Most companies focus on defending their external perimeter, spending vast sums on advanced firewalls and worrying about compliance with various industry regulations. However, the easiest way into a company is to take advantage of its people, and to do that hackers turn to social engineering.
At its heart, social engineering exploits the fact that most people are friendly and helpful. It involves basic psychological techniques and tricks to convince people to act in a way that bypasses the defences in place, such as holding a door open for someone following them into their building, or opening an email attachment that looks like it is from a friend.
When we talk about using social engineering to attack companies, we can broadly split it into three main types: email phishing, physical intrusion and vishing. All three rely on social engineering to bypass defences, but do so in different ways.
Email phishing is the biggest risk to any company and if I were to go to the dark side of hacking it is how I would choose to break in. Two relatively simple methods are used: either tricking someone into opening an attachment or convincing them to visit a link and then enter a username and password into a fake website.
The social engineering element is the content of the email, which makes people want to interact with the attachment or link. The key is to make people curious about what the content of the attachment might be, perhaps with an Excel spreadsheet purporting to show the salary increases for all staff, or a PDF file showing an Amazon parcel delivery you have missed.
As soon as the attachment is opened, either a vulnerability in the viewing application is exploited or the victim is talked into enabling a macro, and a remote access trojan runs that gives the hacker control of the computer.
A phishing email that uses links will likely trick you into thinking it is from an organisation of which you are a customer, perhaps Apple or PayPal. The email will usually emphasise urgency and may threaten you with losing access to your account if you ignore it.
An effective method for targeting companies is to copy their Outlook Web App (OWA) page and send staff a phishing email convincing them to enter their username and password.
Not only does this give the hacker access to the victim's real mailbox, but OWA authenticates with the same Windows domain username and password the victim uses on the corporate network. A stolen OWA login can therefore be reused to log in to the company network, for example once building access has been achieved.
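The two link tricks described above, a visible address that differs from the real target and a copied login page hosted on a lookalike domain, can be picked out mechanically before a user ever clicks. The following is an added example and not code from the original article; the trusted-domain list and the sample email are constructed for illustration, and the domain splitting is deliberately simplistic (a production version would use the public suffix list).

```python
"""Flag phishing-style links in an HTML email body (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed set of domains the company and its staff legitimately use (constructed).
TRUSTED_DOMAINS = {"example.com", "paypal.com", "apple.com"}

# Matches visible link text that itself looks like a URL or hostname.
DOMAIN_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1 (last two labels); fine for .com/.net illustration only."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_in_text(text):
    """Return the hostname the visible link text claims, or None."""
    m = DOMAIN_RE.match(text.strip())
    return m.group(1).lower() if m else None


def analyse_links(html):
    """Return a list of (href, reason) findings for suspicious anchors."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href or "").hostname or "").lower()
        if not host:
            continue
        target = registered_domain(host)
        # 1. The text shows one site but the link actually goes elsewhere.
        shown = host_in_text(text)
        if shown and registered_domain(shown) != target:
            findings.append((href, f"link text says {shown} but target is {host}"))
            continue
        # 2. A trusted brand name appears as a label inside an untrusted
        #    hostname, e.g. a copied OWA page at owa.example.com.<other>.net.
        if target not in TRUSTED_DOMAINS:
            labels = set(re.split(r"[.-]", host))
            for trusted in TRUSTED_DOMAINS:
                if trusted.split(".")[0] in labels:
                    findings.append((href, f"{host} impersonates {trusted}"))
                    break
    return findings


# Constructed sample phishing email, modelled on the OWA lure described above.
SAMPLE_EMAIL = """<html><body>
<p>Your mailbox is almost full. Sign in within 24 hours or access will be suspended.</p>
<p><a href="http://owa.example.com.webmail-login.net/owa/">https://owa.example.com/owa/</a></p>
<p><a href="https://www.paypal.com/help">PayPal help centre</a></p>
<p><a href="http://paypal-secure-verify.com/login">Verify your account</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, reason in analyse_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

Run against the constructed sample it flags the fake OWA link (the visible address and the real target disagree) and the lookalike PayPal domain, while the genuine paypal.com link passes. Checks like these belong in the mail gateway as a complement to the awareness training the article argues for, not as a substitute for it.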
These types of attacks, though quite successful, are relatively low skilled. More worrying is spear phishing, which uses information gathered from social media and other sources to create customised emails targeted at specific individuals.
Most people using social media do not understand privacy settings, or do not understand the risk of failing to use them. This means that hackers can gather information through a technique known as open-source intelligence gathering (OSINT) and use it to build up a profile of the individual.
An example of a useful piece of information would be where you went on holiday last year, as the hacker can then find that hotel’s website, copy its logo and send you an email as if it has come from that hotel. In the email would be an attachment, perhaps a special offer or details of an item of lost property.
If opened, the hacker has access to your computer. By customising the email in this manner it significantly increases the odds of the email being interacted with, and access being gained to the victim’s computer.
The key point here is that hackers only need an initial foothold on one computer on your network. From there, lateral movement techniques such as reusing credentials captured on that machine against other systems can spread the access until they control every computer.
Gaining access to the office building of a company makes it much simpler to break into the network. Most companies focus their defensive efforts externally, and do relatively little to protect their internal network. Gaining physical access to the building can often be simpler than trying to break in to the network from the outside.
Physical intrusion typically consists of three phases: planning, reconnaissance and execution. The planning is the most important stage, and involves research on the company and its employees. Combined with the results of reconnaissance, it allows the criminals to devise a valid pretext for entering the building.
The reconnaissance phase is used to determine key information about the target office: how many entrances and exits there are and of what type, what time people come and go from the building, what they wear, and whether they have company ID badges.
One possible pretext could be to pretend to be a valid employee, which requires dressing and acting in the correct manner. If ID badges are worn, a hacker could attempt to take a photograph of one and create a copy.
Armed with the correct dress code, a fake ID pass and some information about the company, passing off as an employee in a large office can be relatively straightforward.
The simplest way to gain access is tailgating – following people through doors. For offices without security barriers this is easy. Even those with security barriers can be tailgated as there is usually a barrier for deliveries and disabled staff that opens for longer.
Once inside the building, the main aim is to install a remote access device onto the network. This is a small box that plugs into any live network point; the floor ports in meeting rooms are usually good targets. The device then connects back to the hacker over a 3G or 4G mobile connection, so it does not depend on the company's own internet link. Disabling unused network points, or requiring devices to authenticate before they get network access (802.1X), makes this step considerably harder.
The hacker then has access as though he or she is on the internal network, therefore completely bypassing all the company’s perimeter defences. Breaking into the office and planting the device can be accomplished in minutes.
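A drop box of the kind described above still behaves like any other device on the internal network, and in most offices that means it asks the DHCP server for an address. A cheap detection is to compare every new lease against the asset inventory and the hardware vendors the company actually buys from. The following is an added example, not code from the original article; the inventory, vendor OUI list and log lines are constructed (the log format imitates ISC dhcpd syslog output, and b8:27:eb is a Raspberry Pi Foundation OUI, a common choice for such boxes).

```python
"""Flag unknown devices appearing in DHCP lease logs (added example)."""
import re

# Constructed asset inventory: MAC address -> hostname (assumed).
INVENTORY = {
    "00:11:22:33:44:55": "ws-finance-01",
    "00:11:22:33:44:56": "ws-finance-02",
    "aa:bb:cc:dd:ee:01": "printer-floor2",
}

# Constructed OUI prefixes of the hardware vendors the company uses (assumed).
CORPORATE_OUIS = {"00:11:22", "aa:bb:cc"}

# One DHCPACK line in ISC dhcpd syslog style.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<name>[^)]*)\))? via (?P<iface>\S+)",
    re.I,
)

# Constructed sample log: three known machines and one stranger.
SAMPLE_LOG = """\
Jul 26 09:02:11 dhcp1 dhcpd: DHCPACK on 10.0.2.15 to 00:11:22:33:44:55 (ws-finance-01) via eth0
Jul 26 09:03:40 dhcp1 dhcpd: DHCPACK on 10.0.2.16 to 00:11:22:33:44:56 (ws-finance-02) via eth0
Jul 26 09:41:05 dhcp1 dhcpd: DHCPACK on 10.0.2.77 to b8:27:eb:12:34:56 (raspberrypi) via eth0
Jul 26 10:15:22 dhcp1 dhcpd: DHCPACK on 10.0.2.18 to aa:bb:cc:dd:ee:01 (printer-floor2) via eth0
"""


def parse_acks(log):
    """Yield one dict (ip, mac, name, iface) per DHCPACK line; ignore the rest."""
    for line in log.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            ack = m.groupdict()
            ack["mac"] = ack["mac"].lower()
            yield ack


def unknown_devices(log, inventory=INVENTORY, corporate_ouis=CORPORATE_OUIS):
    """Return leases handed to devices that are not in the inventory or
    whose vendor prefix is not one the company uses."""
    findings = []
    for ack in parse_acks(log):
        mac = ack["mac"]
        reasons = []
        if mac not in inventory:
            reasons.append("MAC not in asset inventory")
        if mac[:8] not in corporate_ouis:
            reasons.append(f"vendor OUI {mac[:8]} not used by corporate hardware")
        if reasons:
            findings.append({"ip": ack["ip"], "mac": mac,
                             "name": ack["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in unknown_devices(SAMPLE_LOG):
        print(f"ALERT {f['ip']} {f['mac']} ({f['name']}): {'; '.join(f['reasons'])}")
```

On the constructed log only the Raspberry Pi lease is reported. A box configured with a static address never appears in these logs, which is why this check complements, rather than replaces, port security and disabling unused network points.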
One of the most dangerous ways that companies are targeted is by vishing [voice phishing] calls pretending to be from the service desk, requesting key information from staff.
By researching through social media before the call, hackers can collect personal data such as date of birth, mobile number and address, which they can use to convince the victim that they have access to this information because they are calling from the service desk. Using this technique it can be relatively simple to convince people to hand over their password or other personal details.
The reverse attack is effective too. Hackers will target a company’s service desk, pretending to be an employee working outside the office and unable to access his or her email.
Most service desks do not have a robust process for checking the authenticity of a given caller, and will reset the password over the phone. As callers state that they cannot access their email, they can plausibly claim that they cannot receive a reset via email and need to be given the new password over the phone. A robust process would verify the caller out of band, for example by calling back a phone number already held on record or by having the caller's manager confirm the request, rather than relying on personal details that can be found on social media.
Defending against social engineering attacks is almost entirely down to education and awareness. Training staff in an engaging way with people knowledgeable about the subject is the most effective way to limit the risk of these kind of attacks.
Combining this training with active testing of your defences is even better – being able to show a video of social engineers breaking into your building as part of the training has a real-world impact that really increases staff buy-in. You want to create a security-aware culture that is demonstrably effective at reducing the risk of social engineering attacks.
Try not to fall into the trap of buying off-the-shelf computer-based training that merely ticks compliance boxes – defending against social engineering should never be a mere compliance exercise.
Relying on physical security defences such as security barriers, guards and CCTV is insufficient to protect against physical-intrusion attacks. Creating a security-aware culture among staff is key, backed up by policies that support that culture.
All visitors should be accompanied, even if they are just using the toilet facilities. Staff should be encouraged to challenge people they do not recognise, and to check when entering secure areas that they are not being tailgated.
The reason most companies are so susceptible to cyber attacks is a lack of real understanding of how hackers operate.
It is easy to become fixated on the latest buzzword vulnerability, but hackers are always going to go for the easiest route in – if there are no obvious holes in your external perimeter, social engineering, and especially email phishing, is the obvious choice as it is so successful.
The primary focus should be on educating staff. Create a security-aware culture and hackers will find it significantly more difficult to breach your defences.
Rob has nine years’ experience conducting penetration tests for hundreds of organisations, from small businesses to major international organisations.
He specialises in simulating advanced cyber attacks against corporate networks, combining technical attacks with his other hobby of dressing up and tricking his way into company headquarters using social engineering techniques.