On a recent podcast, we continued our conversation with Chester Wisniewski, the principal research scientist at next-generation security leader Sophos, about cybersecurity and social engineering as he recovered from not attending Defcon. Below are his thoughts on the conference and the much larger issue of how cybercriminals use social engineering to prey on their victims.
According to Chet, Defcon is the world’s largest hacker conference that isn’t corporately sponsored or commercial. To attend, you have to pay cash for your tickets; you cannot use a credit card, so no attendee is identified. It’s typically a weekend in Las Vegas in the middle of August, because that is the most unpleasant week to be in Las Vegas, which makes it cheap. From a few hacker friends getting together for a pool party and a bit of drinking and hacking, it’s grown into an enormous event where everybody who is somebody in cybersecurity shows up.
There are 10 talks a day in 5 tracks covering different topics and new vulnerabilities, 24-hour parties for just about everything, and hacking villages. In the airplane hacking village, they had a full airplane simulator, built in cooperation with Boeing and other manufacturers, to let people try to hack into the aircraft systems. There was a voting village where they attacked electronic voting machines to find vulnerabilities and report them to the vendors. You name it, there’s somebody there. Almost every major community in the U.S. has a local grassroots hacker event, but nothing approaches Defcon, and one of the things they talked about was social engineering.
As Chet explains it, social engineering is what our moms used to call fibbing. At its best, it’s good lying.
At Defcon, they have a social engineering contest. Contenders sit in a soundproof booth and call random companies to see whether they can talk the people who answer into giving them a way into their networks.
“In essence, it’s someone convincing you to help them do something that’s against your interest,” he notes. “There was one woman making the calls with an audio tape of a crying baby in the background to add stress to the call, and that’s the kind of thing hackers will do.”
One convention had somebody go around with a camera and a microphone asking questions, but the questions were all security questions.
- Where did you grow up?
- What kind of dog did you have?
- What was his name?
The number of people who would answer those questions enthusiastically and with a smile was insane. “It’s all psychology, right? I’m sure if you talk to the sofa sales rep at the end of the quarter, you are going to get a discount to close that deal before his quota has got to be met. Cybercriminals use those same tactics through social engineering to convince us to do things, but those things are bad for us.”
Relying on our Better Selves
Think about what happens with ransomware. There’s a clock on your screen counting down that your data will be deleted in 12 hours, 3 minutes, and 19 seconds. Cybercriminals are using social pressure. Social engineering counts on the fact that most of us like other human beings and want to help them. They’re just asking us nicely to do something for them. Essentially, we’re saying, “Sure, I’ll hold the door for you.”
“The classic physical penetration test where you’re social engineering is you get a brown outfit to look like the UPS guy, and you stack packages in your arms,” Chet notes. “You shadow somebody going into the building because they’ll hold the door open for you. Of course, they’ll hold the door open. What kind of jerk closes the door and makes you badge in?” These criminals are using our innate sense of goodwill toward others to get to us.
Preying on Authority
Social engineering relies on things like Robert Cialdini’s 6 Principles of Influence. Urgency is one example, with the ransomware countdown timer on your screen. Authority is another.
“Everybody I’ve talked to about the authority principle likes to think they wouldn’t fall for it. All of us are wrong,” Derik contends. “Even if you’re aware of the scam, it can still get you if the timing and the placing are right.”
“One of my favorite stories on the mindset of Authority was about a British soldier in World War II. With just a saber, he got 42 German soldiers with rifles to surrender to him. Just him. His superiors asked him how. He said if you walk up to any German and tell them to surrender with enough authority, they’ll put their guns down and listen.”
The evolving capability of deep fakes allows that authority to be borrowed more easily. IT professionals are starting to see thread hijacking happening in real conversations. Cybercriminals compromise an email account and hijack an existing conversation between you and your boss. They reply as your boss with a malicious attachment, saying something like, “There’s been a change of plans. We’ve had to update the budget. Check the spreadsheet.” “It’s almost impossible to detect,” Chet notes. “If it were a random email from somebody in finance I’d never heard of, I’d probably be suspicious. When it’s somebody in a position of authority that I’m familiar with, I’d trust that.”
Latest Social Engineering Threats
Because of the sophistication of these attacks, standard phishing training won’t work. Newer email and text-message schemes say there’s a billing issue and ask you to call a toll-free number. There’s no malicious attachment, just a phone number that connects to a call center. When you call that toll-free number, a human being tells you that you need to fill out a form to cancel your subscription and directs you to a website, and that website is where the malicious part lives.
“The tipoff that it is a scam is that you’ve called a phone number at a major American tech company and reached a human,” Chet says. “Try talking to any human being at Amazon or Google or Facebook or any of these companies that are being impersonated. But if it’s a scam, you always get a human right away, and that’s your tip-off.”
We need to build technical systems that prevent these things rather than counting on users to spot them, because it’s just too hard. How many domain names are associated with your company? If you use Office 365, you’ll see 30 or 40 different domain names show up in links you get from Teams, Office, Word, Outlook, OneDrive, etc. How would Chet teach users which ones are legitimate? He notes that it’s hopeless to try to teach 5,000 people that http://microsoft.com is good but http://demand.msft.com is bad. Mistakes are going to happen.
Teaching employees to be aware of potential scams is useful. Teaching them to look at a URL and magically understand what it means when it’s designed for a computer, not for a human brain, is crazy. There’s a balance, and the balance is keeping scam awareness in people’s minds. Chet advocates refreshing that training every quarter and supplying pertinent examples, especially ones that have been sent to your executives or staff members.
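The technical control Chet argues for can be made concrete. The Python below is an added example, not code from the article or from Sophos: it extracts the host from each link and accepts it only when that host is one of an organisation’s trusted registrable domains or a subdomain of one. The allowlist contents, the function names, and every sample link except the two URLs quoted in the text are constructed for illustration. This is the check a mail gateway or browser policy can apply consistently to thousands of links a day, and it is the check a human glancing at an address bar cannot.

```python
"""Link allowlisting: accept a URL only if its host belongs to a trusted domain.

Added example; the allowlist and most sample links are constructed, and the
function names are this example's own, not an existing library's API.
"""
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed allowlist of registrable domains this hypothetical organisation
# treats as its own or its suite vendor's. In practice it is built from the
# vendor's published domain list, not from what users remember.
TRUSTED_DOMAINS = frozenset({"microsoft.com", "office.com"})


def link_host(url: str) -> Optional[str]:
    """Return the lowercased hostname of an http(s) URL, or None if absent.

    urlsplit().hostname already lowercases the name and drops any port or
    user@ prefix, so only the part DNS actually resolves is compared.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # A trailing dot is the fully-qualified form of the same name.
    return parts.hostname.rstrip(".")


def is_trusted(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if the host equals a trusted domain or is a subdomain of one.

    DNS names are read right to left, so the test is an exact match or a
    suffix match on '.' + domain. A plain substring test would wrongly accept
    a host that merely contains a trusted name somewhere to the left.
    """
    host = link_host(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify(urls) -> Dict[str, bool]:
    """Map each URL to its allowlist verdict, the shape a gateway log would keep."""
    return {u: is_trusted(u) for u in urls}


# Sample links: the two from the article plus constructed ones covering a
# legitimate subdomain, a trusted name placed on the left of a foreign host,
# and a non-web link that carries no host at all.
SAMPLE_LINKS = [
    "http://microsoft.com",                                   # from the article
    "http://demand.msft.com",                                 # from the article
    "https://login.microsoft.com/common/oauth2",              # constructed
    "https://microsoft.com.invoice-review.example/login",     # constructed
    "mailto:billing@example.test",                            # constructed
]

if __name__ == "__main__":
    for url, ok in classify(SAMPLE_LINKS).items():
        print(f"{'ALLOW' if ok else 'BLOCK'}  {url}")
```

The verdict for http://demand.msft.com is “block” not because the example knows anything about that name, but because msft.com is simply not on the allowlist; that is the whole point of the approach, since the decision needs no judgement from the reader of the link, only an accurate list of the domains the organisation actually uses.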
Training helps eliminate some of the less sophisticated attacks. Also, create a culture where there is no shame in employees asking a question or reporting that they’ve clicked on something they shouldn’t have. If attackers are targeting multiple people within your organization, one report might prevent others from taking the same action. With Office 365 and Gmail tools, you can search for those messages across your organization and delete them or alert users.
“People need to understand that if they fall for something and report it as quickly as possible, it can be a positive thing,” Derik adds. “No good company will fire you because you fell for something once. If they did, congratulations; you got away from a toxic organization. Now, if you’re the CFO and you’ve sent the prince of Dubai money, then maybe you might want to be worried about your position.”
Also, never underestimate an incentive, he notes. “A $50 Amazon gift card is the best $50 your IT team ever spent if it’s a raffle for people who report a security issue. It reinforces a positive thing – that you contribute when doing this. You’re not annoying us. You’re helping us. People like to compete, they like to win things, and it’s a good way to positively reinforce security messaging rather than negatively.”
This article was written from one of our podcast episodes on Between The Bytes!