INVITATION TO CYBERSECURITY 70

4.1.2.1 Deceiving Authorized Users

“What’s the greatest threat to the security of your business assets? That’s easy: the social engineer—an unscrupulous magician who has you watching his left hand while with his right he steals your secrets.”
- The Art of Deception by Kevin Mitnick

It is commonly said that people are the weakest link in cybersecurity. Cyber attackers look for the easiest way to compromise their target, and frequently this is through the people who work for the organization they are targeting. Social engineering is sometimes called “the art of human hacking.” Social engineering is the practice of deceiving people into divulging sensitive information or performing actions that undermine security. It can take place over any communication medium, including in person, over the phone, through email, via social media, and any combination of these and more. Dropping a malware-laced USB stick in the parking lot of a target and hoping a curious employee picks it up and plugs it into their work computer is an example of social engineering.

More sophisticated types of social engineering typically follow a multi-step process.

The first step is gathering background information. This means uncovering information that helps the attacker find a contact and win that contact’s trust. During this phase, the attacker learns the vocabulary of the organization, including esoteric acronyms and other insider information such as the names of employees and vendors. Speaking the language of the organization helps the attacker gain trust. The famous social engineer Kevin Mitnick had an uncanny ability to quickly gain trust by convincingly sounding like an insider.

The next step is pretexting. Pretexting involves creating a believable background story for making contact. Essentially, it is lying about who the social engineer is and why they are contacting the target. An example of pretexting is someone dressing up as a plumber and explaining to the front desk receptionist that he is responding to an urgent water leak and needs to be let inside the building immediately. Another example is calling an employee while pretending to be an information technology (IT) staff member. Sometimes pretexting involves lying about an imminent crisis to scare the target and create urgency.

The final step is influencing. This is getting the target to divulge sensitive information or take actions that undermine security. In some sophisticated cyber attacks, the attacker works over a long period of time to build the trust of an important gatekeeper before asking them to do anything that would undermine security. By then, the social engineer has put himself beyond suspicion. Table 4.3 provides an example of the three phases in a realistic social engineering attack.

Phishing emails are a type of social engineering. In some phishing attacks, the attacker sends the target an email with an attachment and tries to entice the target into opening it. The attachment might be a document that executes a script that allows the hacker to ac-