Connecting the (Information) Dots
In this final post, we tie everything from the previous posts to show you how the bad guys use social engineering, AKA employee manipulation, tactics to break into your company based on what they’ve learned online.
We know the bad guys are out there. We now know they have access to a treasure trove of personal information (see my previous posts). What next? As in the physical world, they will use the information at their disposal to look for the easiest way in.
olks sometimes ask me if hacking is like what you see in the movies. Well, that really depends on the movie! But usually, no. Hackers are like anyone else, and look for the easiest way in, which might not always be at the end of a keyboard in some cold dark basement. In fact, almost a third of attacks are now done with some combination of technical and social engineering techniques.
For example, the Stuxnet attack on the Iranian nuclear plant was a combination of extremely sophisticated code copied to a thumb drive. That thumb drive was harmless until some hapless employee plugged it into the (previously) secure, stand alone network. Then it sprung into action, taking out actual physical systems that were controlled by computer.
The famous Zeus trojan horse, which, among other things, has been used to drain corporate bank accounts, usually gets its network foothold when an employee clicks on an infected link or opens an email attachment. To get the user to take action, the attacker may have spent hours in Internet research, honing the message to make sure the email would get read and opened by the target. Obviously, the more the bad guy knows about the target the easier it is to craft a message that will be opened.
Maybe you feel protected because you don’t post your work email address online. If so, good for you! But, if I know your name and where you work, why can’t I guess it based on your company’s email convention? Firstname.Lastname@company.com? Or why not send the attack to your home account? While it might seem unusual to get something work related at home, a well crafted attack will still be difficult to detect.
Forget email, how about combining the virtual world with the physical world? Why not take something you’ve learned about someone, then send them a package? Or make a fake badge that looks like an employee in a remote location to gain access? Once inside, use “insider” information you garnered online to backstop your cover story. This is surprisingly easy to do.
What is a beleaguered IT department to do? Since money won’t fix the problem (see my previous posts), look at your organization from the eyes of an adversary. Then spend some effort on a thorough, comprehensive security awareness program for your employees. Measure the results afterward to ensure “the light bulb goes off”.
Then maybe, just maybe, the bad guys will look for an easier target!
About the Author