CIO

Social Engineering is the new norm in hacking

By Murray Goldschmidt, COO of Sense of Security.

Companies are constantly evolving their security measures and technologies to prevent hackers gaining access to their networks. However, hackers themselves are becoming more sophisticated in trying to bypass these defences, by going around the network and targeting the aspect of a company where security is most neglected - the people.

Employees who aren’t educated to identify and react to a cyber security threat are a company’s weakest link, as echoed by EY’s Global Information Security Survey 2017, which found 74% of cyber attack sources are careless or uneducated employees. Targeting employees of a company through social engineering tactics allows hackers to bypass advanced defences and technologies.

Here is how cyber criminals are making social engineering the new norm, and how to protect your employees against it.

Don’t get reeled in by the phish

Phishing is the most common form of social engineering and the way cyber criminals gain access to a network. Essentially, hackers trick an employee into trusting them enough to allow network access. As an example, a hacker might spend a few months researching an organisation, its structure and the employees within it to figure out the best target and method of approach. These methods could look something like a fake email mimicking that of a company executive, requesting urgent payment of an invoice.

The urgency of the email would lead to carelessness and mistakes being made by employees. Their intention is to satisfy the boss’ request, so they likely won’t take the time to think about whether the email is legitimate or not.
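The executive-impersonation email described above leaves traces that mail filtering can check before the message ever reaches an employee: a display name that belongs to an executive but an address that does not, a look-alike sender domain, a Reply-To that points elsewhere, and urgent payment language. The following is an added example written for this page, not code from the author or from Sense of Security; the company domain `example.com`, the executive directory, the keyword lists and both sample messages are constructed assumptions.

```python
"""Heuristic checks for executive-impersonation phishing (added example)."""
from email import message_from_string
from email.utils import parseaddr

# Assumptions, constructed for this example: the company's own mail domain
# and a directory of executives whose names an attacker might imitate.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
URGENCY_WORDS = ("urgent", "immediately", "asap", "overdue", "today")
PAYMENT_WORDS = ("invoice", "payment", "wire", "transfer", "bank details")


def _domain(address):
    """Return the lower-cased domain part of an email address, or ''."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def _edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_message(raw_message):
    """Return a list of human-readable findings; an empty list means no red flags."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = _domain(from_addr)
    name_key = " ".join(display_name.split()).lower()

    # 1. Display-name impersonation: the name is an executive's, the address is not.
    if name_key in EXECUTIVES and from_addr != EXECUTIVES[name_key]:
        findings.append(f"display name '{display_name}' matches an executive "
                        f"but sender is {from_addr}")

    # 2. Look-alike domain: close to the company domain but not equal to it.
    if (from_domain and from_domain != COMPANY_DOMAIN
            and _edit_distance(from_domain, COMPANY_DOMAIN) <= 2):
        findings.append(f"sender domain {from_domain} looks like {COMPANY_DOMAIN}")

    # 3. Reply-To pointing somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"Reply-To domain {_domain(reply_to)} differs from sender domain")

    # 4. Urgent payment language, the lure described in the article.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(w in text for w in URGENCY_WORDS) and any(w in text for w in PAYMENT_WORDS):
        findings.append("urgent payment request in subject/body")

    return findings


def is_suspicious(raw_message, threshold=2):
    """Treat a message as suspicious when it trips several independent checks."""
    return len(analyse_message(raw_message)) >= threshold


# Constructed sample messages (not real traffic).
IMPERSONATION = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mailbox.example.net
To: accounts@example.com
Subject: URGENT: overdue invoice

Please process the attached invoice payment today, I'm in meetings all day.
"""

LEGITIMATE = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 planning notes

Attached are the notes from this morning's planning session.
"""

if __name__ == "__main__":
    for label, sample in (("impersonation", IMPERSONATION), ("legitimate", LEGITIMATE)):
        print(label, "->", analyse_message(sample))
```

Each check on its own produces false positives (an executive mailing from a personal address, a genuinely urgent invoice), which is why `is_suspicious` requires more than one to agree; in a real deployment these findings would feed a quarantine or a banner on the message rather than silently dropping it.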

A recent example of Australians falling victim to a wide phishing attack is the case of Victorian home buyers who were targeted, with the hacker pretending to be a real estate agent requesting payment. Over $200,000 was lost due to the buyers trusting the fake email address used by the hacker.

Carelessness like this is contributing to the expanding cost of cyber attacks in Australia, with the Norton Cyber Security Insights report outlining weak cyber security cost Australian businesses $2 billion in 2017.

Hackers are making themselves at home

With the increase in protection around network assets, cyber criminals have to think outside of the box when it comes to breaching a company’s defences. Rather than trying to keep up with the sophisticated defences in place, hackers are taking traditional routes to gain access to an organisation - through its front door.

Front door social engineering tactics, again, involve tricking employees into trusting a hacker enough to let them inside the building or onto a network. It’s easier for hackers to gain access this way, as companies are often so focused on securing a network that they forget about their weakest link - humans.

Front door social engineering can take many forms, including:

  • RFID spoofing: This is as easy as getting in an elevator with an employee, and standing close enough to them so a scanner picks up their low frequency RFID pass in their pocket and copies the data, allowing hackers to duplicate passes and gain access to all areas.

  • Tailgating: As the name suggests, tailgating can be as simple as following somebody through a turnstile, or into an elevator to gain access to restricted floors when employees scan their pass.

  • Posing as an employee or contractor: As an IT security consultancy, we are commonly employed by companies to test their defence protocols by attempting to gain access to their network by any means. In the past we have been able to simply walk up to a receptionist under the guise of an IT contractor, and be granted access to a network.

It can also be as simple as asking “Could you hold the door open for me? I forgot my key.” While you may hear this all the time around your office building - and mostly it is harmless - it’s a very common social engineering tactic, which could be easily avoided.

How to combat social engineering

Awareness is key. Social engineering tactics can all be mitigated by ensuring employees are educated in knowing how to identify and respond to them.

This does not have to be elaborate and can include anything from showing educational videos and running through scenarios, to having a cybersecurity expert host an information session. It’s also important to follow up on these lessons with reminders such as posters or quarterly refresher meetings. Test your employees’ awareness by sending out fake phishing emails to everybody, and follow up with those who did not identify the fraudulent email.

Physical access points can also be secured by installing or upgrading building entry systems to make it more difficult for threat actors to infiltrate.

Further to this, companies have to be proactive in monitoring and assessing their defences constantly, as security threats are always evolving and a given threat is often short-lived, effective only until the next advancement in defence technology or software is released.

One way to closely monitor the effectiveness of a company’s security protocols is to employ services such as Red Teaming. This takes a tactic traditionally used by military teams to test their strategy and effectiveness, and employs it within a company setting to identify security shortcomings.

Red Teams look at a company from a hacker’s perspective, with the aim of gaining access to a network by any means possible. This can include employing social engineering tactics such as phishing, tailgating or posing as an employee. Red Teaming will help companies identify holes in their security and their susceptibility to hackers, unlike penetration testing, which only works with a narrow scope of threats.

A lack of cyber education for employees can create a volatile security environment for Australian companies. To stay ahead of the curve, forward-thinking companies are employing a more holistic approach to cyber security, by including employees in their defence protocols, ensuring all aspects of their business are secure.