The widespread attack on Twitter’s highest-profile users this summer was shocking in its audacity, but the means of attack is one as old as the hills. Kevin Mitnick, arguably the world’s most famous hacker, brought the art of social engineering to mass attention with his best-selling 2003 book The Art of Deception, in which he outlines how deceiving individuals is so important to effective hacking.
It’s a form of attack that Twitter identified as central to the breach, which was used to run a cryptocurrency scam that netted the hackers over $120,000 and cost Twitter a considerably larger amount of trust and brand value. Perhaps more important, however, is that while the Twitter attack certainly grabbed the headlines and the attention, it’s part of a widespread series of attacks on lower-profile targets.
The success of social engineering is predicated on the fact that many of our cyber defense initiatives continue to focus excessively on technical measures. We toughen up our IT infrastructure, install firewalls and virus checkers, and do all we can to make sure our key tools are safe from hacking. Given such defenses, it’s perhaps not surprising that hackers choose to bypass these hardened areas and instead target organizations where they’re at their weakest: their employees.
The Art of Deception provides a number of compelling examples of how social engineering can be used to gain access to systems, with most of these examples seeing employees themselves giving the attacker the keys to the vault. It’s a message that doesn’t appear to be getting through to organizations that still leave this creaking back door wide open. Indeed, even at Twitter, a social engineering attack suffered in 2019 didn’t appear to be sufficient to provoke a change in approach.
Protecting against social engineering
So how can you do better? The first step is not to feel (too) bad, as even the Central Intelligence Agency has suffered in the past from a social engineering-based attack, so you’re far from alone. The second step is to understand the essence of social engineering attacks.
There are around a dozen different forms of social engineering, and they all deploy a kind of confidence scheme designed to encourage employees to give up crucial bits of information that allow the attacker to compromise the system. Arguably the most common form of social engineering is the phishing attack, which involves emails designed to look and sound like they’re from a trusted source, such as a manager, colleague, supplier, government agency, and so on. These emails typically ask you to reveal key security information, such as a password. They’re often designed to make you feel like you’re helping someone out, but in reality you’re only helping the hacker gain access to your system.
Preventing phishing attacks is by no means easy, especially as attackers become more sophisticated, but organizations are working to do just that. Banks, for instance, regularly inform customers that they won’t communicate with them via certain channels, such as email, so any email purporting to be from the bank should be regarded as dangerous.
A more deep-rooted defense revolves around the data we share with the world. Phishing attacks often rely on a detailed understanding of the target so that the emails can appear as realistic as possible. The more information we share online that attackers can access, therefore, the more realistic, and effective, these attacks can be. For instance, the attack on Twitter took place via the company’s internal Slack channel, and it was aided by knowledge of the company’s organizational structure, key roles within the business, and even the way staff communicated.
A good defense strategy, therefore, is to educate employees on the amount of data that is online about them, and the way this information can be used to first profile that individual, and then compromise them via social engineering.
Taking action now
For too long organizations have treated social engineering as insignificant, which has left them vulnerable to attack. Verizon suggests that this kind of attack makes up over 90% of successful cyberattacks today, so the scale of the problem is considerable and should force organizations to sit up and take notice.
This is especially so as the Covid-19 pandemic has created even more opportunities for social engineers to weave their magic, as a large proportion of the workforce was forced to work from home, in extremely tense and uncertain circumstances. What’s more, the pandemic has also prompted many organizations to make employees redundant, which creates the prospect of a growing number of disgruntled current or former employees who might be willing to divulge crucial information to cybercriminals.
Huge sums are spent on shoring up organizations’ technical infrastructure. That investment is very much needed, but perhaps organizations should be spending similar sums to protect themselves from the kind of social engineering attacks that have so embarrassed Twitter this year. With cyber security increasingly a very social endeavor, it would be an investment that would certainly pay off.