Last week Smarter MSP examined the security threat that social engineering poses to organizations of all sizes. Social engineering is a technique that hackers use to gain access to an organization’s network, without having to break down the metaphorical door. After all, why should you waste time breaking down the door, if someone will open it for you?

Smarter MSP recently hosted a roundtable discussion with an expert team from the University of North Dakota, to learn how MSPs can combat social engineering attempts. We found that some of the best work in cybersecurity is taking place on the plains of America’s breadbasket.

Joining the discussion are James Maguire, Security Engineer at High Point Networks, Martin Pozniak, a University of North Dakota cybersecurity graduate, and Dr. Prakash Ranganathan, the director of the university’s cybersecurity studies program.

Why is social engineering such a powerful tool for hackers?

Social engineering is a powerful tool for hackers because they can evade traditional network defenses through non-traditional strategies. Controls such as anti-virus, firewalls, or encryption do nothing to stop a user from willingly giving their credentials to an attacker.

Even when a company implements the most state-of-the-art technical and physical security measures, all it takes is a single employee to mistakenly trust an adversary one time and inadvertently provide a way into the system for the attacker.

Social engineering can be non-technical and doesn’t need to involve exploitation of hardware, software, or firmware systems. If an attack succeeds, employees can hand over access and compromise legitimate information. However, you can’t expect people to be perfect 100 percent of the time, which is why social engineering attacks will continue to be employed by hackers.

What can MSPs do to combat social engineering-based attacks from hackers?

Education and awareness are the keys to preventing your organization from falling victim to savvy attackers who are trying to gain access to sensitive data. MSPs can combat social engineering attacks by spreading awareness and informing their clients of such attacks.

MSPs should also be aware that they may be impersonated, meaning an attacker could send an email or place a phone call to a client while posing as the MSP. This scenario could also be reversed, as an attacker could pose as a client and call the MSP to request access to a system or credentials. Both the MSP and the client should have a clear understanding of how systems are accessed, how credentials are secured, and how an individual’s identity is verified over the phone and through emails.

Ultimately, it all comes down to training. Employees and people need to learn that these threats are very real and very prevalent.

Everyone wants to be nice and help their fellow man by giving out some information or holding a door open for them. Unfortunately, in this age, attackers take advantage of such gestures and use them to gain unauthorized access to secure systems. Employees must be trained to follow a very specific protocol when giving information, providing physical access, or otherwise dealing with information between people within, or outside of, the company.

What are some of the ways in which hackers are using social engineering?

The most common use of social engineering is a phishing email. Hackers will craft email messages to make them appear to be coming from a legitimate organization, like Amazon or UPS. Email users should carefully scrutinize the domain the email is sent from and verify that it matches up with the company’s actual domain.
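The sender-domain check described above can be automated in a mail-triage script. The following is an added example, not code from the article or the roundtable participants; the allowlist, the sample headers, and all function names are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed allowlist: brand name -> domains that brand really sends from.
KNOWN_SENDERS = {"amazon": {"amazon.com"}, "ups": {"ups.com"}}

# Digit-for-letter swaps often used in lookalike domains.
LOOKALIKES = str.maketrans("0135", "oles")

# Constructed sample From: headers.
SAMPLES = ['"Amazon Support" <no-reply@amaz0n-support.example>',
           "UPS <tracking@ups.com>"]


def split_from(from_header):
    """Return (display name, sender domain), both lowercased."""
    name, addr = parseaddr(from_header)
    _, at, domain = addr.rpartition("@")
    return name.lower(), (domain.lower().rstrip(".") if at else "")


def is_under(domain, allowed):
    """True if domain equals an allowed domain or is a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def brands_claimed(name, domain):
    """Brands named in the display name or imitated in the domain."""
    text = f"{name} {domain}".translate(LOOKALIKES).replace("rn", "m")
    tokens = set(re.split(r"[^a-z0-9]+", text))
    return [b for b in KNOWN_SENDERS if b in tokens]


def check_sender(from_header):
    """Classify a From: header as 'match', 'mismatch' or 'unknown'."""
    name, domain = split_from(from_header)
    if not domain:
        return "mismatch"
    claimed = brands_claimed(name, domain)
    if not claimed:
        return "unknown"
    # Every brand the message claims must own the sending domain.
    # A forged From: using the real domain still passes here; SPF, DKIM
    # and DMARC results are what cover that case.
    ok = all(is_under(domain, KNOWN_SENDERS[b]) for b in claimed)
    return "match" if ok else "mismatch"


if __name__ == "__main__":
    for header in SAMPLES:
        print(check_sender(header), header)
```

A "mismatch" result means the message names a known brand but was sent from a domain that brand does not own, which is the condition the paragraph above asks users to look for by eye.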

Approaches like impersonation can be used to gain physical access to buildings or secure areas. An attacker can simply dress up like an IT person, print a fake badge that looks believable, and the front desk may be happy to let them through. Other social engineering tricks include:

Tailgating, or piggybacking: This is also used to gain unauthorized access to physical locations. An example is following someone with access to a secure facility through the door.

Smarter MSP notes that this is a building security issue as much as anything, and MSPs need to be working with all stakeholders in an organization, including physical security staff.

Credential Harvesting: Hackers steal credentials of employees by creating fake login pages that look legitimate. Many of these attacks can be strung together and used over time to successfully exploit a company.

Baiting: Attackers leave a malware-infected device, such as a USB flash drive or CD, in a place where someone will likely find it. Success hinges on the notion that the person who finds the device will load it into their computer and unknowingly install the malware. Once installed, the malware allows the attacker to advance into the victim’s system. To thwart this attack, a person needs to be careful with unknown devices.

Pretexting: An attacker fabricates false circumstances to compel a victim into providing access to sensitive data or protected systems. Examples of pretexting attacks include a scammer pretending to need financial data to confirm the identity of the recipient or masquerading as a trusted entity, such as a member of the company’s information technology department, in order to trick the victim into divulging login credentials or granting computer access.

What are some of the biggest social engineering-connected cyberthreats?

The biggest social engineering-connected cyberthreats are those that pose a risk to human life and safety. Hackers have already proven that they can gain access to credentials and systems using targeted emails or phishing emails.

Look no further than the 2016 Clinton campaign, when Russian hackers used spear phishing emails to target staffers. Another example is the 2016 Western Ukraine power grid attack, which left 230,000 users in the dark. The attackers were skilled and stealthy strategists who carefully planned their assault over many months, first doing reconnaissance to study the networks and siphon operator credentials, then launching a synchronized assault in a well-choreographed dance.

Hackers will continue to use phishing emails to target organizations. If hackers can compromise businesses in the transportation, healthcare, or energy industries, they may be in a position to inflict physical harm.

Each individual member of an MSP is a vital part of the organization’s defense against social engineering attacks. Strengthening each one of them with education and training is an MSP’s best chance of avoiding becoming another victim of social engineering.


Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.
