No matter how strong your security strategy is, there’s always one vulnerability hackers can try to exploit: Your employees.
Social engineering relies on human weaknesses to overcome security roadblocks.
Rather than hacking your systems, they hack your users to gain access to sensitive data.
This is most often achieved through phishing, tailgating, and impersonation attempts.
Cyber criminals use well-honed manipulation tactics to instil a sense of urgency or fear. Once they trigger an emotional response, they’ll use this as leverage to cloud your better judgment.
Social engineering attacks can be especially high-risk as they rely on something which is difficult to control: human error. Mistakes made by your employees are unpredictable. They are harder to identify and prevent than a malware-based attacks, but that’s not to say it’s impossible.
Are you addressing human weakness in your security strategy?
As humans, making mistakes is part of our DNA, a core part of our psyche – which helps us learn and grow. Yet when it comes to Cyber Security investment, building human resilience is often low on the agenda.
According to research by IBM, human error is responsible for 95% of security breaches. This means if human error was eradicated, 19 out of 20 security incidents may not have happened in the first place.
Traditional hacking isn’t the only way for criminals to get access to your personal information.
So why is it that many firms still focus solely on preventing hackers exploiting technical weaknesses?
With high-profile malware attacks and data breaches dominating the news, threats like tailgating and social engineering attempts are overlooked.
They may not get as much airtime, but these social engineering techniques shouldn’t be underestimated. They are often exceptionally well researched and present a substantial risk to modern enterprises.
The link between physical security, information security and cyber awareness
There is a close relationship between physical security, information security and cyber awareness which shouldn’t be ignored. To counter this threat, businesses need to address the imbalance of security spending.
It all starts with a change in mindset when building your security strategy. This should focus on the intrinsic connection between people and infrastructure security. An effective strategy should tackle both technological intrusion attempts, and the risk of human error.
Physical security should be more than just locking doors and requiring key fobs or signatures to enter. It also needs to address the risk of social engineering attacks.
The key to building a human firewall is to test for risks and educate people on how to change their behaviour. Your employees are your ally, not your security weakness. Give them the tools they need to protect your brand, and they’ll help you fight cyber-crime.
Social engineering penetration testing in action
We help our clients build more resilient defences from a technological and human perspective.
But how does social engineering testing look in practice?
Let’s set the scene, we’ve taken on the role of a ‘hacker’. We need to create a master plan of how to infiltrate your office building, and gain access to your systems and data. Here’s a summarised version of a step-by-step approach we may follow.
Reconnaissance
- Online research: We start by conducting some online research about your company. Our first stop is your Linkedin page to help us verify office addresses and identify our target location.
- Identify key employees: We take note of names and job titles of key personnel that may help us compromise the site. If we get push back, this can be used to convince your team we have permission to be there.
- Social media information gathering: We take time to research employee profiles on both Linkedin and other social platforms, what are their likes and interests? This could help build rapport and trust once onsite.
- Historic rental listings: We do some online research on the location. We’re able to find a historic rental listing for your office which provides floor plans and images of the layout, to help familiarise us with the building before arrival.
- Onsite reconnaissance: We assess the security of a building before trying to physically enter it. This includes looking at how employees gain access to the office, the times they arrive, and identifying security cameras. We also look through waste bins for sensitive corporate documents.
Developing a pre-text: Who will we impersonate?
“Ultimately if a good pen tester is given appropriate time and resources, they will get it in.”
We then need to decide a pretext to gain access to the building. Common pretexts we use are:
- Consultants engaged directly by CEO to conduct a data security audit of the site. We have a contact in our phone who we can call if we need to impersonate the CEO to verify this back story.
- BT engineer fixing and enhancing broadband capability, we can purchase uniforms online to make us appear legitimate.
- External IT MSP provider, carrying out deployment of new technologies and network changes, (the perfect pretext to get access to restricted areas storing network equipment).
- From a partner company, or well recognised supplier name your team are familiar with.
Breaching the office
- The early bird catches the worm: We arrive early onsite, to give us ample opportunity to tailgate employees into the building.
- Gaining entry: We keep busy on our phones by making calls and wait for the perfect moment to piggyback behind a genuine member of staff. Out of politeness, we usually find a way in unchallenged
- We make ourselves at home: Once inside, we find a spot to set up with purpose and confidence, taking off jackets and making ourselves comfortable.
- Identification: In many circumstances, we can enter the building quite easily, without being asked for identification.
- Build rapport: To take things to the next level, we need to establish rapport with your employees. We could do this by striking up conversation with staff whilst making a coffee, having friendly chit chat about how long they have worked at your company, and explaining our pretext to build trust.
Interviews and data gathering
- Employee interviews: As an internal IT auditor, we may say “We’re here to review the data security of your office, we would like to conduct relaxed and informal interviews, with members of your team”. This helps put them at ease and more willing to share information.
- What can we find out? We quiz them on data handling procedures, find out about their workflows and where critical data is stored.
- Password exercise: Next, we conduct a ‘password awareness exercise’ to help staff choose stronger passwords, and check if their current password is sufficient. We always stress this should not be shared with us; it is for their information only.
- Keyloggers: We ask them to input their password into a password checking service on one of our devices, this has a keylogging script running in the background which logs every keypress on the system. The employees unintentionally log passwords in plaintext to a file for later viewing.
- Restricted areas and filing cabinets: Lastly, as part of our ‘audit’ we may request access to networking equipment or filing cabinets storing sensitive information.
How Can I Prevent Social Engineering Attacks?
Employee behaviour can have a huge impact on information security in organisations.
Although it may be surprising to our clients, we frequently breach office locations without resistance.
In our experience, using persuasion, confidence, and manipulation tactics we can easily assert authority. This allows us to convince employees to share sensitive corporate information, or even provide access to restricted areas and business critical networking equipment.
But once you have identified the risk, how can you reduce the likelihood of real-life social engineering attacks happening?
Before reacting to the findings, remember you don’t want to alienate your team from engaging in your security agenda. Rather than punishing those who followed bad security practice, respond to the negative results in a constructive and educational way.
Take responsibility for the gaps in awareness. You can then build an awareness programme which:
- Empowers your team to follow a security driven approach
- Integrates your business processes
- Gives actionable advice in relatable narratives
- Sheds light on common types of social engineering tactics they need to look out for
Do you want to reduce human risk and build an effective training program?
Look out for our next blog for more on how to improve your organisation’s Cyber Maturity and security culture. We’ll explore topics like how to:
- Build employee cyber awareness around social engineering, phishing attacks and security best practice
- Tackle phishing scams and spear phishing
- Improve on your current phishing campaigns
- Measure and improve human risk
Ready to achieve your security goals? We’re at your service.
expertise to help you shape and deliver your security strategy.
