This blog entry was submitted by one of our guest bloggers. The author’s views are entirely her own and may not reflect the views of IT Governance.
Human beings, as we well know, are flawed. Our brains are governed by a complex mix of emotions and (hopefully) rational thought processes; this makes us vulnerable to those who wish to exploit us – it means that we can be hacked.
How do you hack a human brain?
It’s simple if you understand human behaviour. Bugs in our “human hardware” can be exploited using technical and non-technical techniques; these techniques can inspire fear or curiosity, but almost always aim to have the target do something they probably shouldn’t.
It’s often said that the simplest way to get your password or hack your computer is just to ask. It could be in normal conversation, via a social media site, for example. I could send you a friend request on Facebook and quickly enter into a conversation with you about friends and family. This is a fairly normal introductory conversation, one that you will expect, and in that conversation you may tell me –about your children’s names or your football team – you may even mention your partner’s birthday coming up at the weekend. If you happen to use any of this information as a memorable password or recovery question, then you’re now in trouble.
After one conversation I have a lot of information about you – and that information that can be used to steal from you, to commit fraud in your name, to break into your social networking profiles and much, much more. It was easy because you made it easy. I’ll keep talking to you until I have what I want.
Social engineering comes in many forms
There are other forms of social engineering that can be harder to spot. Phishing emails are a good example. It’s quite easy to design an email that looks like it came from your bank; the script may go something like this: “We have detected fraudulent activity on your online banking account. Please click the following link to change your password.” Then a link is provided. The email looks legitimate, it has the bank’s logo on it, and the email sender looks correct so you follow the link to a website that looks just like your bank’s website and enter your details in order to change your password.
The problem is… that email wasn’t from your bank, and the link did not take you to your banking page. It took you to a fake website mimicking the real website’s look and feel, and you just gave the fraudsters the login details for your online banking. You did it because it looked real and you were scared that someone was going to take your money – but instead you walked straight into a trap. Sometimes the emails come with a phone number to call that lead you to an interactive voice system, just like your bank’s. You are asked to enter your bank account number and your sort code, and to divulge digits of your access code – little realising that you are giving this information straight to the criminals.
Quid pro quo is another favourite. Get something, give something. Often referred to as ‘vishing’ or ‘phone spoofing’, this involves criminal hackers telephoning your company and asking to be put through to various members of staff. The recipient of the call will be told “this is IT support” or similar, and eventually the criminals get through to someone who actually has a technical issue. This person will be grateful for the call because they believe someone is there to help them. At this point, they can be asked to do ANYTHING on their computer. They can be guided to a website that’s been designed to steal access information and could even infect your company’s systems with malicious code. The user won’t have a clue because they believe that they are being helped.
The bottom line is that your organisation could spend a small fortune purchasing technology to mitigate cyber risk, yet you remain completely vulnerable because you haven’t educated your staff or addressed and altered common behaviours.
So, who are these human hackers?
They could be anyone: black-hat hackers, spies, disgruntled employees, scam artists, information brokers and everyday people, and they’re good at what they do. They have mastered the art of gathering information and they’re fully aware that their victims are not as educated as they should be. They know that this is an easy job and it pays well.
How do we defend ourselves against this daily threat? How do we prevent ourselves from becoming another cyber victim? Quite simply: be aware.
Understanding social engineering is the first step; questioning everything is the second. Organisations should implement continuous training and awareness programmes, and should recognise and address their biggest risk: their own employees. All staff should be made aware of how they can be targeted by hackers and they should be shown how easy it is to extract information. People who understand the risks and methods used to exploit human vulnerabilities are better equipped to fight them. Don’t let your organisation fall foul of social engineering; instead, ensure that your staff know exactly what they are up against.
Use email certificates to prevent phishing, install antivirus software and keep it up to date, teach your staff how to verify that callers and emails are legitimate. Ensure that your network prevents the use of unauthorised websites. Above all – educate your staff.