Post on 06-Apr-2017

101 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Social Engineering-The Underpinning of Unauthorized Access

Social Engineering: The Underpinning of Unauthorized Access

Kory W. Edwards

Webster University

Abstract

In May 2013, perhaps the single most devastating loss of highly sensitive information occurred as Edward Snowden boarded a flight to Hong Kong (MacAskill 2013). Whether Snowden is viewed as a whistleblowing hero or as a traitor, the magnitude of this loss of highly sensitive information boiled down to a singular problem: a disgruntled employee who used social engineering to persuade 20-25 co-workers at NSA to give him unauthorized access (Hosenball & Strobel 2013). Despite formal information security programs and employee training, today’s workplace continues to endure social engineering attacks. This paper explores the implications of social engineering attacks, the reasons why information security programs fail, the common types of social engineering attacks and the social engineering tactics commonly used. It will suggest a new approach to inhibit these attacks by incorporating human intelligence concepts, critical thinking and social intelligence.

Implications of Social Engineering Attacks

Social engineering tactics using either face-to-face or online interactions are the leading cause of devastating information security failures. They can result in the covert takeover of specific systems, denial of service, destruction or theft of sensitive data, hacker attacks on a network, defeat of software security and electronic wiretapping, including the disruption or interception of telephone calls, among other forms of attack (Al-Johani et al. 2013). The theft of intellectual property or classified data can devastate an organization and result in major monetary losses or, in some cases, even loss of life.

Aside from organizational losses, even the most competent and well-trained employees can be victims of social engineering, because attackers exploit natural human scenarios. In the case of Edward Snowden, highly intelligent NSA employees confidently gave their user ID and password to an inside, cleared network administrator who sought to resolve a computer issue they were having (MacAskill 2013). The social engineering attack happened in spite of frequent, routine training, stringent security plans and other precautions that were in place. The end result of this attack was several well-trained, confident and intelligent employees losing their careers or having them severely impacted. If all these precautions and training cannot effectively prevent such social engineering attacks, what can?

Why do information security programs fail?

Companies spend substantial amounts of money, time and resources developing and implementing security and training plans to make employees aware of security threats. Their approach relies on the concept that an informed employee will not be as susceptible to social engineering attacks. Yet these attacks persist. Programs focusing on phishing attempts and spam emails become repetitive and are often ignored by employees. The training fails to give employees a sense of added value that can be used in their everyday duties and not just when a suspicious email hits their inbox. This is because people do not always have the ability or motivation for deliberate, careful thinking (Muscanell et al. 2014). Employees and their supervisors focus more on checking the box for required training than on applying what they learned.

Social engineering is defined as “a set of techniques used for making people do something or divulge secret information” (Al-Johani et al. 2013). The description conjures up images of a nefarious person conducting a clandestine espionage operation rather than something the average employee might see on a daily basis. This scenario is not relatable for someone who views their job as routine and less significant. In fact, in the human intelligence realm, the people most often targeted are the least conspicuous. The same goes for other social engineering attacks. Why would an attacker target the Director of Central Intelligence, raising alarms, when a disgruntled employee, secretary or janitor can provide information with less risk? Employees fail to understand that it is the access to a network they use that makes them a target, not what they do on that network.

Current security plans, programs and training fail to provide a skill that can be applied to every aspect of a person’s job and interpersonal interactions. If the skills they are trained on are not practiced on a daily basis, they are easily forgotten. In order to understand how to improve security programs and training, we must first evaluate the types of social engineering attacks used and the tactics employed by the attackers. By identifying the commonalities, our new approach can be developed.

Common Types of Social Engineering Attacks

Insider Threats

The example of Edward Snowden shows the grand scale at which an insider can wreak havoc by using social engineering to gain unauthorized access. But disgruntled employees represent only a portion of unauthorized access attacks and risks. Aside from disgruntled employees, unauthorized access attacks can result from poor information security training, improper badging and physical access control, and a lack of compartmentalization of information. What makes an insider threat so difficult to detect and deter is that insiders already have legitimate access to the facility or system, know what they are looking for and know how to circumvent security protections (Hau 2003).

Social engineering relies heavily upon people remaining true to social and cultural norms, or upon a lack of awareness of the information’s value and their role in protecting it (Al-Johani et al. 2013). Social engineers exploit employees that have not been trained, have become complacent about their training or have failed to remember the training they were provided. Targets may be new employees that are eager to prove themselves valuable to the company, complacent employees that routinely have security incidents, or personalities that are easily subject to intimidation or coercion. Even the happy, helpful employee is subject to exploitation out of their desire to “help a friend”. A well-designed training program can curtail these issues and empower employees to stick to security protocol.

Social engineers also exploit vulnerabilities resulting from improper badging and physical access controls. Without strict badging standards and adherence to badging procedures, insiders can obtain unauthorized access. Locked desks can keep prying eyes from accessing office phone lists, notes, password reminders on sticky notes, email directories, printed papers, electronic media and other stores of information that can be stolen or copied (Al-Johani et al. 2013). Guards and employees that check badges, even when they know the person, can keep recently fired or disgruntled employees from extending their access beyond its expiration or accessing areas where they are not properly authorized. Individual burn bags, the use of shredders and secure disposal of all paper can prevent social engineers from exploiting information found in recycle bins, trash cans and messy desktops.

Lastly, proper compartmentalization of sensitive information can impede social engineering attempts to gain unauthorized access. This must include need-to-know barriers between management and their subordinates. Managers often need to know the overall situation, but do not need direct access to the data used to reach assessments. A social engineer might use anti-social engineering, a highly developed way to obtain sensitive information in which the attacker claims to be authorized a high level of access and elicits information from employees by simply bringing up a subject and getting the employee to talk (Al-Johani et al. 2013). Employees share information out of the belief that the insider is authorized. Information security managers can inhibit such attempts by carefully compartmenting information and granting access to each compartment only to those employees that can prove a need-to-know.

External Threats

Insider threat attacks can facilitate external attacks. Seemingly non-sensitive information such as office phone and email directories can facilitate an external social engineering attack, such as one conducted via email or phone calls. The attacker can use the company phone or email directory to target a specific individual. The attacker contacts them directly, already knowing their name and position, and builds their bona fides with the victim by seemingly knowing them or their associates. Phone calls to an employee posing as a system administrator with an urgent need can coerce employees into revealing sensitive information or taking actions on their computer that enable a technical attack.

Phishing attempts through personal and company email addresses are also common methods of external social engineering attack. External attackers may dive into dumpsters located outside of the secured area to find sticky notes with passwords, discarded documentation of initial passwords or details of password composition requirements. With such information, the external attacker can conduct dictionary attacks that compare passwords against dictionary files, hybrid attacks that combine dictionary attacks with extra characters, or brute force attacks that try every possible combination until one eventually works on the system (Al-Johani et al. 2013).

Lastly, physical security flaws can allow an external attacker to place devices or programs on a system through free flash drive or software giveaways to employees with access. The device or program then conducts sniffing, wiretapping or eavesdropping on the network (Al-Johani et al. 2013). It is essential that employees safeguard company computers, cellphones and other electronic devices when traveling, staying in hotels or passing through customs and security checkpoints in order to prevent such attempts. Even foreign governments conduct economic espionage!

Social Engineering Tactics

We have all likely had some form of information security training in our careers. Most victims of social engineering attacks are intelligent people. How then do so many intelligent, security-conscious people fall prey to social engineering exploitation? The answer lies in unique qualities that humans possess and build upon from birth.

Of all the creatures on the planet, humans have the longest development periods. We are born exceedingly vulnerable and defenseless. The long period from birth to adulthood allows the human brain to develop a much deeper level of consciousness, but also has significant drawbacks (Greene 2012). Humans are highly dependent upon others for their growth and protection during these early years. We grow to view our parents and caretakers as infallible, intelligent and strong. If we realized their flaws and our own weaknesses, we would not be able to bear the anxiety it would bring upon us (Greene 2012). When we enter the workforce, these views often follow us and are applied to our teachers, friends, confidants, mentors and bosses (Greene 2012). We do so at a much greater risk, though. Knowledge of other people’s attributes, emotions and motivations is known as “social intelligence”. It is often referred to as “street smarts” (Riggio 2014).

The failure to increase one’s social intelligence leads to what Robert Greene, in his book Mastery, called the “Naïve Perspective”. Greene explains that “With colleagues in the work environment, we fail to see the source of their envy or the reason for their manipulations; our attempts at influencing them are based on the assumptions that they want the same things as ourselves. With mentors and bosses, we project onto them our childhood fantasies, becoming unnecessarily adoring or fearful of authority figures…We think we understand people, but we are viewing them through a distorted lens. In this state, all of our empathic powers are rendered useless.” (Greene 2012)

Now that we understand why people fall prey to social engineering, we will explore the tactics used by social engineers. Social engineering attackers use what Robert Cialdini outlines as the social influence framework. The attacker uses one of the six weapons of influence: Liking, Authority, Scarcity, Social Proof, Reciprocity, and Commitment and Consistency. How can a trained, intelligent person still fall prey to these weapons of influence? Individuals are often quite busy in their personal and professional lives and as a result are unable or unmotivated to avoid heuristics, or mental shortcuts (Muscanell et al. 2014).

Liking

Throughout our society, likeability is placed in high value. Everyone knows of a neighbor, co-worker, family member, friend or celebrity that they admire and respect because they are likeable. Our culture idolizes the celebrity that is “such a good person”, we vote for the most likeable candidate and we seek to be likeable ourselves. People trust a likeable person and view them with a higher degree of credibility. Likeability plays into social engineering attacks in two ways: our desire to be liked and our desire to assist a likeable person.

Recently, a well-known email scam involved receiving an email that appears to be from a friend or family member, using what is called the “stranded traveler” approach. This social engineering attack preyed on the desire to assist a familiar person by sending them money because they had fallen into a difficult situation while traveling and needed financial assistance, while promising to repay the victim once they had returned home from their travels (Muscanell et al. 2014). The approach plays directly into a person’s desire to help a liked person and to feel appreciated for doing so.

Some online scams prey on victims by impersonating well-liked companies. People often view the Better Business Bureau (BBB) as a likeable, trustworthy consumer protection advocate. Recent social networking attacks using a Facebook friend request purporting to come from the BBB have entrapped many people. Once the request is accepted, the social engineer initiates a conversation and encourages the victim to apply for a Federal grant. The form used to collect their personal information for the alleged grant is then used in identity theft (Muscanell et al. 2014).

Aside from online social engineering attacks, face-to-face attacks or data spillage can result from the likeability tactic. A co-worker, friend or family member might ask someone working for the government for indirect access to sensitive or restricted information. A recent example of such an approach happened when a Secret Service agent, a seemingly trustworthy person, approached a good friend who had access to U.S. visa information. The agent, out of a sincere desire to help someone he knew, asked the friend to look up the visa information of a third party to see why it was taking so long to process that person’s visa. When the friend with visa data access explained that doing so would be a violation of both policy and Federal law, the Secret Service agent pressured the employee, using likeability as a means to get his friend to circumvent the restrictions. This placed the friend in the position of either protecting the information and avoiding personal career jeopardy while alienating his friend, or violating the law to remain liked by the Secret Service agent.

Ultimately, fear (a much stronger motivator than the possibility of gain) kept the friend from violating the law and the information remained protected. But what if the fear of search audits or of being caught had not been taken seriously or had not been ingrained through information security training? Would the data have been protected? Could the attempt to gain unauthorized access be a means of verifying the employee’s access for use in future attacks? Addressing the desire to be liked by an unauthorized employee must be incorporated into every information security plan.

Authority

As previously mentioned, people often place naïve trust in, or fear, the authority figures in their lives. Especially when faced with the dominating presence of a supervisor or significant other, people often comply with demands from the authority figure rather than suffer the consequences of non-compliance. They pursue the path of least resistance. Online scams involving Federal government entities demanding an immediate response with personal information have become very well known in recent years. If the Internal Revenue Service demands an immediate response concerning a tax refund, a victim can easily feel pressured to comply with the emailed demands and reveal their personal information (Muscanell et al. 2014).

In the case of Edward Snowden, Snowden was not in a supervisory position but managed to elicit passwords and user IDs from co-workers under the guise that, as a system administrator, he had the need and authority to request such information in the performance of his duties. This goes to show that authority does not need to be real. Perceived authority is enough to get a victim to let their guard down and succumb to the attack. Uniforms can give the same perception without verification of credentials. A lab coat can make the attacker be perceived as a doctor, a police uniform alone implies authority, and even a person confidently following a badged employee into a secure area can circumvent security precautions. The unauthorized person appears to be authorized access to the secure area by their body language and confident demeanor.

To retard the effect of a social engineer using authority or perceived authority to conduct an attack, information security plans and training must empower the employee to challenge the need-to-know or need-for-access of those in authority positions. While it may not be desirable to have employees challenge their supervisors all the time, supervisors must be counseled to expect to be challenged when requesting information outside of their normal need-to-know. They must understand that the intent is to protect the information and not to challenge their authority.

Scarcity

The idea of scarcity in social engineering relies on the concept that things that are limited in supply, or a limited opportunity, have a higher value or level of importance than something that is more commonly available. Scarcity is used most commonly in the sales profession, where “limited time offers” or sale pricing and discounts motivate people to buy whether they need the product or not. The same concept can be applied to social engineering attacks on an organization or its networks.

Employees operating on systems with access to the internet may come across scarcity opportunities for sales, raffles or, as often seen on Facebook, “We have a limited supply of iPads to give away to the first 500 people that request one” scams. The employee clicks on the advertisement, which can either install malware or have the employee enter personal information into a form. Local businesses might have “Win a Free Lunch” offers if you place your business card, with all your company information on it, into the jar. Drawings and raffles of vacations, motorcycles, cars and other opportunities provide another vehicle to collect personal information.

Scarcity may come in the form of a rare and enticing employment opportunity making an unsolicited email request for a system administrator’s resume. Once the resume is sent, the social engineer can emphasize the vast competition for the position and the need to find out exactly what programs, hardware and cybersecurity methods are used by the employee in order to prove they are experienced enough for the job. In these cases, the employee is even less likely to report the solicitation out of fear their employer will learn they have been looking for employment elsewhere. Training employees to be aware of such attempts, limiting who has business cards and encouraging employees to resist pursuing such opportunities on company computer systems can deter such attacks.

Social Proof

Social proof is most commonly called “peer pressure”. Our human desire to fit in with others leads to a follow-the-leader mentality. Nearly everyone has seen the co-worker selling Girl Scout cookies for their daughter, the office NFL football pool, or the unauthorized installation of games, music or videos on a work computer. When several people we know are all doing something, we have a tendency to go along with it and do the same thing in order to prove we are part of the social group. The justification is often that “everyone is doing it”.

In an office setting, one person may decorate their cubicle and install a funny screen saver or wallpaper on their system, thus exposing the computer and network to malware. Other employees see it and decide to do the same or install their own. Viruses are launched and passed through email communications to other employees with a subject line such as “Check this video out”. Within a short amount of time, the desire to be like everyone else can spread attacking software throughout the entire network, steal sensitive information or impact the system. Security training must encourage employees to avoid the group-think mentality and not follow the pack when cybersecurity rules might be broken.

Reciprocity

Reciprocity approaches make use of the societal norm that when someone does something for you, you should return the favor and do something for them in return (Muscanell et al. 2014). Taking into account the aforementioned example involving a Secret Service agent making an unlawful request for sensitive information, imagine if the Secret Service agent had previously done a favor for the employee with the data access. The favor may or may not have been work related. Perhaps the Secret Service agent helped the employee move into their new home. Would the social norm of reciprocity make it more difficult for the employee to turn down the request for the information?

Online reciprocity attacks are common. One such reciprocity attack is known as the “Nigerian Prince” attack. In this attack, a person claims to be a wealthy Nigerian prince or a businessman seeking a way to extricate their fortune from a precarious situation in exchange for giving the victim part of the money (Muscanell et al. 2014). The attacker sends the victim a fraudulent check and asks the victim to deposit the check and wire the money, less the victim’s portion, to an intended recipient. Once the victim does so, the check bounces a few days later, leaving the victim stuck paying the full amount of the check back to the bank.

Social engineers use reciprocity in either a quid pro quo manner, or they may take a slightly different approach. Cialdini once described this alternate approach as the “door-in-the-face” approach. Participants in a study were found to be much more likely to comply with a request after first being presented with a substantially larger or more difficult request. At times, these two requests might be asked in an either/or scenario (Muscanell et al. 2014). For example, the Secret Service agent might ask the employee “Could you either print off a copy of my friend’s visa information for me or just read me the details I need to know?” The idea of actually printing off the information and delivering it to the agent presents a much riskier means of helping a friend. Because the request is presented in an either/or format, it gives the perception that no other option exists and the less risky option is the clear choice for the employee.

In a case like Edward Snowden’s, the system administrator might tell the victim employee that they can fix their computer issue remotely, which would take much longer, or the employee could provide their user ID and password to the administrator, helping both the administrator and themselves to resolve the problem much faster. The employee feels compelled to make the administrator’s job easier because the administrator is helping the employee as well.

Commitment and Consistency

It is human nature for individuals to strive to be reliable, consistent and dependable in their dealings with others. Value is placed on those that are committed and consistent in their actions involving supervisors, co-workers, friends, family and love interests. Inconsistency in one’s dealings gives the impression that a person is unreliable. Social engineers exploit this desire to be consistent. They use what is called the foot-in-the-door approach (Muscanell et al. 2014).

This approach is incremental, and often the first step is something very innocuous or small. If the attacker can get even the smallest initial commitment, the process of exploitation begins and the ability to resist the attacker’s requests becomes harder and harder. In the cyber realm this might be a friend request on Facebook. Once the victim accepts the request they have subconsciously made a commitment to the attacker. The victim and attacker are now cyber “friends”. From there, the attacker may begin a conversation and ask for personal information intertwined with less sensitive conversation. This is called masking.

In normal conversation, people often remember the beginning of a conversation and the end, but rarely remember details about the middle of the conversation. The probing question is inserted into the middle of less probing conversation. By answering the less sensitive questions, the victim feels obliged to be consistent and keep answering.

A good example might be a social engineer seeking to find out possible words used in an employee’s password. The attacker sends a friend request, which is accepted by the victim. A benign conversation ensues and the victim feels the need to be consistent and to keep answering and participating in the conversation. The conversation may touch on several topics such as favorite sports team, family details, work position, networks used, the weather, vacation plans and ultimately some other benign subject. When asked about that conversation, the victim will likely only recall discussing sports, family and vacation plans. Out of that same conversation, the attacker can identify a target system and likely words used in a password. We often create passwords we remember involving such subjects.

The need to be consistent and committed to the online “friendship” encourages the victim to keep sharing information. As long as the attacker does not overreach in their discussions, the victim will remain consistent in their actions. Training should provide employees with examples of such elicitation attempts and assure them that just because one mistake was made, they are not obligated to keep making security mistakes.

Conclusion

The most common factor in all the aforementioned attacks and tactics is that the person falling for such an attack fails to employ critical thinking skills or social intelligence skills. Critical thinking is the “intellectually disciplined process of actively and skillfully conceptualizing, applying, analyzing, synthesizing and/or evaluating information gathered from, or generated by, observation, experience, reflection, reasoning or communication, as a guide to belief and action” (Scriven & Paul 1987). In our social engineering context, it can be summarized by three words: why, how and what. People remember snippets of information, which is why slogans, theme songs and other advertising devices are so effective.

To improve the recollection of information security highlights, the keys of information security should be taught in such a manner. Focus employees on remembering three simple questions:

Why does this person need the information?

How can I help them without divulging sensitive information?

What damage could be done if the information is released?

The “why” portion of our solution is applied by the employee when dealing with sensitive information such as passwords, personally identifying information, financial data, etc. The employee must be conditioned so that when these bits of information are brought up, they ask themselves “Why does this person need the information?” Once the “why” is identified, the employee must ask themselves “How can I resolve this situation without divulging sensitive information?” Lastly, employees must learn to understand the value of the information they possess and the possible damage that could be done if it is shared with an unauthorized employee.

As Samuel T.C. Thompson stated in his article Helping the Hacker? Library Information, Security and Social Engineering, once a social engineer has established the trust of the contact, all security barriers are effectively voided and the attacker can gather whatever information they require. Even after a social engineering attack is avoided, the threat may still exist, as the attacker simply moves on to the next target. Reporting of suspected attacks is a key component of information security (Thompson 2006).

The concept of social intelligence can inhibit follow-on attacks or identify the insider threat. Unlike intelligence, or IQ, which is primarily the product of genetics, social intelligence (SI) is mostly learned (Riggio 2014). Social intelligence is the product of experiences, successes and failures, in a social setting. It is commonly called tact, common sense or street smarts (Riggio 2014). The employee’s knowledge of the person, gut feeling or street smarts lets them interpret possible motives for the behavior of an insider or external threat.

As cybersecurity directors develop their security plans, training focused on critical thinking and social intelligence offers a value-added solution that serves security training needs but can also be used in everyday management and employee relations.

References

MacAskill, E. (2013). Edward Snowden: how the spy story of the age leaked out. TheGuardian.com.

Hosenball, M. & Strobel, W. (2013). Exclusive: Snowden persuaded other NSA workers to give up passwords - sources. Reuters.com.

Al-Johani, A. & Al-Msloum, A. (2013). Social Engineering Risks in the Contemporary Reality and Methods of Fighting These Risks. International Journal of Academic Research, Vol. 5, No. 6.

Muscanell, N., Guadagno, R. & Murphy, S. (2014). Weapons of Influence Misused: A Social Influence Analysis of Why People Fall Prey to Internet Scams. Social and Personality Psychology Compass, Vol. 8, No. 7, pp. 388-396. John Wiley & Sons Ltd.

Hau, D. (2003). Unauthorized Access – Threats, Risk and Control. Global Information Assurance Certification Paper, Version 1.4b, Option 1. SANS Institute.

Greene, R. (2012). Mastery, pp. 134-135. Penguin Books.

Riggio, R. (2014). What Is Social Intelligence? Why Does It Matter? Psychology Today, www.psychologytoday.com.

Thompson, S. (2006). Helping the Hacker? Library Information, Security and Social Engineering. Information Technology and Libraries, pp. 222-225.

Scriven, M. & Paul, R. (1987). Critical Thinking as Defined by the National Council for Excellence in Critical Thinking, 1987 Statements. The Critical Thinking Community, www.criticalthinking.org.