The security gap sits right in front of the computer. Via social engineering hackers mislead employees to gain access to corporate IT systems. One in three companies worldwide is affected.
In the middle of the 2016 U.S. Presidential election campaign Hillary Clinton had to painstakingly experience what consequences social engineering can have.
Her campaign manager John Podesta received an e-mail telling him he needed to change the password of his Google account. It was genuine, an IT employee told him. But he was wrong. The link led to a bogus Google login page that passed the valid password on to hackers. They gained access to thousands of Podesta’s emails and passed them on to Wikileaks for publication, which caused a huge image damage for Hillary Clinton.
Phishing, or faking emails and websites to access confidential data, is probably the best-known method used in social engineering. Social engineering is the art of deception aimed towards getting people to divulge sensitive information or do certain things – often as the first stage in a cyberattack. The attack does not target the IT systems; it targets their users.
According to the German digital business association Bitkom, every fifth companyin Germany was the victim of a social engineering attacks between the beginning of 2015 and the beginning of 2017.. Worldwide, between the summer of 2015 and summer 2017, even a third of companies were affected, according to a study by British research firm Loudhouse.
Winning SECTF call at DEF CON 25
Chris Kirsch and Chris Hadnagy reenact the winning call from the Social Engineering Capture the Flag contest (SECTF) at DEF CON 25 (2017).
CEO Trick Instead of Grandparent Scam
Hackers use psychological tricks, telling their victims heart-rending stories, putting them under time pressure or intimidating them with authoritarian behavior. As communication channels they use not only email but also faxes, personal conversations or phone calls (vishing). Security specialist Chris Kirsch demonstrated an example of a successful telephone attack in a video by reconstructing a phone call with a genuine company, which won him a social engineering competition at the 2015 DEF CON hacker conference.
In the summer of 2017 the German Federal Office for Information Security (BSI) issued an explicit warning against criminals claiming to be company executives and instructing employees to transfer large sums of money to foreign bank accounts. According to this, around € 75 million in damages were incurred by the German economy in 2016. Victims of such a CEO fraud using fake emails included automotive supplier Leoni and messaging app provider Snapchat. In the latter case, for example, a payroll clerk issued a current salary list after receiving a phishing email posing to be from the CEO.
Facebook a Data Source for Human Hacking
The more detail the attacker has unearthed about his victim(s) beforehand, the greater the likelihood that the hack will be a success. For example, in two studies in 2014 and 2017, German security researchers sent emails with a link and similar content to students. The only difference was the salutation. In the case of personalized emails, 56 percent of recipients clicked on the link, and only 20 percent of the non-personalized emails. Thanks to social media like Facebook and Twitter, social engineering attacks today can be targeted much easier and more precisely than before.
However, social engineering also works without personal contact between hacker and victim, however. By USB stick, for example. When researchers around the Google security expert Elie Bursztein dropped 300 USB flash drives on the campus of the University of Illinois Urbana-Champaign in April 2015 as a test, 48 percent of them were picked up and the files on them opened. Hackers can also search trash cans (a practice known as dumpster diving) for sensitive data like written-down passwords or shadow employees with special access authorizations: This practice is called tailgating or piggybacking allowing unauthorized persons to sneak onto corporate premises.
IT security is not much of use when employees fail to recognize social engineering attacks The most important measure is therefore employee training to explain the typical tricks of the hackers and to practice the behavior in appropriate situations. One-off sessions are no help, warns the German Federal Office for Information Security (BSI), and recommends regular refresher courses. However, according to Loudhouse, only around one in two companies in the world saw safety issues on the training agenda in 2017.
Social penetration tests are one way to test the success of awareness training. An authorized person takes on the role of a social engineer and tests how far he can get using hacker methods. The disadvantage is that employees who are tricked may feel exposed. Social engineering measures are, of course, a part of the security concept that companies must submit and implement for ISO 27001 certification on the basis of BSI IT baseline protection.
In the end, it must be made clear that although employees can pose a security risk, they are also a bulwark against cyberattacks. According to Bitkom, most often companies are made aware of hacker attacks by tips from their workforce.
Explainable AI looks into the “brain” of artificial intelligence and can explain how logarithms make their decisions. An important step, because the new General Data Protection Regulation requires traceability.