Posts Tagged ‘Alyson Krause’

Cyber Security and the Danger of Human Vulnerabilities

In season 4 of the TV series “The Blacklist”, Aram, a member of the FBI task force, is a victim of social engineering. He is the team’s cyber and encryption expert, and yet it was a thumb drive his “girlfriend” gave him that allowed hackers to penetrate the FBI’s systems. This is an example from Hollywood, but can this happen in real life? We are constantly advising companies to beef up their cyber security and get cyber insurance in order to protect themselves against hackers and data security breaches. However, if Aram, an FBI agent who specializes in these areas, was unable to keep a government agency protected, then how do corporations stand a chance? Is Aram’s scenario merely a fiction invented by Hollywood to boost ratings, or does this actually happen?

In order to understand this better, we need to look first at the history, and then review some examples of social engineering in the modern era. Perhaps the most iconic example of social engineering from literature is the Trojan horse. After an unsuccessful ten-year siege of Troy, the Greek army appears to give up. They pack up, head out of town and leave an enormous wooden horse outside the city. The implication was that it was a conciliatory gift from Greeks who were giving up magnanimously. In reality, the Greeks used the gift of the horse to hide a small group of their soldiers, and the Trojans brought the horse inside their wall. After the Trojans celebrated their victory and went to sleep, the Greek soldiers slipped out of the horse and opened from within the gates that had withstood a siege for ten years; the Greeks who had supposedly left returned to the city of Troy and destroyed it. The Trojans clearly had the superior security technology at the time, and the Greeks were unable to defeat them in a direct attack. Instead, the Greeks tricked the Trojans into accepting a gift, thereby bypassing the Trojans’ own superior security measures and allowing the Greeks to win.

The Trojan horse shows that history and the literary greats understood the dangers of social engineering. However, in today’s modern world of increased cyber security, are big corporations still vulnerable to social engineering? In July 2012, according to Stacy Cowley of CNN Money, a Wal-Mart store manager in Canada received an urgent phone call from “Gary Darnell”, calling from the Wal-Mart home office in Bentonville, Arkansas. Little did the store manager know that the call was actually being made from a soundproof booth at the Defcon conference in Las Vegas, with 100 spectators. While the audience listened to both sides of the conversation, “Darnell”, using the false identity, successfully captured every single data point he wanted from the store manager. Using urgency, charm and the lure of winning a major government contract, the false “Darnell” was able to learn all about the Canadian store’s physical logistics, when managers take breaks, staff shift schedules, what types of PCs they use, and the make and version numbers of the computer operating systems. He even directed the manager to an external website to fill out a survey.

Darnell was actually Shane Macdougall, the winner of the social engineering “capture the flag” contest at the Defcon conference. Macdougall pretended to be a real Wal-Mart executive in order to execute the con. Defcon is held every July, and hackers come to share tips and swap stories of exploits. Macdougall demonstrated to the audience that with just a phone line and a charming story, he was able to pry company secrets from a well-run and well-guarded corporation. According to Macdougall, “Social engineering is the biggest threat to the enterprise, without a doubt… I see all of these (Chief Security Officers) that spend all this money on firewalls and stuff, and they spend zero dollars on awareness.”

What about a case where no emails or technology were used by the perpetrators? Could social engineering tradecraft and a plan allow a single person to bypass a top-of-the-line security system? According to Stephen Castle of the Independent, in 2007 a longtime trusted customer of an Antwerp bank stole $28 million worth of diamonds. He used an Argentinian alias and a false passport, became a trusted local diamond trader, and was a customer of the bank for a year before perpetrating the crime. There are even reports that he regularly brought the staff chocolates throughout the year in order to win them over. The vault supposedly had a security system that cost more than one million Euros. Philip Claes, spokesman for the Diamond High Council in Antwerp, said the lesson learned was that, “despite all the efforts one makes in investing in security, when a human error is made nothing can help”. Claes also said, “You can have all the safety and security you want, but if someone uses their charm to mislead people it won’t help.”

What about a security company, one that is usually charged with securing big corporations and government secrets? Are security companies vulnerable to social engineering? An example worth exploring is the RSA hack in 2011. According to Riva Richmond of the New York Times, the attacker sent phishing emails with the subject line ‘2011 Recruitment Plan’ to two small groups of employees over the course of a couple of days. None of these employees were particularly high up or considered high-value targets at the company. One employee found the title interesting enough to retrieve the email from his junk email box, and then he proceeded to open the Excel attachment. Inside the attachment was malware that used a zero-day flaw in Adobe’s Flash software to install a backdoor. This exploit allowed the hacker to use the Poison Ivy Remote Administration Tool to gain control of machines and access servers in RSA’s network. In this example, social engineering and human error prevailed even over a security company’s expertise.

Even if you are confident that none of your employees would ever fall for social engineering, there is always the 2013 Target case to consider. It is believed that hackers were able to steal an estimated 40 million credit and debit card records from Target’s point-of-sale systems through phishing. However, it was not through phishing at Target itself. Instead, investigators suspect the breach came through the heating, ventilation, and air-conditioning subcontractor Fazio Mechanical Services, via a phishing email that included the Citadel Trojan.

There is a common theme throughout all of these social engineering incidents. The victims all had extensive security measures in place, and all of those measures were bypassed or circumvented through human vulnerabilities. In one case it was the lure of a sale, in another the ego of victory, in another susceptibility to charm, and in others curiosity. It does not matter how extensive your technological defenses are if your people and workforce remain vulnerable. According to Cybersecurity Ventures, J.P. Morgan Chase & Co. doubled its annual cyber security budget, while Bank of America has gone on the record claiming it has an unlimited cyber security budget. Even the US government increased its cyber security spending by 35% in 2017, to $19 billion. However, how much of these increased budgets is spent on training employees to recognize social engineering exploits? And how much is spent on ensuring that vendors and third parties who have access to your systems receive the same training?

National Security Agency director General Keith Alexander (Ret.) attended the Defcon conference in 2012 and, according to Cowley, was a big fan of the “capture the flag” contest. Further, he thanked members for teaching people to socially engineer; the idea presumably being that if members of the cyber community and companies learn how social engineering is done, it will be easier for them to recognize the techniques when they are used on them. The intelligence world is filled with experts who use social engineering every day to gather intelligence to protect our country. The same social engineering skills they use to keep our country safe can also be taught to corporate and bank employees to keep their assets and information safe.

Sometimes it is as simple as instituting rules about clicking on links or opening files. In other cases, it might be instructing employees who receive calls asking for information from supposedly internal colleagues to hang up, promising to call back later, before giving out any information. One can then instruct employees to look up the calling employee’s number in the internal system and call back using that number rather than any number the caller supplied. Of course, a really skilled social engineer will be able to get the information without the employee even realizing he or she is sharing critical data. With a good cover story, as Macdougall had, the employee might feel the urgency and forget the basic company rules.
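The callback rule above can be written down as a small decision procedure so that it is applied the same way on every call. The following is an added example, not code from the author or from any company named in the post. The internal directory and the inbound requests are constructed sample data, and the entry for “Gary Darnell” is only there to play through the Wal-Mart scenario; the policy it encodes is the one in the paragraph: never answer on the inbound call, treat caller ID as unverified, and call back only the number on record.

```python
"""Out-of-band callback verification for phone requests (added example).

Encodes the policy: when a caller claiming to be an internal employee asks
for information, staff do not act on the inbound call. They hang up, look the
claimed person up in the internal directory, and call back only the number on
record. Everything below (directory, numbers, requests) is constructed sample
data, not from any real organisation.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample directory: (name, department) -> number on record.
INTERNAL_DIRECTORY = {
    ("gary darnell", "home office"): "+1-555-0100",
    ("jane doe", "it helpdesk"): "+1-555-0101",
}


@dataclass
class InboundRequest:
    claimed_name: str
    claimed_department: str
    caller_id: Optional[str]   # number shown on the phone; may be spoofed
    urgent: bool               # caller presses for an immediate answer


@dataclass
class Decision:
    share_now: bool                 # always False: nothing is shared inbound
    callback_number: Optional[str]  # directory number to dial, or None
    reason: str                     # what the employee should note in the log


def _normalize(text: str) -> str:
    """Case- and whitespace-insensitive key for directory lookups."""
    return " ".join(text.lower().split())


def _lookup(name: str, department: str) -> Optional[str]:
    key: Tuple[str, str] = (_normalize(name), _normalize(department))
    return INTERNAL_DIRECTORY.get(key)


def verify_request(req: InboundRequest) -> Decision:
    """Return the callback plan for an inbound request.

    The inbound call never authorizes disclosure. If the claimed identity is
    not on record, escalate instead of calling back. A caller ID that matches
    the directory is not treated as proof (it can be spoofed); a mismatch is
    recorded because it is a useful signal for the security team.
    """
    on_record = _lookup(req.claimed_name, req.claimed_department)
    if on_record is None:
        return Decision(
            share_now=False,
            callback_number=None,
            reason="claimed identity not in internal directory; escalate to security",
        )

    notes = ["hang up and call back the directory number"]
    if req.caller_id and req.caller_id != on_record:
        notes.append(f"inbound caller ID {req.caller_id} differs from directory number")
    if req.urgent:
        notes.append("urgency is a pressure cue, not a reason to skip the callback")
    return Decision(share_now=False, callback_number=on_record, reason="; ".join(notes))


if __name__ == "__main__":
    # Constructed replay of the post's scenario: a pushy "home office" caller
    # from a number that is not the one on record.
    darnell = InboundRequest("Gary Darnell", "Home Office", "+1-702-555-0199", urgent=True)
    print(verify_request(darnell))
    stranger = InboundRequest("Pat Nobody", "Facilities", None, urgent=False)
    print(verify_request(stranger))
```

The point of keeping the decision in one function is that the employee's instinct under pressure is taken out of the loop: the only output is a number from the directory (or an escalation), never an answer to the caller.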

In those cases more extensive training may be required and prove useful. In the case of the Antwerp bank, employees could have received awareness training, i.e., to be on the lookout for people with access to the bank who consistently bring gifts for no reason, or who always seem to like the same things you do and never disagree. People who like the same things you do are viewed as both likeable and similar. People who are similar and likeable are not viewed as threats, so you are more likely to trust them and spend time with them, thereby making your bank or corporation vulnerable to an attack. By bringing employees chocolates and charming them, the perpetrator of the Antwerp bank heist gained their trust and the time necessary to gain access to the keys.

To address this, an additional change to cyber security is required. By this point, horror stories of cyber attacks have become pervasive, and combined with the dawn of intrusive cyber security regulations, banks and corporations are willing to invest huge sums in technology for defense. But investment in the human element and in human intelligence assets has lagged behind. Not only is training required; to combat social engineering, human assets are equally important. Just as in the real world of intelligence, internal human intelligence assets are necessary to monitor, detect, and combat ever-morphing internal human points of vulnerability, as well as the motivations, methods, and points of entry from the attackers’ point of view.

While Aram’s case was pure Hollywood fiction, we now see that there are numerous instances of social engineering attacks perpetrated in the modern era. Firewalls and encryption are essential, but as demonstrated above, the only way we stand a chance at protecting our data and customer privacy is by raising awareness of social engineering threats and by recognizing and addressing the importance of human vulnerabilities in our cyber security programs.

Alyson Krause is a global corporate strategy executive with extensive experience consulting in Cyber Security, Medical Devices, Energy, Anti-Money Laundering, Natural Sciences, Finance, and Global Security. Alyson is also on the Board of several companies and works with start-ups and technology professionals worldwide, helping them achieve investor milestones, enter new markets and improve business relationships. For other posts by Alyson or background: https://claroint.wordpress.com/ or https://www.linkedin.com/in/alyson-krause-3668628a


One of my clients was planning a trip to China on behalf of his start-up. We were wrapping up a strategy session on how to make his trip successful. At the end of the call, as is always my practice with clients traveling to countries that are challenging with regard to Intellectual Property (IP), we discussed what precautions he planned to take to protect the IP. He told me his computer was encrypted, and wasn’t that enough?

I immediately thought that NO, that was not even close to enough. Investors had poured millions into this company, and his only weapon of protection was encryption? Setting aside the information that is out there regarding China’s ability to hack and crack encryption, and even if his computer were safe from normal hacking attempts, what about his phone? Did he ever send or receive attachments from his phone? Did he have contacts on his phone critical to his company? What financials and trade secrets were available on both his phone and laptop? Did he plan to keep his phone and laptop on him at all times while on the trip, taking them to the bathroom, and even sleeping with them?

These were just a few of the questions he should have been asking prior to travel. His company’s valuation was strongly dependent on the IP, and if that were compromised, years of work, millions of dollars and reputations would be lost.

Why not travel with a new laptop, not connected to the company’s server? Why not leave the contact and address books at home when you travel? Or why not have a company policy that requires employees to keep their technology on them while they are traveling? Computer security is one component of protecting trade secrets, but there is a human element as well.

Where do you keep your passwords: in your head, or in a notebook that you travel with? With today’s ever more complicated passwords, requiring capital and lower-case letters, numbers and special characters, and frequent changes, it has become increasingly hard to remember all of one’s important passwords by heart. Even if your company has a policy forbidding employees to write them down, how many employees do you think are actually capable of following that policy? Even with travel policies, some employees might forget or make a mistake, which will increase your exposure.

The bottom line is that it might prove impossible to protect your IP or sensitive information 100 percent, but without a plan and well-thought-out policies that account for the human element, you will definitely fail. The idea is to have policies and a strategic cyber security plan that incorporates both computers and humans while still allowing your company to conduct business worldwide. As with mitigating any other risk you face, you do not want the restrictions to be too prohibitive, and at the same time you want to be protected.

In this case, given the last-minute nature of the trip, it was easy for my client to copy any critical meeting information and proprietary documentation onto an IronKey flash drive, encrypted with high-speed military-grade hardware encryption. He kept the IronKey on him at all times, and he chose to get a new computer and phone for travel, both with upgraded encryption. He was also mindful not to save any new information on the computer.

It was not a perfect solution by any means, but it incorporated multiple layers of protection and allowed him to travel and execute business transactions globally. My client’s plan was thought out, took into account both cyber and human elements, and protected the company’s value.

Alyson Krause is on the Board of several companies and works with start-ups and technology professionals worldwide, helping them achieve investor milestones, enter new markets and improve business relationships. She has a diverse background in numerous industries including Cyber Security, Medical Devices, Energy, Anti-Money Laundering, Natural Sciences, Finance, and Global Security. For other posts by Alyson: https://www.linkedin.com/today/author/0_3SsE6muVI_TukI0bGAqMfC?trk=prof-sm