Social Engineering: People as security vulnerabilities

13 February 2020

At first glance, the Ministry of Foreign Affairs in Austria, the automotive supplier Gedia and the Court of Appeal in Berlin don’t have much in common – except that they’ve all recently been the victims of cyber-attacks. At the Potsdam City Council, it was only in January that hackers managed to slip through a security loophole in the server software. And yet, cyber criminals are increasingly exploiting human failings in their attempts to get their hands on sensitive data. Security expert Tobias Kippert from TÜViT explains which manipulation methods are particularly widespread and how companies can heighten the awareness of their staff of what has become known as social engineering.

#explore: How big a risk do people, as a security vulnerability, pose as possible gateways for cyber criminals, in comparison to other risk factors?
Tobias Kippert: No matter how effective the technical protection we can now provide, at the end of the day, it’s down to people to use these technical measures properly - and, of course, people don’t just deal in zeroes and ones. What’s more, people can themselves be the target of an attack. There’s ample statistical evidence to show that this is one of the biggest weaknesses in security management.

What is social engineering?
Social engineering refers to manipulation by social means. Human characteristics like curiosity, helpfulness and trust are exploited to lure staff into disclosing information which can then be used in attacks. For instance, you might take an apparently harmless call from someone who wants to speak to your colleague. And you might easily then be tempted just to say that the person concerned is currently off sick or away on holiday for a couple of weeks. But as well as breaching data protection law, you might also be disclosing important information to a potential burglar.

So social engineering isn’t just a digital phenomenon?
No, attackers often use analogue means, even if they do generally rely on digital aids to do so. They might, for instance, look for your colleague on social networks like LinkedIn or Xing to winkle out this information. We’re all familiar with those phishing emails which are intended to make us click on a link which enables criminals to access our log-in details for Amazon or online banking. We’re seeing significantly more of these attacks, and their quality is improving too. The hackers have got more professional and are looking more for specific victims. For example, they’re using sales portals to offer expensive products, with the aim of getting the buyer to transfer money in advance to a non-EU state for a product which of course turns out to be non-existent. The hackers are investing more and more time in these individual cases, using emails to construct a narrative and build up trust to get the buyer to pay over the cash. We’re also seeing more cases in which what we call Emotet malware is being used. In these cases, criminals send their targets fraudulent emails in the name of actual acquaintances or colleagues. Opening infected attachments or clicking on links can result in significant damage.

What other manipulation methods are doing the rounds in professional circles?
The most prominent example is CEO fraud. An accounts department gets an email purporting to be from the CEO with the instruction to transfer a large sum of money abroad. And here it’s the human factor which comes to the fore: Rather than daring to query the order with the director, an accounts worker might just choose to make the transfer. Another classic is the malware-infested “lost” USB stick which turns up in the corridor or the toilet at work. Most people who find such a stick are likely to plug it into their computer - just out of curiosity or to find out who it belongs to. And the member of staff concerned will often not be aware - and many firms don’t yet have the necessary procedures - of the need to get the stick checked for security reasons or to report the incident.

How can staff be alerted to social engineering?
Ideally, the right kinds of awareness measures will be initiated by management and put into practice by an IT security officer. Companies should in all cases be open about the potential risk and use case studies to demonstrate possible attack scenarios to their staff. This can be a moment of epiphany with long-lasting effects, especially for less technically savvy members of staff. It doesn’t, of course, mean that every email they get in future should be viewed with suspicion; the point is to heighten their awareness of potential attacks. Suitable alert procedures should be set up in companies so that employees will know who they should forward a suspicious email to. And it’s especially important to encourage people not to be shy about reporting a possible security breach. In no case should they think they’re being a nuisance or fear that they’ll be held to blame for a false alarm. What companies need is an active culture of openness and an attitude which makes it quite clear that every report is welcome and valuable, regardless of whether the suspicion turns out to be justified. What’s more, there needs to be a basis of trust because you sometimes get reports that need discreet handling.

Alongside penetration tests for the security of IT systems, you also test the susceptibility of companies to social engineering. What exactly do you do?
For example, our experts simulate attacker phone calls, send phishing mails and distribute adulterated USB sticks. In their tests of security awareness, they don’t just focus on methods which are particularly popular with criminals and well known to the staff. The experts then go on to evaluate how often a link gets clicked on or the USB stick is inserted into the finder’s computer. This assessment is of course anonymous. The idea isn’t to name and shame individuals but rather to heighten the awareness of all the staff.

How aware do you think German companies are of this problem of social engineering?
Until a few years ago, data protection was only an issue at work for most people, and even there it wasn’t talked about much. More recently, however, data protection and security have become omnipresent in our private lives too. It might be that we’ve signed a privacy statement at the doctor’s or are looking to protect the data on our smartphones. This is all having the desired effect of getting people to bring these private concerns into their working lives. I’m glad to say that we hardly ever come across the notorious Post-It note under the keyboard with the password during our audits these days. Although awareness of social engineering has improved somewhat, there’s still further to go. Most companies are mainly investing in technical measures like IT security systems and physical access controls. But this is only the first pillar of security and no substitute for a sensible degree of security awareness. The appointment of security officers has been shown to have had a positive effect here. A security officer can use occasions like induction events for new staff or awareness measures to raise the profile of the issue internally. In this way, what is generally seen as a tedious security issue will increasingly become second nature. You do of course also have to impress upon staff members that major security incidents can also put jobs at risk. Everyone is responsible for protecting his or her working environment - this is a crucial message.


Tobias Kippert is an IT graduate and product manager for Business Security & Privacy at TÜViT.
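The evaluation step Kippert describes for awareness tests (how often a phishing link is clicked or a dropped USB stick is plugged in, assessed anonymously rather than per person) is easy to get wrong in practice: a "per department" breakdown quietly identifies individuals once a department is small enough. The following is an added example, not TÜViT's own tooling, showing one way to aggregate simulation results so that each recipient is counted once per lure, identifiers never reach the report, and any group below a minimum size is only reported inside the overall totals. The event log, department names and the `MIN_GROUP` threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log of one simulation run: (recipient, department, lure, outcome).
# Recipient IDs are used only to count each person once; they never appear in the report.
SAMPLE_EVENTS = [
    ("u01", "accounts", "phishing_mail", "clicked"),
    ("u02", "accounts", "phishing_mail", "reported"),
    ("u03", "accounts", "phishing_mail", "ignored"),
    ("u04", "accounts", "phishing_mail", "clicked"),
    ("u05", "accounts", "phishing_mail", "ignored"),
    ("u06", "sales", "phishing_mail", "clicked"),
    ("u07", "sales", "phishing_mail", "clicked"),
    ("u08", "sales", "phishing_mail", "reported"),
    ("u09", "sales", "phishing_mail", "ignored"),
    ("u10", "sales", "phishing_mail", "ignored"),
    ("u11", "legal", "phishing_mail", "clicked"),    # legal has only two recipients:
    ("u12", "legal", "phishing_mail", "ignored"),    # a separate row would identify u11
    ("u01", "accounts", "usb_drop", "inserted"),
    ("u02", "accounts", "usb_drop", "reported"),
    ("u03", "accounts", "usb_drop", "ignored"),
    ("u04", "accounts", "usb_drop", "ignored"),
    ("u05", "accounts", "usb_drop", "ignored"),
    ("u01", "accounts", "usb_drop", "inserted"),     # duplicate event for the same person
]

# Outcomes that count as having fallen for the lure (assumed labels, not a standard).
FELL_FOR_IT = {"clicked", "inserted"}
# Smallest group that may be reported on its own (assumed threshold).
MIN_GROUP = 5


def _rates(people):
    """Compute recipient counts and rates from {recipient: set(outcomes)}."""
    n = len(people)
    fell = sum(1 for outcomes in people.values() if outcomes & FELL_FOR_IT)
    reported = sum(1 for outcomes in people.values() if "reported" in outcomes)
    return {
        "recipients": n,
        "fell_for_it": fell,
        "reported": reported,
        "failure_rate": round(fell / n, 2),
        "report_rate": round(reported / n, 2),
    }


def summarise(events, min_group=MIN_GROUP):
    """Return {(lure, group): stats}, where group is a department name or "(all)".

    Each recipient is counted once per lure even if several events were logged.
    Departments with fewer than min_group recipients for a lure are not listed
    separately; their recipients are included only in that lure's "(all)" row.
    """
    # (lure, department) -> recipient -> set of outcomes
    per_dept = defaultdict(lambda: defaultdict(set))
    # lure -> recipient -> set of outcomes (for the totals row)
    per_lure = defaultdict(lambda: defaultdict(set))
    for recipient, dept, lure, outcome in events:
        per_dept[(lure, dept)][recipient].add(outcome)
        per_lure[lure][recipient].add(outcome)

    report = {}
    for (lure, dept), people in per_dept.items():
        if len(people) >= min_group:
            report[(lure, dept)] = _rates(people)
    for lure, people in per_lure.items():
        report[(lure, "(all)")] = _rates(people)
    return report


def suppressed_groups(events, min_group=MIN_GROUP):
    """List the (lure, department) pairs that were folded into the totals only."""
    per_dept = defaultdict(set)
    for recipient, dept, lure, _outcome in events:
        per_dept[(lure, dept)].add(recipient)
    return sorted(key for key, people in per_dept.items() if len(people) < min_group)


if __name__ == "__main__":
    for key, stats in sorted(summarise(SAMPLE_EVENTS).items()):
        print(key, stats)
    print("not reported separately:", suppressed_groups(SAMPLE_EVENTS))
```

The report only ever contains lure names, department names and counts, so the anonymity promise does not depend on who gets to see the output; the duplicate `u01` event shows why counting recipients rather than raw clicks matters for the rate, and `suppressed_groups` lets the security officer see which departments were too small to break out without revealing who was in them.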