What’s this Social Engineering stuff all about?
I’m writing this blog to help educate anyone who’s interested in social engineering. Full disclosure: much of my job is to ethically “steal” information or access sensitive areas. After the engagement, I’ll issue a report letting the client know where their security was lacking and how resistant they are to specific attack types. This type of work could be called social engineering and/or physical penetration testing. This is the first post in a series designed to give you an inside view of what goes into working in social engineering. These posts will include short stories of social engineering attacks, why the attacks worked or didn’t, and how to resist specific attack tactics. I hope that you will find these stories entertaining and educational, and enjoy reading them as much as I have enjoyed experiencing them. Before getting into a bunch of stories, we should first define social engineering and introduce a few key statistics.
Let’s define social engineering
“What is social engineering?” If you type that question into a search engine, you’ll find everyone has their own definition, and many of them sound extremely negative and scary. Kind of makes you think that you need to read their posts right away so you don’t fall victim to a social engineering attack too… see what they did there? It’s a bit ironic to see so many people using a few social engineering tactics when they define social engineering.
So, let’s remove some of this fear mongering and strive for a more neutral definition. Social engineering: the use of imagery, words, or body language to elicit a desired action from an individual or group. Social engineering isn’t inherently good OR evil. In most cases, the tactic that’s used has more good or evil attached to it than the actual intent. Everyone uses social engineering and, in turn, is socially engineered just about every day. An example could be a kid asking a parent for some money. How they ask will dictate whether they get their desired outcome. A clever kid will know the right time and the right way to ask when trying to influence their parent. If it works, they walk away with the cash; if not, they will just try again later. Social engineering is all about influence. Understanding that is the first step in resisting it.
As far as tactics go, there are a lot of them, but most can be classified into three primary types. Some more advanced tactics use a combination of these types.
Social engineering types:
- Electronic – Attacks seen on computers through email or websites are the most common.
- Telephone – Calls from people impersonating someone else, in order to get your information.
- Physical – Someone or something you interact with, in person, that attempts to influence you.
Over the years, I’ve collected a lot of data on what works and what doesn’t. I should frame this by saying the clients that ask for these engagements come from every line of business: banking, healthcare, manufacturing, retail, legal, the list goes on and on. Some tactics work better than others on businesses. So, let’s get into some numbers quickly and see what’s happening out there.
Success rate averages by type:
Electronic Social Engineering:
- Phishing: click rate 14.13%
- Spear phishing: credentials obtained 23.23%
Telephone Social Engineering:
- Vishing: sensitive information obtained 9.38%
Physical Social Engineering:
- USB drop: software run on company system 8.33%
- Physical access: gained access to restricted or secure areas 100%
These numbers were the results as of 8/15/2017. As you can see, some attack vectors are more successful than others. The last statistic on physical access is particularly striking. It didn’t matter if there was a security guard posted out front and two-factor authentication on a data center door, I still got in. But that’s a story for another post.
It seems that with enough time and determination, all physical and technical controls at a company can be bypassed. There’s a likelihood of success for each one of these attacks. The question is, what can you do to reduce that likelihood? What group of people has the time and ability to test how your organization responds to social engineering attempts? What tactics were used? Why did they work? Why didn’t they work? Those are the main questions I’ll be focusing on in the next articles. Please feel free to share your own experiences with social engineering in the comments section, or visit our social engineering page to learn more about FRSecure’s social engineering services.