Last week, we covered the Social Engineering Capture the Flag event at this year's DEF CON, which exposed how too many large companies are still falling for hackers with the plain old gift of the gab – so-called social engineers. Shockingly, contestants were able to gain access to secure company systems by duping employees at major firms, using only publicly available information found on websites and social media.
Today, we spoke to Alex Balan, Head of Product Management for security and antivirus firm BullGuard, about the growing threat of social engineering, and what companies can do to protect themselves.
The days of the purely technical hacker are over, Balan told us.
"People without imagination will basically use tools," he said. "They'll fire up Metasploit or some tool used to hack, and they'll be more or less successful depending on how well the company's security is configured. And on the other side of the barricade, you have the CSO or the CISO making sure the web firewalls and the intrusion detection systems are in place."
This arms race is almost as old as computers themselves.
"But, social engineering is an area that is not covered enough in most of the companies that I know," Balan told us. "Including security companies."
This is based on work he's done for several companies, performing audits of security systems and protocols.
"Companies don't do enough security training for their employees," he said.
"There should be military-style drills. Every now and then, there should be a drill where someone tries to social engineer his way into someone's account. These exercises should be run by the security division of that company."
"They should also do periodic drills to see how well their employees react to social engineering."
So will social engineering play a greater role in security threats as technology advances? Balan isn't convinced.
"Security as a concept may evolve from a technological standpoint, and so will the threats – but social engineering will stay the same. This will be the case in a thousand years, not a hundred years."
The problem is the premeditated and meticulously-planned nature of social engineering attacks.
"Social engineering is targeted," Balan told us. "And usually targeted attacks are the ones that are the most dangerous, that have the most advanced methods of attacks. And they're usually the ones that people are the least prepared for."
So should we despair? No, says Balan, so long as a number of common-sense steps are taken to manage the risks.
Any company should have a security division, even if it's outsourced. Perform drills. Even if it happens twice a year, it's better than never. Enact basic best practices, like using paper shredders and disk drive destroyers so nothing can be recovered from old systems.
With these steps, companies should be able to tighten up their operational security and prevent these breaches from occurring. Unfortunately, we may never move beyond a world where social engineering is a threat.
"The problem is that there are no warning signs," Balan told us. "If you have a warning, then you can get on your toes and be on the lookout."
The problem is that social engineers ensure the success of their attacks with immaculate planning and a long campaign of information gathering on their unfortunate targets. As Balan added, "the attacker only has one shot."
"Usually the attack is already successful by the time suspicions are aroused. What usually happens is that from the first phone call or the first email, the weakest link has already fallen into the trap.
Data access control is the number-one answer to tightening your security.
"It's important to decide who can access what data," Balan said. "Sometimes the janitor at a company has more access than security officials. Personnel like this can be easily plied, and this is another area of vulnerability."
So should small businesses be worried, as well as massive multinationals?
"Usually small businesses aren't of interest to hackers," Balan said, "because they don't have large databases of users, and they're not high profile enough to make the news."
However, he made sure to mention that "if a small business was targeted, it would have a much greater chance of falling victim to such an attack, because they don't have CSO, they don't have a security division, and they're not that aware of what security means."
Image: Flickr (Andrew St. Clair)