When a person reaches the point where they have eliminated the vast majority of their personal data from online sources, it brings a certain sense of comfort and the fulfillment of a job well done. If you are able to remove your information from those hard-to-reach, specialized databases, then you have gone further than most will ever go in the pursuit of information removal. Someone who has committed to changing their personal habits and has made lifestyle changes that positively affect their privacy and security is so far ahead of what most people achieve that they are enjoying a much more private existence. They are safer because of this effort and much more aware of how to avoid compromising their most precious information. We always need to be learning new methods, though, because our adversaries never stop learning either.
So, what is it that keeps a privacy advocate up at night? After achieving a level of awareness and privacy above and beyond what most people have, what is it that helps them maintain that focus? It would be easy to sit back and be complacent. Complacency is not part of your personality, though, if you have taken a serious stance on protecting yourself and your family. With this article, I wanted to discuss what I believe is the biggest threat to anyone who wants to safeguard their personal information, regardless of how well you have ‘hidden’ yourself and locked down your operational security protocols.
Social engineering is the art of manipulating people so that they give up confidential information. Another definition is that social engineering is the ‘art’ of exploiting human behavior to breach security without the participant (or victim) even realizing that they have been manipulated. Social engineering uses human error or weakness to gain access to information despite the layers of defensive security controls that have been implemented to prevent that access. The ultimate security wall is the human being, and if that person is lied to or manipulated into cooperating with the attacker, the gates are wide open for the intruder to reach what would otherwise have been unreachable.
Companies spend billions of dollars each year to secure their infrastructure and protect information. You may have spent hundreds of hours, or even years, protecting your personal information from hackers, stalkers, criminals, and other threats to your privacy and security. A social engineer takes advantage of the natural tendency to relax one’s guard when things appear to be secure.
From an interview of Kevin Mitnick, an infamous hacker in the 1980s and 1990s, with the BBC News Online:
“The biggest threat to the security of a company is not a computer virus, an unpatched hole in a key program or a badly installed firewall. In fact, the biggest threat could be you.”
“What I found personally to be true was that it’s easier to manipulate people rather than technology. Most of the time organizations overlook that human element.”
Let’s take a look at a simple example of the type of attack that may be possible if an attacker wanted to obtain your physical address, that one critical piece of information you need to protect if physical security matters to you. In this example, we assume that you have removed your information to the extent that it is not discoverable online. The social engineer knows only your name and the company where you work.
It would take only a few minutes of searching online to find a phone number for your company’s Human Resources Department. The name of your HR Director may also be available. After researching the name of the company that provides supplemental health insurance to the employees at your company, the attacker places a call to your Human Resources Department. Perhaps the attacker uses a female voice, which may be perceived as less suspicious or threatening by the HR employee who receives the call.
The caller introduces themselves as a representative from AFLAC (or whatever supplemental health insurance your company has). The caller then explains that they are temporarily covering the duties of John Smith (your AFLAC rep) while John is out on leave. The caller explains that they need to send YOU a claim form for a recent claim with their insurance, and that they need your home address in order to overnight the paperwork. Your helpful HR employee, after hearing a perfectly reasonable explanation of why the information is needed, provides the caller with your home address, and a phone number in case that is needed too. The caller makes some additional small talk while writing down your address, hangs up, and is now in possession of your most protected piece of information.
Many companies and government agencies require their employees to have a true physical address on file; it would be a violation of policy not to have that information on record with HR. In the example above, all of your safeguards and efforts to ‘hide’ were quickly unraveled by a clever social engineering attack. The attacker, armed with just enough information to sound credible, took advantage of a well-meaning and helpful employee who had no idea they were being manipulated. What the attacker may do with your physical address is the reason you may rest uneasily when thinking about these situations.
Social engineering attacks can be even simpler, like dumpster diving for information. They can also be much more sophisticated. The avenues of attack are limited only by the imagination. Being aware of social engineering threats is the first step to combating them. Run scenarios like the example above through your mind, and consider whether there is anything you can do to stop them. Notice that the attack above works because the address is released to an inbound caller on the strength of a plausible story; a simple verification step, such as HR calling the insurer back on a number already on file, or asking the claimant to supply the address themselves, would defeat this particular pretext. I have spoken to HR professionals using the example I gave, and have been told that such an attack would most likely succeed. It was scary to hear that, and it created some constructive dialog on how employee information could be protected to an even greater extent. Remember, most people (including your HR Department) probably don’t spend much time considering these types of threats. Your IT Department is probably more aware of such vulnerabilities because technology infrastructures are so often targeted.
Social engineering is a fascinating topic, and it is an art form; like many other things, it can be used for positive or negative outcomes. Awareness is the key, and as we pursue protecting our data, we should never stop learning how we may be vulnerable. I think losing a little sleep is a good thing if the end result is finding a way to lock down an attack surface you hadn’t considered yet. You may also be able to identify others who hold your information and discuss ways to better protect it.
The links below offer more insight into social engineering, including a website and podcast dedicated to helping businesses and individuals protect themselves from such attacks. Take time to explore this topic and you will find tips on how these skills can be used to enhance your operational security. As always, share what you know to help others. Thanks for reading.