Disruption Can Wound or Kill, With or Without Social Engineering

Posted on by Christopher Burgess

The realization that your team is in the sights of individuals performing social engineering attacks is alarming. To think the information they elicited or the actions they induced were used to perform attacks involving your customers—well, you'd naturally feel panicked. But what if you were that customer, whose data or whose network has been made vulnerable by the actions of your team? Think it could never happen? Think again.

Over the course of the past few months, there have been a number of incidents detailed in the media where a company's customer information was compromised to significant deleterious effect. As the public continues to follow the various breaches, those who have personal experience with the effects are watching even more closely.

As we watch and see that social engineering played a role in the data collection phase or the credential compromise phase of the criminal activity, we must collectively look introspectively and ask the question—"what about us?" It was unfortunate that the payment network and the smart-energy command and control network of the Target breach were utilizing the same network infrastructure. The subsequent realization that this co-utilization was one of the factors that made the breach activity possible no doubt served as a wake-up call to many companies with similar architectures.

In one high-profile case, an individual found himself to be the victim of extortion when a skilled social engineer compromised his online accounts and infrastructure. According to the first-person account of Naoki Hiroshima, he found that his Twitter user ID (the single-character handle @N) was a desired commodity, and a criminal went to great lengths to make Hiroshima's life uncomfortable by socially engineering his way through the customer service department of Hiroshima's domain host. In this case, the domain host agreed that the company's training on social engineering methodologies failed and that the customer service representative went off-script. The domain hosting company noted that the individual conducting the social engineering had accumulated a sufficient amount of information on Hiroshima's persona that he was able, with knowledge-based authentication, to "then socially engineer an employee to provide the remaining information needed to access the customer account."

The potential devastation to Hiroshima's email and Internet infrastructure was not hypothetical. The criminal accessed Hiroshima's accounts, changed the passwords, and took control of his email; from those accounts, it was simply a matter of initiating a password reset for one of Hiroshima's social media accounts and threatening to do the same to his other accounts. Ultimately, he threatened to destroy and release all of Hiroshima's website domains if Hiroshima did not cooperate and hand over the @N Twitter handle.

As detailed in an extensive analysis of the Hiroshima case, the criminal's social engineering tactics successfully convinced a customer service representative to essentially bypass the technology checks and policies and to negate his/her security training—all in the name of being "cooperative."

In many cases, the potential for a serious or mortal wound is very real. The side doors into companies via extranet connections have been exploited by criminals who obtained network credentials from a partner or client company that had legitimate access to the company network. The need to train not only your own personnel, but also those who access your systems, is very real.

The adage that you are only as strong as your weakest link is a demonstrated reality. In Hiroshima's case, he was facing a very real situation where his ability to function using his online assets was disrupted. Without access to his email and archives, and with his website domains all removed and released, he was well on the way to his online identity being considered dead. The successful use of social engineering by one human against another, a methodology present for thousands of years and destined to continue, was once again demonstrated as a viable avenue to compromise.

It is human nature to be helpful, and that is a powerful instinct, but it is also the most exploited. When it comes to security protocol, process, and access, the playbook has to be clear on access control—customer service representatives need to know that the exploitation of knowledge-based questions as an authentication methodology is a very real threat, and they need to be trained to recognize these attacks.
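As an added illustration of the access-control playbook this paragraph calls for (example code written for this page, not the domain host's or any vendor's actual system): a recovery-desk decision function in which knowledge-based answers alone never authorise a high-risk change, an agent's off-script override is escalated rather than honoured, and a detection pass flags accounts that are being worked repeatedly. The action names, record fields and threshold are assumptions.

```python
from dataclasses import dataclass, field
from collections import Counter

# Constructed policy model for illustration, not a real help-desk workflow.
# Changes an attacker would chain together (mail takeover, then domain loss).
HIGH_RISK_ACTIONS = {"reset_email_password", "transfer_domain", "change_recovery_email"}


@dataclass
class RecoveryRequest:
    account: str
    action: str
    kba_passed: bool                # security questions / card last-4 style checks
    possession_verified: bool       # one-time code to a device or address already on file
    agent_override: bool = False    # the rep wants to "be cooperative" and skip a step
    audit: list = field(default_factory=list)


def decide(req: RecoveryRequest) -> str:
    """Return 'allow', 'deny' or 'escalate'. Knowledge-based answers alone never
    authorise a high-risk change: researched or leaked facts are not a secret."""
    if req.action not in HIGH_RISK_ACTIONS:
        req.audit.append(f"{req.account}: low-risk {req.action}, KBA sufficient")
        return "allow" if req.kba_passed else "deny"
    if req.possession_verified:
        req.audit.append(f"{req.account}: possession factor verified for {req.action}")
        return "allow"
    if req.agent_override:
        # Off-script handling is recorded and handed to a second person, never honoured.
        req.audit.append(f"{req.account}: override attempted on {req.action}, escalated")
        return "escalate"
    req.audit.append(f"{req.account}: KBA only, no possession factor, {req.action} denied")
    return "deny"


def flag_repeat_targets(outcomes, threshold=2):
    """Detection view over (account, action, result) records: accounts with repeated
    non-allowed high-risk attempts, the signature of someone working the desk
    for one specific victim."""
    hits = Counter(acct for acct, action, result in outcomes
                   if action in HIGH_RISK_ACTIONS and result != "allow")
    return sorted(a for a, n in hits.items() if n >= threshold)
```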

Christopher Burgess, Prevendra Inc.

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
