When the words "security threat" and "social engineering" are used together, the hand-in-glove analogy fits. At the RSA Conference 2014, this was adroitly explained in the session "When the Phone Is More Dangerous Than Malware," presented by Christopher Hadnagy and Michele Fincher of Social-Engineer, Inc., who walked attendees through how social engineers collect, sort, filter, and target specific information from within a company. To be clear, Hadnagy and Fincher operate as white hats: they work on behalf of their clients, so no personal or professional trust is abused and no laws are broken. Their clients bring them in to mimic the methods of unscrupulous competitors or criminals and to measure how well the company performs at keeping company and customer information secure. Attendees had no trouble extrapolating how an individual or group with malevolent intent could use the same techniques against their own organizations.
Social engineering is the act of manipulating or influencing a person into taking an action that may or may not be in his best interest. Understanding how your employees could encounter social engineers is important. As Hadnagy and Fincher explained, social engineers may approach via phishing emails, telephone pretext calls, or physical impersonation. And remember that the adversary has all the time in the world to collect the information needed to decide which vector will most reliably penetrate your company. For that reason, the adversary's data-collection phase is one of the most important parts of the exercise.
You may not think that the information you share with friends or family could be a security threat, but think again. Surveying social networks, combined with company websites, job postings, public presentations, and other publicly available records (SEC filings, state filings, and the like), yields pieces of information that together form the attack path to your sensitive data. The material collected ranges from small tidbits, such as the address of a facility, to true treasures, such as a presentation on the company's information technology architecture or an employee directory. It is during this collection phase that the gears begin to turn and the plan for setting the hook takes shape.
During the second phase, which Hadnagy and Fincher call "profiling," the goal is to determine the company's culture, sleuth out vulnerabilities specific to that company, identify the email system and conventions it uses, and understand the policies and processes governing the release of information. The key is to identify the weak links in the targeted company's security posture and to single out specific individuals from the data acquired during the collection phase. Once those targets are chosen, the social engineer works out their hobbies, likes, and dislikes, all of which are useful for persuading the individuals to trust him.
Keeping in mind that the intent is to separate your employee from her information, the social engineer then chooses the attack vector. It could be a phishing email, a social network friend request, a telephone call, or even a physical encounter. As noted above, the social engineer has already gathered the information needed to determine what will resonate best and carry the highest probability of success.
How employees react when a social-engineering attack reaches their screens or phones is the key to deflecting it. If personnel are trained to handle pretext calls, spoofed emails, and in-person approaches, the odds of a successful compromise of information drop considerably. That is not to say training offers a 100 percent guarantee, but the likelihood will be far closer to zero than it would be with no employee training at all.
Organizations that have been compromised may never even know it. And once a social engineer has blazed a path into the company, he will want to keep that path well maintained so that he can return again and again to harvest information. As Hadnagy and Fincher appropriately point out, education and testing must be ongoing, not "once and done."