"You'd be surprised at what you can get away with, or into, if you just carry a ladder around," said Greg Iddon, Sophos security specialist, presenting at IP Expo 2016.
The point is that a prop such as a ladder or a high-vis jacket is exactly the costume needed to disarm most people: instead of an intruder, they see someone who has come to change a lightbulb or fix an air vent. If you are so inclined, it really is a great way to get into private facilities. This, said Iddon, is called pretexting, or more colloquially, blagging your way in.
The presentation didn't address hacking computers as such, but rather hacking humans, or, as it is more formally known, social engineering.
The methods are not new, but they remain pervasive. Phishing, which Iddon described as "casting a line and seeing what you can catch", is still the most commonly used lure for remote exploitation. Typically an attacker sends out thousands, if not millions, of emails and simply waits for the few recipients who click the malicious links or open the malicious attachments. It doesn't necessarily net the highest return per message, but email phishing remains reliable enough to be the most popular lure around.
Spear phishing is merely a more sophisticated, targeted version of phishing. Here the emails are tailored to their targets and borrow credibility from someone the target already trusts. Sometimes a message will appear to come from someone's boss, telling them to transfer money into a particular account; other times it takes a roundabout route to exploit an individual or organisation. For instance, said Iddon, a CEO might be fooled by an email that appears to come from their elite golf club, only to find a short while later that they've "destroyed their company's entire IT infrastructure".
Baiting involves leaving a trap and waiting for someone to spring it. The classic example is the stray USB key that an employee finds in the car park, picks up and plugs in to see what is on it, only to find malware. By the time they discover it, the malware is already making its way through the company's systems.
Shoulder surfing is comparatively simple: you watch someone's hands or keystrokes as they type in a password. In recent years, said Iddon, it has evolved to take advantage of tools such as the slow-motion video function of the iPhone camera, which lets an observer replay fast typing at leisure.
Social engineering is especially troublesome because it is not always what security teams are looking for. While your CISO may be watching for anomalies in network traffic, they might not give a second thought to the stranger they just directed to the finance department because he was carrying a toolbox. Whatever the technical expertise of an adversary, it would be a mistake to underestimate this kind of exploitation.
In fact, it's a discipline far older than hacking: social engineering is simply a confidence trick, and is perhaps better called by its simpler name, con artistry. With the age-old weapons of friendliness and charm, any organisation can be 'hacked into'. According to Iddon, few large breaches have done without it: "Social engineering almost always plays a part in these large breaches."
So how to ward against this? Well, you're going to have to make sure that employees know they, too, have been conscripted into the security team.
Never make hasty decisions: “Bad guys want you to act now and think later,” said Iddon, reminding the audience not to let someone's urgency affect your decision.
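The two red flags described above, an email that merely looks like it comes from the boss and a message that pushes the reader to act now, can be codified as a triage heuristic. The following Python is an added example written for this page, not code from Iddon or Sophos: the executive list, the internal domain, the urgency phrases and both sample messages are constructed assumptions, and the checks are illustrative heuristics rather than a complete mail filter.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed assumptions: people worth impersonating, the domain their mail really
# comes from, and the wording the talk warns about ("act now, think later").
EXECUTIVES = {"Jane Doe": "example.com"}
INTERNAL_DOMAINS = {"example.com"}
URGENCY_PHRASES = (
    "urgent", "immediately", "right away", "act now",
    "before end of day", "can't talk", "wire transfer",
)


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an email address ('' if absent)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess_message(raw: str) -> list[str]:
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Check 1: display-name impersonation. The visible name matches a known
    # executive but the address behind it is not on the organisation's domain.
    name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = _domain(addr)
    for exec_name, exec_domain in EXECUTIVES.items():
        if name.strip().lower() == exec_name.lower() and sender_domain != exec_domain:
            findings.append(
                f"display name '{name}' matches an executive but sender domain is "
                f"'{sender_domain or '(none)'}', expected '{exec_domain}'"
            )

    # Check 2: replies silently redirected to a different domain than the sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != sender_domain:
        findings.append(f"Reply-To '{reply_addr}' points away from the sender's domain")

    # Check 3: pressure language in subject or body, the "act now" cue from the talk.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [phrase for phrase in URGENCY_PHRASES if phrase in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    return findings


# Constructed sample: a CEO-fraud style lure sent from a look-alike external mailbox.
SAMPLE_CEO_FRAUD = """\
From: Jane Doe <jane.doe@ceo-mail.example.net>
To: accounts@example.com
Subject: Urgent wire transfer

I'm in a meeting and can't talk. Please send the wire transfer right away,
it has to go out before end of day.
"""

# Constructed sample: an ordinary internal message from the real executive.
SAMPLE_INTERNAL = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 forecast

Attached is the forecast for review at next week's meeting.
"""

if __name__ == "__main__":
    for label, sample in (("CEO fraud", SAMPLE_CEO_FRAUD), ("internal", SAMPLE_INTERNAL)):
        print(label, "->", assess_message(sample) or ["no findings"])
```

The point of the example is the shape of the checks rather than the word list: each finding maps to one of the cues the talk describes, so a mail-security team can tune the lists without changing the logic. Treat the output as a prompt for a human to slow down, which is exactly Iddon's advice, not as an automatic block.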
There are, of course, obvious things you can do. Leaving security products improperly configured, or switched off, is a misstep that too many organisations make: "Anything you've got in your arsenal that you've paid for, use it." It also helps to treat unsolicited messages and phone calls with suspicion, and never to give away personal information in response to them.
Above all, “Don't be so helpful” to those carrying ladders.