Most successful cyberattacks against organizations and households start with the exploitation and manipulation of the human element through social engineering; that much is well established. The question I will attempt to answer in this article is why: what causes social engineering to succeed? Why is social engineering regarded as one of the most effective ways to hack into organizations? According to the Hebrew version of Wikipedia, the dictionary definition is as follows: "Social Engineering is a concept that means the exploitation of a person's psychological characteristics in a way that may lead that person to comply with the requests of the hacker. This method makes it possible to bypass all of the technological security mechanisms (such as antivirus, firewall, etc.) and relies on the fact that all information systems were intended to provide services to users, and those users possess the means to access the information the hacker wants to obtain."
Social engineering attack vectors include Phishing, Spear-Phishing, Smishing (SMS-Phishing) and Vishing (Voice-Phishing), as well as impersonation and physical intrusion into facilities. Attackers also use other methods to obtain information and/or to break into an organization, such as Shoulder Surfing, Tailgating, Dumpster Diving, and many others. The role of the social engineer has become a profession in its own right, one that calls for attention to detail, acting skills, and self-confidence beyond "classic" hacking skills.
What stands behind the concept of "Social Engineering"? What is the special element that lets a skilled attacker exploit the human element so reliably? To explain the secret of that success, we have to travel back in time to the 1960s and the Milgram experiments. Stanley Milgram was a professor of psychology who conducted experiments in social psychology at Yale University. His series of experiments measured subjects' willingness to obey authority against their personal conscience.
In his most famous experiment (Milgram's Second Experiment), Milgram explained to the participants that they were about to participate in a study that tests the effectiveness of punishment on the learning process. He assigned the roles so that the subject believed he had received the role of "teacher" through a random draw, while the other participant (an actor) had received the role of "learner." An authoritative researcher (another actor acting as a professor of psychology) ordered the "teacher" to administer an electric shock, by pressing a button, every time the "learner" made a mistake, namely – gave the wrong answer to a question.
The researcher instructed the subject to increase the voltage of the electric shock by 15 volts after every mistake. In reality, the "learner" received no electric shocks at all, but reacted as if he had. When the voltage level reached 150 volts, the actor playing the "learner" asked for the experiment to stop, but the researcher said that the experiment must continue. The actor went on to display growing discomfort and pain, expressing concern for his personal safety if the electric shocks persisted. "Teachers" who wanted to discontinue the experiment were told by the researcher that he (the researcher) would assume full personal responsibility for the results of the experiment and for the safety and well-being of the "learner," and that the experiment must continue.
So, what in fact happened here? Milgram "built" the situation and the conditions that subordinated the subjects to the influence of the "researcher," to the extent that most of them went on to commit acts that contradicted their conscience and will. Milgram "framed" the situation. In other words, he shaped the conditions and the psychological context to lead the subjects to do the unthinkable: torture other people by administering electric shocks.
The "Framing" Principle
Milgram's experiment is an excellent example of the principle that I consider the most important in the world of social engineering: "framing" the situation, or in other words, the context is more important than the content. The secret to the success of social engineering is the careful construction of a situation through which the social hacker can motivate the victim to perform certain acts or divulge the information the hacker seeks. Whether the hacker uses an attack vector based on e-mail (Phishing and Spear-Phishing), telephone calls, text messages, impersonation or physical intrusion into the organization's premises, a good hacker will always develop the situation so that the victim feels comfortable divulging the information.
Take the Spear-Phishing vector, for example: the entire process in which the hacker "builds" the e-mail message and "custom-tailors" it to the victim is, in fact, a "framing" process intended to lead the victim to click on the malicious link or attachment. Such a message may be intimidating, like a message from the boss, or it may "frame" its contents as a message from the victim's "best friend."
Another example: the social hacker may "frame" the situation so that the victim performs the act or hands over the information, such as a telephone call from the organization's "IT and Support Department" that convinces the victim to reveal his password, or a call from the victim's "Insurance Company" that convinces him to divulge confidential personal data.
In the same way, hackers use the "framing" principle to gain physical access to facilities and organizations. Who would stop a messenger wearing a helmet when he arrives to deliver a package? Who would suspect a preliminary telephone call informing the secretary that a technician from the telephone company will arrive at a certain date and time and will require an access pass? Building the situation is one of the fundamental principles of social engineering, and social engineers employ many different methods for this purpose, including creating commitment, invoking authority, and so on. A skilled social hacker builds (or "frames") the appropriate situation, thereby setting the scene for exploiting the victim.
Protecting Against Social Engineering
Protection against social engineering attacks consists of three tiers. The first tier is controls and security systems: control and enforcement mechanisms, authorization management, job rotation, the four-eyes principle and so on. The second tier is procedures: proper work processes, the Do's and Don'ts, and clear role boundaries for every business process. The third tier is awareness, because there is a good chance that the attacker will bypass the security systems. In that case, the defending side should have good knowledge of the attack vectors, practiced countermeasures for these methods, and the ability to recognize them; above all, it must avoid responding automatically. Always "count to three" and review the e-mail message before clicking on links and attachments.
Awareness contributes to effective security by persuading employees to work according to the organizational procedures. Teaching employees to recognize social engineering methods and to protect themselves against them is an effective and low-cost way to strengthen the organization's security posture and minimize the chances of a successful social engineering attack.
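The "message from the boss" described above leaves traces in the e-mail headers that the first tier (controls) can catch and the third tier (awareness) can be trained on. The following is an added example, not code from the original article: a few header checks for the classic framing cues of a spear-phishing message, namely a familiar display name on an unfamiliar address, a lookalike copy of the organization's own domain, a Reply-To that silently redirects answers elsewhere, and manufactured urgency in the subject. The internal domain `example.com`, the executive "Dana Levy", the 0.8 similarity threshold and both sample messages are constructed for the demo.

```python
"""Spot the framing cues of a spear-phishing e-mail in its headers.

Added example, not from the original article. All domains, names and
messages below are constructed for the demo.
"""
from email import message_from_string
from email.utils import parseaddr
from difflib import SequenceMatcher

# Assumed: the defending organization's mail domain and the people whose
# names an attacker would borrow for a "message from the boss".
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"dana levy": "dana.levy@example.com"}

# Words that manufacture time pressure, the classic framing lever.
URGENCY_WORDS = ("urgent", "immediately", "asap", "today", "right away")


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_lookalike(domain: str, legit: str = INTERNAL_DOMAIN) -> bool:
    """True when domain is close to, but not identical to, the legit domain."""
    if not domain or domain == legit:
        return False
    # Assumed threshold: 0.8 catches single-character swaps like examp1e.com
    return SequenceMatcher(None, domain, legit).ratio() >= 0.8


def analyze(raw_message: str) -> list[str]:
    """Return a list of framing indicators found in the message headers."""
    msg = message_from_string(raw_message)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    name, addr = name.strip().lower(), addr.lower()
    from_domain = domain_of(addr)

    # 1. Familiar display name, unfamiliar address: impersonating the boss.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        findings.append(f"display name '{name}' does not match {EXECUTIVES[name]}")

    # 2. Typosquatted copy of our own domain.
    if is_lookalike(from_domain):
        findings.append(f"sender domain '{from_domain}' resembles {INTERNAL_DOMAIN}")

    # 3. Replies quietly routed to a different domain than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To domain '{domain_of(reply_to)}' differs from sender domain")

    # 4. Manufactured urgency in the subject line.
    subject = msg.get("Subject", "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append(f"urgency cue(s) in subject: {', '.join(hits)}")

    return findings


# Constructed sample messages: one genuine, one "from the boss".
LEGIT = """\
From: Dana Levy <dana.levy@example.com>
To: ron@example.com
Subject: Q3 numbers

Ron, the deck is on the shared drive.
"""

SPEAR_PHISH = """\
From: Dana Levy <dana.levy@examp1e.com>
Reply-To: dana.levy.ceo@gmail.com
To: ron@example.com
Subject: URGENT: wire transfer needed today

Ron, I'm in a meeting, please handle this immediately.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spear-phish", SPEAR_PHISH)):
        print(label, analyze(raw) or ["no indicators"])
```

None of these checks is proof of an attack on its own; an external partner may legitimately set a Reply-To, and the boss really may send an urgent request. The point is that each indicator is a piece of the frame, and a message that trips several of them is exactly the one where the "count to three" rule should kick in before anyone clicks or wires money.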
Guy Dagan is a partner in ConSienta and an expert on changing corporate culture toward secure culture