The Human Firewall

We have firewalls and Intrusion Prevention Systems. We have passwords and encryption and VLANs and network segmentation and every type of cybersecurity device known to man… but none of that will stand up against the biggest vulnerability in our corporate organization: the end user.

In 1894 the Dutch industrialist JC Van Marken coined the term Social Engineering, proposing that social expertise be applied to the problems in his factories. His hope was to improve the lives of his employees by implementing programs and policies. He believed that social experts could help his workers to be happier and more productive.

I do not know where Kevin Mitnick first heard the term, but there is little doubt that he popularized it and applied it to the modern post-industrial world, and his goals as a social engineer were much less beneficial to the organization than the original intended meaning. The one-time most wanted hacker in the world, who would go on to found Mitnick Security Consulting, made the cybersecurity world take notice of how even the best security could be circumvented with a combination of guile, personality, and a decent understanding of the human condition. His four books are a master class on cybersecurity, but with the exception of one (The Art of Invisibility, 2017) none of them focus a great deal on technology. Why? Because in the modern era of technology, with few exceptions, it is easier to hack the human than it is to hack the system.

(In homage to Mr. Mitnick, I would like to point out here that while he was certainly no angel, he also never hacked for profit. He did it to see that he could, and to see how far he could go. The only profit that he made from actual hacking that I am aware of was at a trade show where a vendor offered a challenge: anyone who could hack their system would be paid $300. He and his friend succeeded, and the story goes that the vendor needed to go to the bank in order to pay for their dinner, because they were so confident that nobody would collect the prize. It was not until his release from prison that Kevin started earning a living from his skills by helping companies defend against the tactics he had used. Kevin Mitnick passed away in July of 2023, but he left behind a legacy that would help us to change the world of IT (and corporate) security… as well as his wife Julie and their unborn child.)

I remember in the Army we had stickers on every telephone that read The Enemy Is Listening! I suppose it is easier to make sure people are always vigilant in a war zone… but how do we convince our employees that they are part of the solution? How do we make them aware that loose lips really do sink ships… and companies? The answer is simple… but it is not easy.

In 2010 I was called in by a company that had been hacked. They had not just been hacked, their server infrastructure had been wiped out… and the hackers had thought ahead to wipe their backup tapes. It had all of the markings of an inside job… except it was not. It was a carefully planned intrusion that had taken weeks to put in place, and the cyber intruders were able to succeed because they had talked their way in. After we rebuilt the server infrastructure I created a 90-minute lunch-and-learn session which I delivered across the country to their staff, outlining the dangers of social engineering. I demonstrated how much damage could be done to a company whose employees were not ever-vigilant. I also outlined some of the TTPs – Tactics, Techniques, and Procedures – that the social engineer might use.

Of course it is not an HR clerk’s job to be a cybersecurity expert. However, in the modern era it is vital that we make it clear to our employees that security is everybody’s business; Security Awareness must be written into the job description of every employee.

When I teach my cybersecurity classes I often share stories from my past of how I have penetrated a company’s defenses. At this point I want it to be clear that I have done so only as an authorized agent of the company and, to the best of my recollection, I have committed no criminal act on a computer as an adult. I talk about how I was able to get through the door of a company because I was delivering pizza… and then walked around the offices looking for unlocked workstations, or better yet, yellow sticky notes with usernames and passwords on them. I also tell my audiences that for most competent cyber threat actors, physical access to your systems will mean access to your data.

Where do we begin? We need to stop trying to teach our employees what damage the company might suffer for their indifference, and begin to educate them on how their vigilance can protect them. Cyber attacks cost not only the company; they can cost the employee as well. If you do not believe me, then think of what you may have stored on your corporate desktop. Before you say that you have nothing personal on it, please think about whether you have ever logged onto any personal-use website (Facebook, LinkedIn, banking, e-mail or any other) from your company computer. Remember that saved passwords, as well as cached images and cookies, remain on the computer until proper steps are taken to wipe them. A cyber threat actor can talk their way into HR systems that hold personal information on every employee, including their home address, salary, and social security number. Cyber attacks absolutely cost the company, but we need to educate users that they can cost them directly as well.

I do not know what effect the one-time lunch-and-learn session that I delivered for that customer in 2010 had in the long term, because the company, even after being hit hard, still looked at cyber security as a goal to be achieved rather than as an ongoing process with no end. Similarly, end-user education cannot be a one-time session. We cannot expect the average employee to stay vigilant based on a single seminar… especially in a world that is evolving and morphing at an incalculable rate. Training must be ongoing and evolving as well… using a variety of methods to keep the employees engaged, such as gamification and activities. How often we conduct this training is going to depend on the company, but it should be on a regular basis – quarterly, twice-yearly or yearly, for example.

Who should we be training in cybersecurity and social engineering? That’s easy… everybody. That is not to say that every employee will receive the same level or type of training, but every single employee must receive both initial (as part of the on-boarding process) and periodic security awareness training. They should be tested on what they learn (the tests can be drills or scenarios or any other type), and they should be required to sign off that they received and understood the training. According to studies, people are more likely to pay attention if they have to sign that they did. There should be both company-wide and role-based training, and even your IT guys who think they are so smart (I’m one of them) should be given refresher training on a regular basis.

One definition that we use for social engineering is hacking the human. Unlike the technical controls that we implement, people make decisions based on emotions. That is why most social engineers rely on those emotions. Whether it be kindness, neediness, urgency, anxiety, or fear, the social engineer will play on these to try to get what they need from you. Think of these:

  • We are generally more likely to do something for someone that we like, so a social engineer will start very friendly, familiar, and genial.
  • Most of us like to offer assistance to those in need. If the social engineer projects that they need your help (and hey, based on the first point, you may already think they are a nice person), then you are more likely to offer assistance… even if what they need help with is generally not permitted. ‘I usually wouldn’t do this but…’ is music to the social engineer’s ears.
  • When there is a rush on something and the scenario that the social engineer lays out does not allow time for sober second thought, we might do or say something quickly that can be just what the social engineer needs.
  • In our corporate culture, and especially in a large organization, the higher up someone is on the chain, the more likely you are to do what they are asking. ‘I am calling from the office of the CEO and I need this now!’ can scare us into giving out information that we should not be giving to anyone who is not authorized, and the social engineer knows this.
  • We never want to be the reason something does not get done. A social engineer might call you saying that they are working with your coworker (who they have already verified is out at a meeting) and ask you to send them information that is time critical. When you tell them you can’t, they might say ‘Okay, but be sure to tell Suzie that she will have to miss her deadline because you refused to help me.’ The anxiety that you would be the cause of your coworker’s failure might convince you to send them what they need.

The social engineer is a master manipulator who knows how to press the right buttons to convince you to give them something that you should not. I was hoping that by now it would be a universally accepted rule that we do not ever share our passwords… but in the last three weeks I can think of four people who have written their passwords down for me. The password is, for most of us, the most obvious piece of information that we should not share. The social engineer is not likely to ask you for something like that, but if they ask you for a piece of information that seems innocuous, we would usually not think twice about it… especially if the person asking seems to belong. That is the problem… a few pieces of harmless information can be the pieces of the puzzle that the social engineer needs to get at what they are really after.

That, by the way, is the key to being a good social engineer (to be clear, the good social engineers are not good people). Seem like you belong.

A few months ago I was teaching a course to a group of military personnel from a particular base in the US. They were quite comfortable in their belief that their base was secure, and that nobody could just sneak onto it. While the class was remote, it just so happens that I had taught in the city nearest their base, and I knew where it was. I told them that I would start by making sure I knew the proper military jargon. (I wrote out the tactics I would use to get all of the information that I would need, but I decided not to share them in this article.) The next day I would put on the uniform that I had purchased at the Army Surplus, making sure my boots, cover, and insignia were all correct for a Major in a unit that would fit in on that base. After eight minutes of explaining how I would do it, there was a minute of silence before one of them said ‘You know what? That would probably work!’ He and his buddies gained a lot of respect for the evils of social engineering that afternoon.

The more comfortable you seem, and the more you look like you belong, the less likely people are to challenge you… unless of course they know that they should be challenging anyone they do not know. It is easy for me to hang around outside a building and wait for a group of employees, deep in conversation as they come back from lunch, to walk in… I attach myself to the group without anyone noticing, tailgate my way into the building, and I am already past my first hurdle. If someone does challenge you and asks for your badge, you confidently reach into your pocket, and then say ‘Oh, I must have left it in the car.’ It is a perfectly plausible escape, and unless you are in a high-security policed building they are not going to escort you to your car to confirm it… and unless you have made it past the public area you have likely not even trespassed.

Your employees all have the potential to be human firewalls that can block unauthorized intruders from your company, whether they come in person, over the phone, or by any other method of communication. Just like a technical firewall, they must be trained to know what type of information is allowed to be shared (and with whom). Unlike the technical firewall, a skilled social engineer can usually convince people to do things that are not normally allowed, without checking first. That is not to say that firewalls cannot be hacked, but the skills required are quite different from the ones needed to hack the human.

To stick with the firewall analogy, firewall rules must be written to inspect traffic and block anything that is not authorized (whether that traffic is malicious or not). These rules must be managed, maintained, and periodically adjusted to account for changes to the environment as well as emerging threats. Your on-boarding security awareness training is the human equivalent of setting up those rules, and the periodic training is the management and adjustment. The periodic testing of your employees is the human equivalent of a technical penetration test.

In addition to training your staff, you must ensure that they know there is executive buy-in and support for the program. In one of the examples I cited earlier, an employee received a phone call from someone claiming to be from the office of the CEO. Before the employee releases any information to that person, they should follow the necessary steps to ensure that the caller is who they say they are, and that they are entitled to that information. I have heard of too many cases where an employee tried to do that, and then faced disciplinary action… for doing the right thing and protecting the company. How should this be done? Tell the person on the line that you will need to call them back, and rather than taking a phone number from the caller, confirm that the person is in the corporate directory… and call them back at the number listed there. This has to be done politely, but if the company is serious about IT security then the employee who challenges the caller and confirms their identity should be praised, not chastised.

I am always happy to help companies and students recognize the risks of social engineering, and to develop a comprehensive training plan for their employees that will ensure they have the tools to recognize, thwart, and report social engineering attacks. It is not about scaring your staff into doing the right thing; rather, it is about helping them to understand that, whether or not the word is in their title, security truly is everyone’s business, and that, whether or not they have any corporate loyalty (does anyone anymore?), there are real selfish reasons why we should take every step we can to prevent these types of attacks.

The weakest link in your secure, well-managed infrastructure is almost always going to be people. Hopefully by training them to be aware of the threats of social engineering we can bolster that weakest link, and make your environment more secure.