It’s been a short while since I’ve last posted. Life has been fairly busy, but I’m excited to say that I’ve begun work on my capstone project to finish out my BS in Information Technology. I’m definitely grateful to be on the home stretch and nearly finished with the degree program, but I’m also really excited about this new project I’m taking on.
I recently finished reading Christopher Hadnagy’s book Social Engineering: The Science of Human Hacking. If you haven’t had a chance to read this and you find this kind of thing interesting, I highly recommend giving it a go. Social Engineering has always interested me, but this book really opened my eyes to the intricacies of the profession and showed me that it really is more of a science than an art. Reading about the different ways that Hadnagy succeeded and failed in various social engineering penetration tests, and subsequently how he learned from these experiences, got me thinking about how important education is to any security system. You can set up as many security checkpoints, key-card systems, network firewalls, and anti-virus software packages as you can get your hands on — but if one employee doesn’t know any better than to let a stranger into a back door, much of that may as well have been for nothing.
Now, you might think “I would never let a stranger into the back door of my workplace, especially not into a secured facility,” and maybe you wouldn’t. The problem is that this type of situation is usually far more complex. Social engineers train to prey on human emotion. So sure, if a man in basketball shorts went up to the back door of your business-casual office and asked for unauthorized entry, you probably wouldn’t allow this person in. However, if a pregnant woman with an arm full of papers and documents, professionally dressed and noticeably in a rush, shouted out to you, “Hold the door please!” what do you honestly think your response would be? The correct answer would be to tell her to walk around the building to the front and badge in like everyone else, but you would likely feel quite rude doing so, especially if it turned out that she was a legitimate employee in a rush. I know I myself would have a hard time turning this woman down; it’s human nature to want to at least lend small courtesies like this to people in need.
This is why education is so crucial, and this education must be three-dimensional. This is a problem that must be trained from all angles, because adversaries will not just be thinking of linear, two-dimensional ways to gain unauthorized access. It is just as important to teach employees not to let people into a facility without badging in as it is to teach them never to enter a building without badging in. These two notions sound quite similar, but the distinction here is important. If you only train employees not to allow access to individuals without badging in, you may still have employees approach a less secure entryway and ask someone who’s heading inside to allow them access. This then puts social pressure on the person with legitimate access to allow the other in, even if they know it’s the wrong thing to do.
Alternatively, if you train employees never to attempt access without badging in, but simply to report to a security desk if they have lost/forgotten their badge, you remove the social pressure from the situation. Now if someone approaches a secure entryway and requests unauthorized access, the employee with legitimate access knows that this is not standard protocol for employees who have misplaced or forgotten an entry badge. You’ve established a culture where it is more socially acceptable to turn someone away. You’ve given employees an option to direct a potential malicious actor toward a front desk rather than simply turning them away. Furthermore, the act of approaching a door to try to tailgate behind someone has become a foreign occurrence because this situation has been trained from multiple angles and legitimate employees are less likely to attempt this mode of entry. Now the act of approaching a door without proper access credentials looks out of place and is more likely to be reported.
Effective training in the dangers of social engineering attacks can help to patch the vulnerability of being human. No one will ever be truly invulnerable to manipulation attempts and social engineering attacks, but we all can become better at identifying them and stopping them in their tracks. I’m sure you’ve probably heard this before, but there’s a lot of truth to the mantra that security is everyone’s job, not just that of the security professional. The problem is that we don’t always do the best job at filling everyone in on this truth, and maybe more importantly, the why behind it. People are more likely to care about something if they have an idea why they should be caring about it. It’s not enough to simply tell employees that they must be security conscious; you also have to tell them why they must be security conscious. Explaining the risks of falling prey to a social engineering attack will likely gain a lot more buy-in than the “do what I say because I said it” approach.
All this is to say that I find security education extremely important, and that is why I have decided to take it on as a capstone project to conclude my bachelor’s degree. In this post I’ve talked a lot about security training within the scope of the workplace, but my project will approach this subject from a different vector. My goal in this project is to create a user-friendly website that will serve as an information hub on the dangers of scams. This will include information on phishing email attacks, vishing or phone-based scams, smishing or SMS text-based scams, and general social engineering techniques to be aware of.
As we have become more connected as a society, scamming has become a more lucrative business. Every day innocent people are scammed out of their hard-earned money by being tricked into thinking that giving this money to the person over the phone or in an email is the right thing to do. Unfortunately, these types of scams are likely here to stay. The best hope we have as a society to thwart these kinds of attacks is to educate the public on identifying, stopping, and reporting them. I am hoping to build a website that will help the general public learn how to do just this.
In addition to a website, I’ll be developing and publishing handouts that can be printed and given to elderly friends and family members who may not spend as much time on the internet so that this information may reach them as well. I feel that this is an extremely important piece of this project as the elderly (due to their stereotypical lack of knowledge of computers) are one of the most targeted demographics for these attacks. In fact, there is a specific “robocall” circulating at the time of this post that asks the victim to press one if they are over the age of 65, and hangs up automatically if nothing is pressed.
Lastly, I will be building a simple but hopefully user-friendly and effective program to sift through emails and notify users when an email is likely a phishing attempt. I understand that this type of tool exists and is already implemented in many email and webmail systems, but I still see benefits to writing a program like this myself. For starters, it will help me continue to hone my programming skills and educate myself more on how tools like this work. Additionally, it will be strictly open-source, and I feel that if even one person benefits from this tool and decides not to click on a malicious link because of it, the program will have done its job.
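To show the kind of heuristics a program like the one described above might apply, here is an added example (not code from the author's project) that parses a raw email with Python's standard library and scores a few classic phishing tells: a Reply-To domain that differs from the From domain, link text that shows one host while the href points at another, links to a raw IP address, and urgency language. The indicator weights, the threshold of 4, the phrase list and both sample messages are constructed assumptions for this illustration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phrase list and threshold; a real tool would tune these from observed mail.
URGENCY_PHRASES = ("urgent", "immediately", "verify your account", "suspended", "act now")
PHISHING_THRESHOLD = 4


class _LinkExtractor(HTMLParser):
    """Collect (anchor_text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _addr_domain(header_value):
    """Lowercased domain of the first address in a From/Reply-To header, or None."""
    match = re.search(r"@([\w.-]+)", header_value or "")
    return match.group(1).lower() if match else None


def _url_host(text):
    """Lowercased hostname of a URL; a bare 'www.example.com/x' is accepted too."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower() or None


def _looks_like_url(text):
    return bool(re.match(r"^(https?://|www\.)", text.strip(), re.I))


def score_message(raw_message):
    """Score one RFC 5322 message; returns score, the reasons found, and a verdict."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    score, reasons = 0, []

    # Indicator 1: replies are routed to a different domain than the visible sender.
    from_domain = _addr_domain(msg["From"])
    reply_domain = _addr_domain(msg["Reply-To"])
    if reply_domain and from_domain and reply_domain != from_domain:
        score += 2
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        parser = _LinkExtractor()
        parser.feed(content)
        for anchor_text, href in parser.links:
            href_host = _url_host(href)
            if href_host is None:
                continue
            # Indicator 2: the link target is a bare IPv4 address rather than a name.
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", href_host):
                score += 2
                reasons.append(f"link points at a raw IP address: {href_host}")
            # Indicator 3: the text the reader sees names a different host than the href.
            if _looks_like_url(anchor_text) and _url_host(anchor_text) != href_host:
                score += 3
                reasons.append(f"link text shows {_url_host(anchor_text)} but goes to {href_host}")

    # Indicator 4: pressure language in the subject or body, capped so it cannot dominate.
    haystack = f"{msg['Subject'] or ''}\n{content}".lower()
    hits = [phrase for phrase in URGENCY_PHRASES if phrase in haystack]
    if hits:
        score += min(len(hits), 2)
        reasons.append("urgency language: " + ", ".join(hits))

    return {"score": score, "reasons": reasons, "likely_phishing": score >= PHISHING_THRESHOLD}


# Constructed sample messages (example.* and 203.0.113.0/24 are reserved documentation ranges).
PHISHING_SAMPLE = "\n".join([
    'From: "Account Services" <security@examp1e-bank.com>',
    "Reply-To: collect@mail-drop.example.net",
    "To: victim@example.com",
    "Subject: URGENT: your account has been suspended",
    "Content-Type: text/html",
    "",
    "<html><body><p>Please verify your account immediately.</p>",
    '<p><a href="http://203.0.113.7/login">https://www.example-bank.com/login</a></p>',
    "</body></html>",
])

BENIGN_SAMPLE = "\n".join([
    'From: "Alice" <alice@example.org>',
    "To: bob@example.org",
    "Subject: Lunch tomorrow?",
    "Content-Type: text/plain",
    "",
    "Want to grab lunch at noon? Menu: https://cafe.example.org/menu",
])

if __name__ == "__main__":
    for label, sample in (("phishing sample", PHISHING_SAMPLE), ("benign sample", BENIGN_SAMPLE)):
        result = score_message(sample)
        print(f"{label}: score={result['score']} likely_phishing={result['likely_phishing']}")
        for reason in result["reasons"]:
            print("  -", reason)
```

The verdict is deliberately a weighted sum with a list of human-readable reasons rather than a bare yes/no, because a notification that explains what looked wrong ("the link says one site but goes to another") teaches the recipient something they can reuse on the next message, which is the educational point of the project.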
Anyway, like I said, I’m very excited to get started on this project and publish something that will hopefully make the world a little bit safer for those who use it. I think this stuff is super interesting, and if you do too please check out Chris Hadnagy’s book Social Engineering: The Science of Human Hacking. I promise you won’t regret it. Thanks again for stopping by!
-Kyle