There is a scene in the movie Matchstick Men where the main character, played by Nicolas Cage, has this exchange with actress, Alison Lohman:
Lohman: You don't seem like a bad guy.
Cage: That's what makes me good at it.
The conversation captures a fundamental truth of all con games, whether they are played in the digital world or the physical one -- getting someone to lower their guard with a clever ruse makes the life of a thief that much easier. In the vernacular of hackers, this is called social engineering.
Social engineering is about hacking the human mind, something that in many ways is significantly easier than finding a new software vulnerability and using it as a gateway into your enterprise. These vulnerabilities, called zero-days, can cost tens of thousands of dollars in the hacker underground -- money that can be saved if someone can be conned into installing a computer virus on their own machine.
After all, there is no need to go through the effort of picking a lock when you can talk someone into letting you into their home.
But just what makes for a good social engineering attack? The key is the lure, which can vary from an attention-grabbing post on Facebook about a celebrity, to emails with subject lines about your company's business. One of the most publicized attacks of the past year was the attack on RSA, which started with an employee opening up an email entitled "2011 Recruitment Plan."
When the employee opened the accompanying attachment, the person set off a change of events that led to data being compromised. While hacking a system requires knowledge of programming vulnerabilities, hacking the human mind requires a different kind of knowledge -- specifically, what types of emails or links is the victim most likely to click on.
One way to get hold of that information is to target people according to their jobs and interests, and there is perhaps no greater source of data on those subjects than social networks. A cruise through a LinkedIn profile can reveal a person's work history and position; a gander at Facebook accounts can uncover their friends and hobbies. While social networks have done a lot in the past few years to bolster their privacy controls, many users may not use them or may inadvertently render them ineffective by 'friending' someone they do not really know. Research has shown the average fake profile on Facebook has an average of 726 friends -- more than five times as many as a typical user of the site.
Hacking the human mind also takes other forms as well. For example, search engine optimization (SEO) is a favorite technique of hackers. The idea behind SEO is to increase the ranking of your website on search engines such as Google. In the right hands, this is perfectly legitimate; in the wrong ones, it increases the likelihood people will land on a malicious site. There are also techniques that are far less technical, such as an old-fashioned telephone conversation that gets someone to let their guard down.
Just recently, we sponsored a study by Dimensional Research that revealed that 43 per cent of the 853 IT professionals around the globe surveyed said they had been targeted by social engineering schemes. The survey also found that new employees are the most susceptible to attacks, with 60 per cent citing recent hires as being at "high risk" for social engineering.
Unfortunately, training does not seem to be keeping up with the threats, as just 26 per cent of respondents do ongoing training and 34 per cent said they make no attempts to educate employees at all. The good news is the tides are changing and more businesses are raising awareness about security threats -- and what social engineering techniques employees may be susceptible to.
Education is a key element of defending against attacks, but the process begins with having sound policies for protecting data. This includes controlling who has access to what information, and setting policies that are enforceable and conducive to business operations. From there, employees should be educated on what the policies are and then tested on them.
Key to this is sharing information about the attacks that are detected so employees can better understand how they are being targeted. Often, a good dose of caution can go a long way -- if an unexpected email arrives asking for private information, follow up with the purported sender to make sure it is legitimate.
Buttressing all this should be networks and endpoints protected by best practices and the latest security fixes, but at its heart, fighting hacks against the human mind requires attitudinal changes more than technological weapons.
If there is antivirus for the human mind, it has to be updated with knowledge of corporate policies and an understanding of how attackers are targeting their victims. Incorporating that information into a training program can be the difference between a data breach and a quiet night at the office.