Everything You Need to Know About Social Engineering
Published 10/20/2022
Originally published by BARR Advisory here.
Written by Claire McKenna, BARR Advisory.
Uber is the latest prominent company to have a security breach as a result of social engineering. They’re not alone—just this year, Microsoft, Okta, and Cisco have all had security incidents due to social engineering. According to a threat report from cybersecurity company ZeroFox, social engineering has been a frequently reported intrusion tactic so far in 2022, and this trend is likely to continue.
To find out more about what social engineering is, how it works, and how companies can prevent it, we sat down with Senior CISO Consultant Larry Kinkaid.
“Social engineering is the use of deception to manipulate individuals into divulging confidential or personal information,” Kinkaid explained. “It has been around before computers, but in today’s world, the tools and schemes are much more savvy than they used to be.”
Security Breach at Uber
There has been a lot of information swirling around the recent Uber breach. While the complete picture has yet to emerge, Kinkaid explained a few details of what we know so far.
According to Kinkaid, “the most interesting part of the incident is what is referred to as a multi-factor authentication (MFA) fatigue attack.” In this case, the end user received repeated push notifications to approve a login to the VPN, each one generated by a login attempt using the user’s credentials, and the hacker reached out over WhatsApp claiming to be from Uber IT. The hacker told the end user to accept the push prompt in order for the notifications to stop. Once the hacker had access to the VPN, they scanned the company’s network and found admin usernames and passwords in plaintext in scripts for the privileged account management system. From there, the hacker was able to pivot into Uber’s internal systems.
“The biggest takeaway here is that there are so many ways to compromise credentials, which is why MFA is so important,” Kinkaid said. “MFA isn’t a ‘set it and forget it’ control. The way MFA is implemented is becoming more and more important,” he elaborated.
“Shaming Uber, their security team, or even the end-user isn’t the right play here. It can happen to anyone, and the most important thing is that we all learn from this,” Kinkaid concluded.
Preventing Social Engineering
Kinkaid provided a few tips on how organizations can work to prevent social engineering:
- Develop robust security training. While it can often feel like a check-the-box exercise, security training needs to be embraced as part of the company culture to be taken seriously.
- Enable MFA on all accounts. MFA is the best way to prevent a hacker from using compromised credentials to access an account. According to Kinkaid, we are almost to a point where SMS verification is obsolete; organizations should opt for true authenticator apps, or configure push notifications to limit MFA fatigue. There should be a limit on the number of MFA pushes that can be sent, which would have potentially prevented the Uber breach.
- Conduct phishing exercises. Kinkaid recommends taking turns with easy and hard phishing templates to gauge where you are as an organization. These tend to resonate with users.
- Build a transparent security culture. People are the center of security. When everyone in the organization understands what’s being protected in the first place, how certain behaviors can lead to compromised security, and who to go to should they have any issues or questions, a culture of security can thrive.
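The fatigue pattern described in the Uber section and the “limit the number of pushes” tip above are both straightforward to implement on the authentication server and in log review. The following is an added example, not code from the article or from BARR Advisory: it throttles push challenges per user per window and flags, in an auth log, a burst of denied or timed-out pushes followed by an approval. The log line format, field names, and policy values (three pushes per ten minutes) are assumptions for illustration, and the log lines are constructed.

```python
"""
Added example (not from the article): server-side controls against push-MFA
fatigue. Log format, field names and policy values are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy: at most 3 push challenges per user in any 10-minute window.
MAX_PUSHES_PER_WINDOW = 3
WINDOW = timedelta(minutes=10)


class PushThrottle:
    """Decide whether a new push challenge may be sent to a user.

    Once a user has received MAX_PUSHES_PER_WINDOW pushes inside WINDOW, the
    account is locked for push MFA until reset(): the attacker can no longer
    keep prompting the phone, so there is nothing to "accept to make it stop".
    """

    def __init__(self, limit=MAX_PUSHES_PER_WINDOW, window=WINDOW):
        self.limit = limit
        self.window = window
        self._sent = defaultdict(deque)  # user -> timestamps of recent pushes
        self.locked = set()

    def allow_push(self, user, now):
        q = self._sent[user]
        while q and now - q[0] > self.window:   # drop pushes outside the window
            q.popleft()
        if user in self.locked or len(q) >= self.limit:
            self.locked.add(user)               # stop sending; require out-of-band review
            return False
        q.append(now)
        return True

    def reset(self, user):
        """Clear the lock after the user is verified by a trusted channel."""
        self.locked.discard(user)
        self._sent[user].clear()


@dataclass
class PushEvent:
    ts: datetime
    user: str
    result: str  # "approved", "denied" or "timeout"


def parse_log(lines):
    """Parse constructed lines of the form '<iso-ts> user=<u> push=<result>'."""
    events = []
    for line in lines:
        ts_str, user_field, result_field = line.split()
        events.append(PushEvent(datetime.fromisoformat(ts_str),
                                user_field.split("=", 1)[1],
                                result_field.split("=", 1)[1]))
    return events


def detect_fatigue(events, window=WINDOW, min_unanswered=3):
    """Flag users whose approval followed >= min_unanswered denied/timed-out
    pushes inside `window`: the signature of a fatigue attack that succeeded."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)
    flagged = {}
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e.result != "approved":
                continue
            prior = [p for p in evs[:i]
                     if e.ts - p.ts <= window and p.result in ("denied", "timeout")]
            if len(prior) >= min_unanswered:
                flagged[user] = {"approved_at": e.ts.isoformat(),
                                 "unanswered_before": len(prior)}
                break
    return flagged


def simulate_throttle(events, throttle=None):
    """Replay the log through the throttle and return the (user, timestamp)
    pairs of pushes that would have been blocked before reaching the phone."""
    throttle = throttle or PushThrottle()
    blocked = []
    for e in sorted(events, key=lambda e: e.ts):
        if not throttle.allow_push(e.user, e.ts):
            blocked.append((e.user, e.ts.isoformat()))
    return blocked


# Constructed sample log: alice is being bombarded and finally approves;
# bob is a normal login; carol denied one push half an hour before logging in.
SAMPLE_LOG = [
    "2022-09-15T22:01:10 user=alice push=timeout",
    "2022-09-15T22:02:05 user=alice push=denied",
    "2022-09-15T22:03:40 user=alice push=timeout",
    "2022-09-15T22:04:12 user=alice push=timeout",
    "2022-09-15T22:09:30 user=alice push=approved",
    "2022-09-15T22:05:00 user=bob push=approved",
    "2022-09-15T21:00:00 user=carol push=denied",
    "2022-09-15T21:30:00 user=carol push=approved",
]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("fatigue detected:", detect_fatigue(evs))
    print("pushes the throttle would have blocked:", simulate_throttle(evs))
```

Run on the sample log, the detector flags only alice (four unanswered pushes before the approval at 22:09:30), while the throttle shows that with a three-per-window limit the fourth push and the one she eventually accepted would never have been sent. Number matching (the user types a code shown on the login screen) is the complementary control: it leaves nothing to approve blindly, which is what the "true authenticators" advice above points at.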
“Lastly, layer the onion! While the human element is significant, we should always look for more ways to layer our defenses, both preventative and detective,” Kinkaid elaborated.
“We have to expect that social engineering will continue to get more and more clever, preying upon the human element,” said Kinkaid. “That’s why security awareness training, phishing exercises, and your overall security culture are paramount.”