‘White Hat Defense’ CEO and popular podcaster Chris Hadnagy speaks at RSA Conference on how the bad side of social engineering may affect your company.
Here today I will talk to you about human hacking exposed – 6 preventative tips that can save your company. A little bit about me. My name is Chris Hadnagy, I am known online as loganWHD. I am a professional social engineer – that means that what I do for work is companies hire me to find the vulnerabilities and weaknesses within their people networks, either through on-site visits, phishing, web, email, and things like that. I have written a book called “Social Engineering: The Art of Human Hacking”, as well as the podcast, and the framework, and other things that you can find out online about me.
But today the topic of social engineering is a very important topic, in my opinion of course, I am a little biased. Before we can even talk about it, we need to define what social engineering is. I’d define it as any act that influences a person to take an action that may or may not be in their best interest. That’s a very broad and general definition, I know it, but the reason I define it that way is because I don’t always think that social engineering is negative. Your parents, your spouse, your teachers, your priest, your counselor – all of them use aspects of persuasion or influence to get you to take an action that is for your best interest, but those same influence principles, those same persuasion principles and manipulation tactics are used by the bad guys, and that is the type of social engineering that we are talking about today.

The reason this kind of a topic is so important is because the last year (2011) was labeled the year of the hack, and this is just a small sampling of the companies that fell victim to hacktivists and hacking attacks last year (see image). And one interesting part about each one of these attacks was in an interview from a member of Anonymous, her nickname was SparkyBlaze; she said in an interview with Network World: “In my mind, social engineering is the biggest issue today”. Now, why did she say that? In the rest of the interview, she went on to say that in every attack on these companies they used some form of social engineering to gain access to the networks. So this is a very timely topic, it is a topic that we really need to discuss – how we can prevent ourselves and our companies, even down to our family level and our personal level, from becoming a victim.

Why else should we care? Here is a website, Apwg.org – it is an anti-phishing working group that does a report each year, talking about how phishing is affecting the markets.
During the first quarter of 2011, you can see how the financial and payment services markets were hit heavily by phishing attacks (see chart). And if you can take a look there at the chart, you can see that almost every sector that we would be a part of was hit by phishing attacks.
This kind of calls to mind a report I read about the IRS¹. It was two or three years ago, the IRS submitted themselves to a social engineering pen test. This was a legal, hired-for pen test, and in that pen test 60% of the folks that were tested from the IRS fell for this very simple social engineering test. I will demonstrate it for you: “Hello, this is Paul, I am calling from the Help Desk. We are doing a password upgrade due to the new security policies, and I would like you to type in a new password that I am going to give you. Do you know how to do that? Okay, open up the password box and type in 1234password, click OK, and now you are secure”. 60% of the people who were asked to do that at the IRS actually fell victim and did that. If this was an actual malicious attack, you can imagine the devastation it would have caused, many of us being taxpayers and them having our information.
The former vice-president of threat research from McAfee said: “I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised, or will be soon”. I actually subscribe to this belief, even though it’s a very bold statement, especially seeing what’s been happening in 2011 and continuing on into this year, the amount of organizations and companies that have fallen victim to hacking attacks, many of them involving social engineering.
¹ IRS (Internal Revenue Service) is the revenue service of the United States federal government. The IRS is responsible for collecting taxes and the interpretation and enforcement of the Internal Revenue Code.