Social Engineering: The biggest IT security threat doesn’t come from technology

It’s called social engineering. It’s simple but efficient, and it requires no specialist tech knowledge: You just make up a credible cover story, send an email and sit back and hope the recipient is careless enough to give you the requested confidential information. It works. Data Respons subsidiary, MicroDoc, has once again proven it on behalf of their clients.

  • Published: 27. September 2022
  • Company: MicroDoc
Daily routine at the office

According to MicroDoc managing director Dr. Christian Kuka, the most serious security threat doesn’t originate from technology. It’s the people using it. Criminals take advantage of the fact that many employees have a rather careless attitude towards IT security, relying on IT administrators to handle it.

This attitude means they are easy prey for criminals using the simplest of methods to extract confidential information from them.

Christian Kuka knows, because Data Respons subsidiary MicroDoc has done it on behalf of client companies to help them find security vulnerabilities and assist them in their efforts to raise awareness among employees of the daily threats they’re facing:

  • We registered a new domain that sounded very similar to the original domain of the user, and used it to contact employees via email, posing as the company’s CEO. We invented a story and created some documents that made it plausible for the CEO to request confidential information from employees. And it worked.
  • If only one employee does what our fake CEO requires, that single person is enough to get access.

A simple email is enough

Most people think cyber threats are about shady Russian networks, malware, and viruses. But according to Christian Kuka, a simple email is enough. He believes that social engineering is a bigger danger to companies than malware and other technology-based threats. Network administrators can solve most technical issues, provided they are given enough resources to stay ahead of the publicly announced vulnerabilities. However, social engineering is everybody’s problem, but not all companies – and certainly not all employees – take it as seriously as they should.

According to Christian, the bigger companies grow, the more vulnerable they become. In smaller companies, everybody knows each other and they frequently meet in person, which makes it much harder for an attacker to succeed with, for instance, email fraud.

Regulations and red tape

That’s not the case in large companies, and adding to the problem is the fact that large entities need strict processes and regulations to function. Getting things done can therefore seem to involve a lot of red tape, and employees often look for workarounds to avoid the hassle. So it might not be that unusual to receive an email from somebody in another department whom you’ve never met in person, asking you for help. And obviously, that help will include sending him or her your confidential information.

  • We’ve done this kind of social engineering test for several companies. It’s important to note that we only use publicly available information. There is so much information out there on company websites, LinkedIn, or Facebook. You can easily collect enough facts to create the illusion that the emails you’re sending come from people inside the company.
  • Afterwards we go back to the customer with the result and reach out to the employees to teach them how to deal with this kind of threat.
  • We make them more aware of their personal responsibility for the overall security posture of the company. For instance, we tell them that if they receive an email that seems suspicious, the simplest and most effective thing to do is to pick up the phone and call the people involved directly.

Christian Kuka admits that security is annoying: complex passwords for the operating system, multi-factor authentication with additional devices, and expiring accounts that need to be renewed. It always is, because security means adding extra steps to ensure reliable authentication and authorization. And again, the bigger the company, the more hassle, because following the Principle of Least Privilege, employees should only have the access they need to do their job. However, in many cases ‘their job’ is not clearly defined and access restrictions end up too tight. It’s a question of finding the right balance. Furthermore, management must focus on educating the company’s employees properly, so that they understand the reasons behind the extra security measures, and must also regularly question whether those measures are still useful.

Tech is important too

Although Christian Kuka states that people are more important than technology in building cyber resilience, tech can support the fight in many ways. For instance, you can set up a company’s email system so it automatically marks outside messages, which then should be examined extra carefully by their recipients. And not least, you must think differently about your digital infrastructure than before.
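The two controls the article mentions, tagging messages from outside the company and spotting a sender domain that merely resembles the company’s own (the trick used in the CEO test described above), can be implemented as a small mail-processing check. The following is an added illustration, not MicroDoc’s code or part of the original article; the corporate domain, the sample messages and the edit distance threshold are constructed assumptions.

```python
# Added example (not from the article or MicroDoc): tag external senders
# and flag lookalike domains in incoming mail.
from email import message_from_string
from email.utils import parseaddr

# Assumption: the company's real mail domain (placeholder value).
CORPORATE_DOMAIN = "example-corp.com"

# Constructed sample messages: one genuine internal mail, one from a
# lookalike domain (digit 1 in place of the letter l), one ordinary
# external sender, and one that embeds the corporate domain as a prefix.
SAMPLE_MESSAGES = [
    "From: CEO <ceo@example-corp.com>\nSubject: Q3 figures\n\nPlease send the numbers.\n",
    "From: CEO <ceo@examp1e-corp.com>\nSubject: Urgent: payroll export\n\nSend the payroll file today.\n",
    "From: Supplier <billing@supplier-example.net>\nSubject: Invoice\n\nAttached.\n",
    "From: IT <helpdesk@example-corp.com.mail-example.net>\nSubject: Password reset\n\nClick the link.\n",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def sender_domain(raw_message: str) -> str:
    """Return the lower-cased domain part of the From: address."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def classify(raw_message: str, corporate_domain: str = CORPORATE_DOMAIN,
             max_distance: int = 2) -> str:
    """Return 'internal', 'lookalike' or 'external' for a message.

    A domain is a lookalike if it is within max_distance edits of the
    corporate domain, or if it contains the corporate domain as a label
    (e.g. example-corp.com.mail-example.net).
    """
    domain = sender_domain(raw_message)
    if domain == corporate_domain:
        return "internal"
    if levenshtein(domain, corporate_domain) <= max_distance:
        return "lookalike"
    if corporate_domain in domain:
        return "lookalike"
    return "external"


def tag_subject(raw_message: str) -> str:
    """Prepend [EXTERNAL] or [LOOKALIKE] to the subject of non-internal mail."""
    verdict = classify(raw_message)
    if verdict == "internal":
        return raw_message
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    tagged = f"[{verdict.upper()}] {subject}".rstrip()
    if "Subject" in msg:
        msg.replace_header("Subject", tagged)
    else:
        msg["Subject"] = tagged
    return msg.as_string()


if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        print(f"{sender_domain(raw):40s} -> {classify(raw)}")
```

In a real deployment the same check would sit in the mail gateway or a milter, the edit distance threshold would be tuned to the length of the company’s domain, and a lookalike verdict is a reason to quarantine rather than merely tag, since the article’s point is that a recipient will otherwise act on a plausible request.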

  • In the past, administrators tried to build a secure network infrastructure inside the company, protected by external firewalls. Once you were inside, access to one machine significantly improved your chances of getting access to other internal machines, i.e., by manipulating file shares.
  • Today, the idea of a secure company network should be obsolete. Now, we must think of every single computer as directly connected to the internet. That means that people inside the company should be subject to the same monitoring and authentication procedures as people from outside. As soon as we think that a service should not be facing the public internet, we should immediately consider whether the service itself is the right choice for the given requirements, rather than thinking about how to hide the service in a company network.

Double protection

Every part of a company’s digital infrastructure should be protected against internal machines in the same way it’s protected against outside machines, according to Christian Kuka. And you should divide your infrastructure into compartments, so that a security breach can only affect part of your operations. It would also make good sense to use different kinds of operating systems and different kinds of services that fulfil the same purpose. In case of an attack, only a part of your business is compromised, and you can switch to an auxiliary system.

This approach has obvious drawbacks, making life harder for employees. But as mentioned earlier, security is annoying. No way around it. But it is accepted by employees if they know the reason behind it.

As MicroDoc is mainly a software technology company, specializing in complex software solutions for automotive, energy, and finance, social engineering prevention and awareness constitutes only a minor part of its portfolio. However, Christian Kuka is looking for more assignments in that domain, because to him it is an important but underrated part of cyber threat mitigation. In his opinion, many companies are not giving it the attention it requires, making themselves vulnerable to attacks. Christian Kuka says:

  • We work a lot with the technology part of cyber security. But the social engineering part is even more important, although many companies still think it’s unnecessary to raise their employees’ awareness in that area. They believe too much in technical solutions. There is a false impression, I think, that technology can solve the problem, but that’s not the case. It’s the people, not the technology.
