Ghosts in the machines
How real cyber attacks work and what you should do about them
Following a few weeks when the retail sector has seen cyber attacks hit a range of well-known brands, with Marks and Spencer still trying to sort out the chaos in online ordering, payment processing and customer order management that a ransom-ware attack has caused, it is appropriate for all of us in business to consider how strong our defences are.
This isn’t, however, going to be a post about SQL Injections, Man-in-the-Middle attacks or any other technical wizardry - I’m certainly not the person to write that article. This is, instead, going to be about the biggest weakness your technology has for a potential attacker to exploit - you.
The M&S coverage prompted me to dust off and re-read my copy of the book illustrated at the top. Kevin Mitnick was a very famous hacker and in later life the author of a number of works about cyber-security. The Art of Deception, however, is probably the one we should pay closest attention to, because it describes in detail the hacker’s greatest weapon - social engineering.
What does Mitnick mean by social engineering? He describes a broad variety of ways in which a resourceful villain can use basic human traits to get people to give him or her all sorts of information which can then be used to attack or steal from a business. Those basic human traits include our natural tendency to trust people, our gratitude when someone appears to do us a favour (and our desire to return that favour) and the way we make assumptions based on social cues.
Consider the following sequence of events, which I’ve adapted from the book to be particularly relevant to worried retailers:
Someone in your Woking store gets a call from a customer - who explains they were so delighted with some recent service that they want to write to Head Office to compliment the team. Could they have the name of the manager, and the Woking store’s reference number?
Who wouldn’t be delighted to get that call? They cheerfully explain that the store is number 817 and the manager is Bob Jones
Someone in your IT team gets a call from someone explaining that they are Bob Jones from 817 Woking. ‘Bob’ explains that he has screwed up - he has a new starter sitting in front of him right now and forgot to get system access set up for her - could the team do that for him now, and he’ll pass the details on to her.
Two pieces of social engineering are going on here. Firstly, Bob’s casual use of company terminology makes it easy to assume he is who he says he is. Store reference numbers are hardly a secret, but who would bother to describe themselves as being from 817 Woking except someone really working there, right? Secondly, by explaining that he has screwed up Bob immediately puts the IT worker in a position where he or she can solve the problem - our natural inclination to help kicks in.
I don’t need to continue that chain, you can see where it might go now that the hacker masquerading as Bob has a name, a store number and a login to the company’s systems.
In reality, social engineering will be a longer and more complex process than that, but the underlying basics - learn some company terminology, get good at pretending to be an insider, use information gleaning from one call to enable the next - are common tactics.
And all of this telephone-call based social engineering is just one of a range of tactics a potential attacker can use.
Email, for example, is a well-known weak spot because a well-crafted email can look like it is from a reputable source but contain disguised links to sites that can make your business vulnerable. That might include links that install secret programs on the unsuspecting recipient’s computer allowing hackers access. Or it might include links to sites that look exactly like something the user would expect to see, encouraging them to enter their username and password, which the hacker will store and use later.
Even more astonishing, however, is how easy it is for a skilful social engineer to simply walk into one of your offices and start working on your technology directly. I’ve seen several businesses over the years hire security consultants to see if they could get unauthorised access to one or more sensitive buildings and I’ve never seen them fail. One such consultant submitted as his final report a picture of himself eating in the staff canteen with a load of new friends he had made!
So the reality, especially for a retail business with hundreds of stores, thousands of colleagues spread across the country, a set of warehouses and one or more head offices, is that you are vulnerable to social engineering attacks from a range of directions.
So what can you do? The good news is that there are established ways of trying to ‘harden’ your business to these attacks. Apart from the actual IT investments you can make in securing your systems, most of the defences against social engineering attacks are about processes and training. Are your teams trained to assume that no call is internal unless they have checked? Do you enforce the wearing of company ID on site? Do you run regular practice drills on spoof emails by sending them out yourself and explaining to anyone who falls for them what they should look out for in future?
As these last few weeks have shown, a little investment in this kind of training could deliver a very high return indeed!