Yehia Mamdouh knows a thing or two about penetration testing, social engineering, and physical assessments. Better said, he knows a lot. In his 8+ years of experience, he’s seen it all: the bad, the ugly and the unexpected. So, needless to say, there’s a lot we can learn from him!
Just like software, the human mind is not exactly secure by design, so, as we often see, its vulnerabilities are not left unexploited.
We talked to Yehia about some of the aspects of cyber security related to human nature and this is what came out of it. As infosec aficionados, we’re more than familiar with social engineering. But how does the regular internet user see this concept?
Yehia says that he sees “regular internet users’ limited social engineering knowledge at work only against phishing emails and vishing”. “But they have a lack of awareness of other social engineering attacks and techniques. This happens because of the popularity of attacks that target companies through phishing emails and also because almost every regular internet user receives that email offering him/her millions of dollars!
Even so, their knowledge about phishing emails and scams is very limited. If they receive any suspicious emails (asking for information, shortened links, etc.), they can tell that they may actually be malicious emails. But in the real world, if a skilled criminal attacks, he/she will send a very convincing phishing email. Many regular users don’t see that social engineering targets human behavior first, which consists of many psychological aspects. Yes, younger generations are more aware of this threat because attacks have increased to such massive proportions, especially in the past 5 years. But only in the past few years has the media started to pay attention, making this top news. Additionally, new social engineering techniques have appeared recently, which prompts the younger generations to be more aware than older ones.”
If you’d list the human mind in CVE details, chances are the table would have a few rows. “There are many leverage points that make most people fall for social engineering scams, like official emails that appear to be work-related, with subject lines such as ‘Invoice attached’, ‘Check the attached file’, ‘New Company Policy’, etc. People do not verify where the email came from, and this is especially true when employees deal with other vendors or clients.” Plus, the recently developed habit of oversharing is not really helping anyone. “What’s more, surfing social media accounts at work means less work for scammers. It’s much easier to target one employee through one post instead of sending a hundred emails!
People still cannot resist free stuff.
One example is when an employee receives an email about free match tickets or free food coupons. Social engineering scammers trigger many emotions, such as gullibility, greed, thoughtlessness, apathy, fear. These are some of the most impactful ones that many people have in common.” The theory is easy to discuss, but practicing what we preach is the real challenge, emphasizes Yehia.
“When you are aware of social engineering as a threat, it means that you’re aware of how social engineering can be used to leak information or to break into your organizations. You also likely know what kind of emotions they are targeting, you know there is something called phishing or vishing, etc. But to be able to spot and stop a social engineering attack is a different thing, because it takes more than knowing how to tell the difference between a real call and vishing, how to identify a malicious email and so on. It requires implementing a strong policy inside the organization that can prevent social engineering attacks, because, in the end, criminals are getting smarter and more creative every day.”
If you’ve ever been involved in penetration testing and tested social engineering attacks as part of it, you probably know how surprised people are when they find out they’ve been hacked. Yehia mentions how incredulous people get when they find out they’ve been duped.
“The thing they’re most surprised about is that they have been deceived. Even the people who have a little bit of awareness about social engineering are surprised about the legitimate scenarios used and about the impact of social engineering attacks on the organization.” So how does a company’s culture impact its resilience against social engineering attacks? Yehia gets practical: “Company culture has, of course, an effect on its resilience against social engineering. Imagine a junior employee joins a company and, of course, he/she wants to keep his/her job. The junior receives an email or a text message from his manager asking him to open an invoice or click on the link immediately for an urgent business meeting, but the message does not come from his email. Most probably, the junior will click on that. We also see many companies whose culture allows employees to openly communicate using social media networks, without mapping those communications. Many companies also do not allow their employees to know about any cyber incidents or attacks attempted against their organization.
There are many triggers that will be very effective in spotting social engineering attacks early on, like having a social engineering policy.
Very few companies have a policy against social engineering attacks. Security awareness must also be taught face to face, not only through emails or reminders. Companies must educate their employees that security is not only the role of the IT department, that it’s everyone’s responsibility.” But how good do you have to get as a cybersecurity specialist in order to effectively counteract this type of attack? “I cannot say all cyber security specialists have complete mastery over the psychological tactics used in cyber-attacks. Yes, they have the knowledge, and that’s because psychological tactics are part of their studies and because education can be improved through experience. But achieving mastery of the psychological tactics used in cyber-attacks requires a lot of study of psychology and sociology. But remember: when we say the human mind has vulnerabilities by default, we mean that all humans have them, including security specialists themselves. It’s just going to be much harder to attack someone who works in the security field.”
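The two checks Yehia keeps coming back to, verify where a message actually came from and distrust a familiar name that arrives from an unfamiliar address or with a pressing work-related subject, written out as an added Python example for this post (not Yehia's or DefCamp's code). The company domain, the staff directory and the sample messages are constructed for the example.

```python
from email.utils import parseaddr

# Constructed values for this example: the organisation's own mail domain and a
# small staff directory mapping a display name to that person's real address.
COMPANY_DOMAIN = "acme-corp.example"
DIRECTORY = {"dana popescu": "dana.popescu@acme-corp.example"}
# The lure subjects quoted in the interview, plus the urgency words from the
# "open this invoice immediately, urgent meeting" scenario.
LURE_SUBJECTS = ("invoice attached", "check the attached file", "new company policy")
URGENCY_WORDS = ("immediately", "urgent", "asap")

def screen_message(headers):
    """Return the reasons (possibly none) a message deserves a second look
    before anyone acts on its request. `headers` maps header name -> value."""
    reasons = []
    name, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    subject = headers.get("Subject", "").lower()

    # 1. A colleague's name on an address that is not that colleague's:
    #    the "message from the manager that does not come from his email".
    expected = DIRECTORY.get(name.strip().lower())
    if expected and addr != expected:
        reasons.append(f"'{name}' is internal but the address is {addr}")
    # 2. A domain that merely resembles the company's (lookalike registration).
    if domain and domain != COMPANY_DOMAIN and COMPANY_DOMAIN.split(".")[0] in domain:
        reasons.append(f"domain {domain} looks like {COMPANY_DOMAIN} but is not it")
    # 3. Replies would silently go to a mailbox other than the visible sender.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")
    # 4. Work-related lure subject, and pressure to act before thinking.
    if any(lure in subject for lure in LURE_SUBJECTS):
        reasons.append("subject matches a known work-related lure")
    if any(word in subject for word in URGENCY_WORDS):
        reasons.append("subject pressures the reader to act immediately")
    return reasons

# Constructed sample messages: one impersonating a manager from an outside
# mailbox, one genuinely sent by that manager.
SUSPECT = {"From": "Dana Popescu <dana.popescu@webmail.example>",
           "Reply-To": "accounts@invoices-now.example",
           "Subject": "Invoice attached - please open immediately"}
LEGIT = {"From": "Dana Popescu <dana.popescu@acme-corp.example>",
         "Subject": "Q3 planning notes"}

if __name__ == "__main__":
    for label, msg in (("suspect", SUSPECT), ("legit", LEGIT)):
        print(label, screen_message(msg) or ["no findings"])
```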
We asked Yehia to envision how social engineering will evolve in the next 10 years, given the rise of AI and the challenges in defining identity in an interconnected world. Here’s what he had to share: “Social engineering will evolve in many ways in the next 10 years. Many new tactics will emerge, especially of the psychological variety. When a new platform is used to expose information, a new technology to exploit it will also emerge. Many years ago there were no ID cloners or rubber duckies that are used today in social engineering attacks. Defining identity is very important, but at the same time there are a lot of challenges. The channels used to share media are increasingly public. We no longer have to rely on a small number of newspapers, television networks and production companies to get information. Today, we are awash in information from decentralized sources such as blogs, wikis and social networking sites. Online social networks connect people and create avenues for extending our identity. Identity is connected to our physical being, but, increasingly, young people are crafting online identities using social networks. This, yes, has its good side in a world full of fake news, but at the same time it has a bad side, because it exposes the user’s identity and allows criminals to use it in many attacks. Defining identity is very difficult, especially in an always connected world.”
When we prompted Yehia to define a key piece of advice for anyone who wants to become more adept at dealing with social engineering attempts, he smiled and said that “one key piece of advice is not enough.” “But I would say: don’t fully trust any request you receive, whether through email, text, or direct human request. Check and check again, because social engineering targets trust in the first place.”
The interview and editing were done by Andra Zaharia.
DefCamp 2017 is powered by Orange România and it’s organized by the Cyber Security Research Center from Romania (CCSIR) with the support of Ixia, a Keysight Business as a Platinum Partner, and with the help of Bitdefender, SecureWorks, Amazon, Enevo Group and Bit Sentinel.