Can You Protect Against Social Engineering?
One of the earliest examples of social engineering comes from the legendary Trojan War, when the Greek army was able to sneak into the city and win the war by hiding inside a wooden horse that was initially presented as a peace offering, giving us the well-known security term "Trojan horse". It is the same approach we still face today with social engineering in the workplace. These attacks are usually set up to bypass your security controls and instead focus on human interaction: the attacker first gains a person's trust and then uses that trust to attack from within.
Phishing and Baiting
Common techniques for social engineering are phishing, spear-phishing and baiting, and they all involve an element of human interaction to pressure users into a mistake after gaining their trust. We have all heard of a basic phishing attempt where a "co-worker" emails you asking to quickly pay an important invoice. Under pressure to complete this task, especially if the request appears to come from a senior member of staff, you may be stressed into overlooking some basic checks before making that payment. The attacker has not had to break through security or gain access to the payment system; they have simply gambled on a human mistake.
If we then explore how random phishing attacks can also be targeted, in what is known as spear-phishing, we see a much darker side to social engineering. Now attackers are not targeting thousands of users a day in the hope of catching the one employee who happened to be distracted; they research the company and its employees. An attacker may build a list of who works in the finance department using tools such as LinkedIn. They would then build a personality profile of those people to focus their attack on. For example, if the attacker identified an employee on another social media platform complaining about their job or constantly mentioning that they were overworked, that person could be elevated to a potential target. Again, the technique at this point could follow several paths, but approaching a disgruntled employee for a password is a lot easier than approaching a happy team member. Likewise, if you know someone is overworked, they may be more prone to making a mistake, as they may be processing requests with less attention to detail.
Uber and WhatsApp
We heard recently of an attack where Uber was targeted using a WhatsApp number linked to an employee at that company. If you think about it, it does not take a great deal of skill to find people on social media and build up some data around their contact details. In this instance, on receiving that WhatsApp message the attacker gained the employee's trust and managed to obtain login credentials. Yes, Multi-factor Authentication (MFA) was in place, but the attacker constantly spammed the employee with mobile push notifications until access was approved.
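The push-spam pattern described above can be spotted in authentication logs. The following is an added example, not code from the original post or from Jamf; it runs over a constructed sample of MFA push events (timestamp, user, method, result) and flags users who approve a push only after a burst of denied or expired prompts in a short window. The log format, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (not real data). Format assumed:
# <ISO timestamp> <user> <method> <result>
SAMPLE_MFA_LOG = """\
2022-09-15T21:02:11Z alice push denied
2022-09-15T21:02:40Z alice push expired
2022-09-15T21:03:05Z alice push denied
2022-09-15T21:03:30Z alice push denied
2022-09-15T21:04:02Z alice push expired
2022-09-15T21:05:10Z alice push approved
2022-09-15T21:06:00Z bob push approved
2022-09-15T21:20:00Z carol push denied
2022-09-15T21:45:00Z carol push approved
"""


def parse_mfa_log(text):
    """Parse the sample log into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, _method, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def detect_push_fatigue(events, window=timedelta(minutes=10), min_failed=4):
    """Return {user: prompt_count} for users whose approval was preceded by at
    least `min_failed` non-approved prompts inside `window`. A lone approval,
    or a single denial long before an approval, is normal and not flagged."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    flagged = {}
    for user, evs in by_user.items():
        for i, (ts, result) in enumerate(evs):
            if result != "approved":
                continue
            # Prompts the user did not approve in the window before this approval.
            burst = [e for e in evs[:i] if ts - e[0] <= window and e[1] != "approved"]
            if len(burst) >= min_failed:
                flagged[user] = len(burst) + 1
    return flagged


if __name__ == "__main__":
    print(detect_push_fatigue(parse_mfa_log(SAMPLE_MFA_LOG)))  # {'alice': 6}
```

A flagged user is a prompt to confirm the approval out of band and to review the session that the approval granted.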
As Apple security experts, we would always recommend that your endpoints are secured to the highest level possible. If a device accesses your corporate data, it should be managed and meet a defined security posture so that these threats can be identified and blocked at the client level. As a gold Jamf partner we fully endorse their new security suite, which further extends security on Apple devices. With Jamf Private Access, even if an attacker has the username, password and MFA method, access to corporate systems would still be denied, because the device making the connection attempt would not be managed in Jamf Pro and would not have Jamf Trust configured for secure access to corporate services.
To complement the security solutions, we always recommend regular employee training to our clients to help them identify a social engineering attack. In fact, our DARE Total support package includes quarterly health checks of your Apple and Jamf environments alongside any remote training sessions you may require to keep your Apple devices secure and your employees educated.
So, can you protect against social engineering? Absolutely.