Social engineering as we know it is dead, replaced by a new breed of ‘psychological hackers,’ laser-focused on specific target organizations, who use the latest techniques to outwit current mitigations, according to a leading social engineer.
Keynoting at the first day of Infosecurity Europe in London today, Jenny Radcliffe warned organizations that “the human side of security will never be completely covered because everyone has pressure points.”
She claimed that this element of information security has traditionally been thought of as separate from the technology side of things, but that they must be tackled as one and the same if organizations are to marshal an adequate response.
“You will attract the hack you deserve as an organization,” she added. “The cultural profile of how you co-operate will determine the way [they get] in.”
In this way, arrogant staff from large organizations can be socially engineered through flattery, whilst those from smaller firms could be threatened, Radcliffe claimed.
Just as traditional hackers are in a constant cat-and-mouse battle to outwit the white hats, so social engineers adapt their tools and techniques – drawing on advances in everything from linguistics and hypnosis, to psychology and rhetorical techniques.
In the face of this onslaught, the first step organizations must take is to admit they have a major vulnerability – their employees – which only needs to be hit successfully once to let an attacker in.
In fact, CISOs and CIOs have a “duty of care” to address this human flaw as effectively as possible, Radcliffe argued.
So-called ‘red teams’ of ethical hackers and social engineers can be of limited use, because it’s difficult to “human hack” a company effectively if that same firm is paying you a salary, Radcliffe claimed.
Instead, the focus should be on “linking people and technology at every stage,” increasing awareness via audits, inductions and interviews, and trying out so-called “psychological pen testing” to increase resilience, she concluded.