Twitter Hack: How to Reduce the Risk of Insider Attacks
The Twitter hack shows that the real danger to businesses is from within, and that IT security policy alone can no longer keep companies safe. Learn why employee training is essential for building an effective insider threat awareness program and how to motivate employees to adopt countermeasures.
By now, you’re aware of the recent Twitter hack that targeted 130 high-profile Twitter accounts. The gist of it is that a group of people, one of them a 17-year-old just out of high school, used social engineering techniques to gain access to Twitter’s internal network. They first used that access to sell unique and unusual usernames, then moved on to scamming bitcoin payments by tweeting from these accounts.
The key phrase in this paragraph is “social engineering”. Social engineering is a very powerful hacking tool, and using it doesn’t require any computing knowledge at all; it just requires an understanding of people. Kevin Mitnick, considered one of the greatest hackers of all time, used social engineering almost exclusively to gain access to the systems he compromised.
So why does social engineering work so well? To put it very simply, the average person does not like to say no. Humans are social creatures, and it is in our nature to help each other, so when a request is made we automatically gravitate towards satisfying it. Another point is that people tend to assume everyone else shares their values and can be trusted. That trust can easily be abused by hackers with malicious intent.
To illustrate this, I have, in my then capacity as an IT person at a particular company, gone up to a person who didn’t know me and requested their password to log into their account to fix a problem they had. This person had no way of knowing whether I really was from the company’s IT department and went only by what I said. I could have walked in off the street, and as long as I looked like I belonged there, nobody would have asked any questions. There is a saying that if you wear a high-visibility vest and carry a clipboard you can go anywhere. Numerous YouTube videos show that this is true.
Does Workplace Culture Lead to ‘People Hack’?
A lot of this comes down to the culture of the workplace. It could be a large organization where people may not know colleagues in other departments, or it could be a small, family-oriented business where everybody trusts each other. Whatever the culture, the end result is that someone with perceived authority can ask for and receive anything. Heck, I have even had people I barely know give me their password, without me asking, so I could fix some minor problem. Knowing that most people tend to reuse their password for several different things, this is like giving me the keys to their identity and wallet.
The most common goal of social engineering attacks is passwords, and everybody knows that passwords are important. The thing is, they don’t know or understand why they are important, which is why weak and easy-to-guess passwords are used, why passwords are written on notes stuck to the monitor, and why the same password is reused across different systems. This, coupled with the assumption that information that isn’t important to them isn’t important to anyone, is why social engineering is such a powerful hacking tool.
Social Engineering Explained: How Hackers Prey On Human Nature
As per a research paper, social engineering refers to the “psychological manipulation of people into performing actions or divulging confidential information.” When brute force doesn’t work, hackers use guile to bypass security mechanisms.
Here’s how a social engineering scenario can play out. A malicious entity, whom I will call Mal, calls a company and asks an innocent question, following it up by asking for the person’s name, say, Susan. Then Mal calls back and gets a different person. Mal talks to this person, drops Susan’s name, and asks for this person’s name, which Karen gives. Having established a rapport, Mal spins a story about how he knew Kevin, who works in IT. Of course, there never was a Kevin, but Karen doesn’t know that. She replies that there is no Kevin in IT. Mal acts confused, wonders aloud when Kevin left, and then asks who works there now. Karen now gives Mal the name of the IT guy, Steve. Mal wishes Karen a good day and hangs up.
Then Mal calls the company back again and asks for the IT department. He asks to speak with Steve. Whether Steve is there or not, Mal explains to whomever he speaks to that he just started working in Susan’s department and needs to get some urgent information for Karen, which is on Susan’s computer; Susan isn’t available right now, and he was told to call Steve for the password. Steve, or the other IT guy, then gives Mal the password. Mal now has access to the company’s network and can use that foothold to gain further access. So you can see how easily social engineering can work. It is not all done in one hit but over a series of calls, gathering one bit of information at a time. Each piece of information is then used to obtain even more.
How to Avoid Social Engineering Scams
What makes social engineering difficult to combat is that it has no single, easily recognizable trait. Preventing it in a corporate environment comes down to education. Sure, you can put in procedures and identification badges to your heart’s content. However, procedures and identification can be learned and copied, and they are of no use when a phone is answered and a friendly voice on the other end establishes a rapport before slipping in a seemingly normal request for some important piece of information. Everybody in a company needs to be educated on what information is critical and, more importantly, why that information is critical.
Here’s how to avoid being a victim of potential social engineering attacks:
1. Learning the art of saying ‘no’: the best way to educate company employees is to have training seminars hosted by outside companies. This is much more effective than in-house training, because people tend to believe information delivered from outside their social group (a workplace is a social group, whether you believe it or not) more readily than information coming from inside the group. This training needs to cover what social engineering is, how to detect it, how to say no to requests for unauthorised information, and what sort of information could be dangerous to give out.
Passwords are the obvious example; however, there is also other information that can be used to obtain those passwords, such as the names of co-workers, which an attacker can use to pivot from one request to the next. Everybody in the company should be involved in this sort of training, because anyone can be approached and have social engineering used on them, up to and including the janitors. They know more than you think.
2. Make your company harder to target by building insider threat awareness: as social engineering can target anyone in a company, the whole organization should be aware of the techniques used to combat these threats. If everyone in the company is aware, they are more likely to ask why a random caller wants this information and more likely to say no to the request. The problem here, though, is that perhaps not everyone will buy into the company culture.
Those sorts of people may not last long, but they can do a lot of unintentional damage in the meantime. They need to be identified and their access limited until they either leave or integrate into the company culture. Another problem is people’s inherent laziness. That can be combated with a carrot-and-stick approach, but as always, continued vigilance is key.
Security, social engineering and malicious attacks are not static subjects that are learned once and then forgotten. Defending against them needs continuous monitoring, proactive action and regular educational refreshers in order to stay effective.