Of all the mythical tales of heroics in battle, there is none that is quite as relevant to modern cyber security as the siege of the legendary city of Troy. The moral of this ancient story has been interpreted in more than one way, but framed in context of the cyber threat landscape of today, its meaning is resolute: Even the biggest, most indestructible walls can’t keep the bad guys at bay. This isn’t to fault the builders of these walls, as the importance of strong perimeter cyber security cannot be overstated.
However, modern cyber attackers are using the same type of manipulation that the ancient Greeks did when they tricked Troy into willingly letting them into their keep. It’s called social engineering, and it’s the bane of the IT infrastructure world.
Here’s the problem: According to MarketsandMarkets, investment in cyber security is, not surprisingly, on the rise. The research firm estimated that by 2020 the cyber security market value would exceed $170 billion, up from an approximation of $106 billion in 2015. One of the main reasons for the market growth is the ever-evolving nature of cyber threats. Understandably, organizations are willing to spend more money in an effort to protect their digital assets. However, social engineering – and to an equally troubling extent, insider threats – can still bypass many forms of cyber security. This is particularly true of phishing scams and other business email compromise (BEC) schemes, which are rampantly tricking insiders into opening malicious file attachments and clicking on links that lead to malware. Ransomware in particular has been a huge problem, but keyloggers and other forms of surveillance malware can also pose threats.
And as if all of that wasn’t problematic enough, social engineering also has a physical dimension to it. This became very clear in a recent data breach that involves lessons learned from the ancient siege of Troy and, interestingly, pizza.
A hacker walks into a pizza parlor …
This may sound like the opening line of a joke, but it’s actually a fairly apt headline for a serious breach that occurred earlier in June at the American restaurant chain CiCi’s Pizza. According to independent journalist Brian Krebs, a group of hackers is believed to have posed as point-of-sale technicians at one of the chain’s many franchises in an effort to orchestrate a data breach. Unfortunately, they succeeded.
Krebs noted that he began to receive inquiries from American financial institutions about the possibility of a breach at CiCi’s Pizza. The sources suggested that they were able to trace multiple cases of credit card fraud back to the restaurant chain over the course of a few months, but had not heard of any official reports that the company had been breached. It’s not terribly unusual for POS data breaches to be discovered in this manner, as several notable hotel breaches in the past year or so were similarly identified.
Nor is it the first time that hackers have gone after the food service industry as a means to steal credit card data. In February, 12 popular food chains in the greater Chicago area were victimized by POS data breaches, according to ABC. The precise number of customers affected was not stated; however, the breach is believed to have lasted for as long as eight in some locations.
The recurrence of data breaches targeting a not-so-obvious industry like food service, combined with the fact that social engineering continues to wreak havoc, makes one thing very clear: No business in any market space can assume safety in the modern cyber threat landscape.
Combating real-world social engineering
Trend Micro broadly defines social engineering as “the art of deception employed by online crooks to get their hands on your money.” While not necessarily implicit in this definition, this deception can occur in the real world with the purpose of digital theft. This is exactly what happened to CiCi’s Pizza. While this isn’t the most common social engineering attack vector, it’s a serious one that many organizations are unprepared to cope with.
One security-consulting firm, aptly called Social-Engineer, claims that it has never failed in its attempts to simulate a physical break-in at a company it was brought on to work with. Given this track record, it becomes even more obvious that CiCi’s Pizza is in no way at fault for having fallen for the hackers’ physical intrusion scam. If it hadn’t been that, it could have been something else, perhaps an unlabeled thumb drive left on the counter that was preloaded with memory-scraping malware. For a commercial eatery that gets its bread and butter from having a hospitable, welcoming environment for all prospective patrons, defending against physical social engineering is especially challenging.
That said, fighting physical social engineering is not impossible. The foundation is proper awareness training for employees combined with adequate physical safeguards. For instance, all POS terminals should at the very least be password protected, preferably with two-factor authentication. Likewise, employees, including management, must be trained to never divulge their login credentials under any circumstances. Furthermore, if ever someone comes into your building claiming to represent a company you do business with, double-check to make sure that they have physical identification that supports their claim, and that an appointment was in fact scheduled.
Finally, never open up an unidentified thumb drive left on a counter or found in a parking lot at a place of work. This is generally a best practice that applies across the board, but is particularly important in a commercial business setting.
Beating it in cyberspace
Defeating social engineering in the digital world is arguably even more difficult than in the physical world, mainly because there are so many more attack vectors. In a study by TrendLabs titled “5 reasons why social engineering tricks works,” the authors pointed out that social engineering is all about what you see versus what you might not immediately notice. For instance, click-bait headlines from unfamiliar sources – especially ones that seem to tease potentially explicit content – whether shared on social media or in an email thread, should be avoided like the plague in workplaces. Beneath their sensationalized headlines often lurks a dark motive.
The same also applies to corporate emails. One strain of malware called PETYA disguises itself as a resume attachment in an email sent from an alleged job applicant. Other phishing schemes might entail a hacker posing as a corporate executive asking for a transfer of funds or a registry of current employees’ personally identifiable information. Taking a layered approach to email cyber security is a good start to preventing these types of scams from being effective, as it could detect threats in messages before they’re even opened, or identify certain traits that signify their illegitimacy.
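The two lures just described (a malware-laden “resume” attachment and a look-alike executive asking for a funds transfer) are exactly the kind of traits a mail-filtering layer can look for before anyone opens the message. The following is an added example, not code from the article or from Trend Micro: a small Python triage check run over constructed sample messages, where the internal domain, the executive list and the keyword list are assumptions.

```python
import re
from email.utils import parseaddr

# Constructed for this example: the company's internal domain and executives.
INTERNAL_DOMAIN = "example-pizza.test"
EXECUTIVES = {"dana lee": "dana.lee@example-pizza.test"}

RISKY_EXT = {".exe", ".js", ".scr", ".vbs", ".hta", ".lnk"}
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|rtf)\.\w+$")          # e.g. resume.pdf.exe
MONEY_OR_PII = re.compile(r"\b(wire|transfer|payment|payroll|w-?2|ssn)\b", re.I)

def flag_message(msg):
    """Return the reasons a message dict looks like one of the lures above.
    msg keys: from, reply_to (optional), subject, body, attachments (optional)."""
    reasons = []
    display, addr = parseaddr(msg["from"])
    # Executive impersonation: the display name is an executive's, but the
    # actual address is not the one we know for them (look-alike or webmail).
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append("display name impersonates an executive")
    # A Reply-To outside the company silently diverts the conversation.
    _, reply = parseaddr(msg.get("reply_to", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN:
        reasons.append("reply-to is external")
    # Only escalate to a BEC verdict when spoofing meets a money or PII request.
    if reasons and MONEY_OR_PII.search(msg["subject"] + " " + msg["body"]):
        reasons.append("requests funds or employee PII")
    # Resume lure: an executable, or a document name hiding a second extension.
    for name in msg.get("attachments", []):
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXT or DOUBLE_EXT.search(name.lower()):
            reasons.append(f"suspicious attachment: {name}")
    return reasons

def triage(messages):
    """Map each message's subject to its flags; an empty list means nothing found."""
    return {m["subject"]: flag_message(m) for m in messages}

# Constructed sample messages (not real mail).
SAMPLES = [
    {"from": "applicant@mail.example", "subject": "Application: cashier",
     "body": "My resume is attached.", "attachments": ["resume.pdf.exe"]},
    {"from": '"Dana Lee" <dana.lee@webmail.example>',
     "reply_to": "dana.lee@webmail.example", "subject": "Urgent wire transfer",
     "body": "Please process the payment today, I am in a meeting."},
    {"from": '"Dana Lee" <dana.lee@example-pizza.test>', "subject": "Lunch menu",
     "body": "New menu attached.", "attachments": ["menu.pdf"]},
]
```

Calling `triage(SAMPLES)` flags the first two constructed messages and leaves the genuine internal one clean; in a real deployment the flags would feed a quarantine or a user-facing warning banner rather than a hard block.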
But even with robust email security in place, employee awareness is still the most important defense against all types of social engineering. Always be on the lookout for unusual or suspicious emails, messages, phone calls or visitors. A good idea is to make this a part of employees’ basic training, so that they have a good idea of what qualifies as “unusual or suspicious.”
Hackers will exploit any avenue for financial gain, even if it means ruining a pizza-eating experience, but vigilance is still the best defense against social engineering.