Rachel Tobac thinks people are the first line of cyber security defense, not the weakest link. She talks about social engineering attacks and how to be “politely paranoid” with us.
That old line “Just because you’re paranoid doesn’t mean they’re not out to get you” is supposed to be a joke.
But when it comes to social engineering attacks, they really are out to get you. Which means being paranoid is a very useful thing.
Or as Rachel Tobac likes to put it, “politely paranoid.”
“You can shut down an attack while smiling,” she said.
Tobac should know. She’s not only CEO and co-founder with her husband of SocialProof Security, which conducts training on how to spot and block social engineering attacks, but also a three-time winner at the DEF CON Social Engineering Capture the Flag (SECTF) contest.
Not bad for a former special education teacher who admits she’s not a techie, but who has applied everything from an interest in puzzles to the study of applied behavioral analysis and neuroscience in college, training rats, and doing improv comedy to become a star white hat hacker in social engineering—generally known as the most common attack vector for hackers looking to penetrate companies of all sizes in all industries.
That’s in large measure because technological barriers have become more effective. Untrained and unaware employees—not so much.
Tobac’s specialty is “vishing”—the telephone version of phishing. Like other security awareness trainers, she understands why it has become a cliché that the human is the “weakest link in the security chain.” But she insists that well-trained humans can be the opposite—the greatest strength in the security chain. “People are your first line of defense,” she said.
And yes, it starts with polite paranoia. She said if somebody you don’t know—even if it’s somebody you think you should know—is being extra nice to you, talking about things you have in common or displaying uncommon knowledge about your organization and other people in it, but is also asking you for information that wouldn’t be publicly available, your antennae should go up—way up.
It’s human nature to be nice—to be helpful, to share, to be friendly. But as Tobac and others have demonstrated at DEF CON, those otherwise good character traits can be exploited if they aren’t infused with healthy paranoia.
As a headline in USA Today for a story about the 2016 SECTF put it, “A hacker’s best friend is a nice employee.”
Tobac doesn’t entirely agree, noting that being friendly and polite doesn’t have to mean being a sucker.
But she said what she has learned about persuading people to give away information that is not in their or their company’s best interest is what she now teaches them: Be polite and friendly, and also be wary and paranoid.
Be aware that good social engineers do advance homework and invariably find publicly available information they can use to, as she puts it, “authenticate” with a target.
Social media is an obvious place—photos and posts of family members, vacations, work events, and interests can create a profile.
“I can take any piece of information to connect with you, to build rapport with you on the phone,” she said. “There are things I’ll know before I call that you’re going to care about.”
A good visher will also know about a target’s work life. A photo of a person at the office with named coworkers, wearing a badge or with a computer screen in the background, offers a trove of information that can help to compromise either individual or corporate security.
“If I can see your computer, I can see in the little bottom tray from the logo what kind of antivirus you used. So I can tailor malware and avoid detection on your machine,” she said.
And of course a company’s website generally carries names and bios of those in management and a board of directors. In other words, it’s very easy to drop the name of a boss without having a thing to do with a company.
So what are the best ways to be politely paranoid? Tobac covers them in corporate training sessions. She said her clients include some of the largest tech firms in Silicon Valley. Among them:
One of the basics is to think before you post on social media. “If somebody knew this, could they trick me?”
But it also helps to understand how human behavior is exploited. Tobac said one of the better books on the subject is Influence: The Psychology of Persuasion, by Robert Cialdini.
Among his Six Principles of Persuasion are reciprocity, authority, and liking. They aren’t complicated, she said, but it’s important to be aware of how they work and can be exploited.
With reciprocity, “What would they [an attacker] drop about themselves to get you to drop something you shouldn’t?” she said.
Or with authority, “What name would they need to drop to get you to comply with what they want?”
And if somebody on the phone seems nice—and coincidentally has enough in common with you to be your new best friend—keep in mind that while you may like the person, you don’t know him or her.
How to avoid falling for social engineering attacks isn’t all that complicated either. “If somebody says they are somebody, confirm it by using a different method controlled by you,” Tobac said.
“Remember that when we vish, we spoof—we make a phone number look like it’s coming from where it’s not. So all you have to do is to call the phone number that you know. If it’s spoofers, they won’t receive it. Or use work chat.”
The most encouraging thing, she said, is that awareness training is working: Social engineering is getting harder.
“The scores at the SECTF have been going down,” she said, “which is awesome for the company [being vished].”
She said the same has been true after training sessions. “They’d tell us that before we came in, the incident rate was high and reporting was low. After 90 minutes of training, they said the reporting went through the roof—that they couldn’t even get their red team past them.
“Which is frustrating for the [red] team but awesome,” she said. “Once people understand the principles, they’re excited about it. They remind each other to take their badges off and not to have any computers in pictures.”
Of course, the reality is that it is impossible to be perfect. “The rate [of successful social engineering attacks] is not going to zero,” she said, “but it can be way less of a risk.”
Rachel Tobac is also chair of the board for the nonprofit Women in Security and Privacy (WISP), which works to advance women in those fields. She can be found on Twitter at @racheltobac, @socialproofsec, and @wisporg.
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.