Appalachia Technologies Blog

Appalachia Technologies team is comprised of a diverse mix of IT professionals, some of whom have been on the forefront of IT since the industry’s inception. Through the years, our team has developed a wide array of experience in understanding individual needs and how they relate to your business.

Social Engineering: How Kind Humans Can Cause Big Breaches (appTECH TALK Ep. 6)

Humans are the smartest beings on earth.  So why is it that they are the number one cause for breaches that cost millions of dollars?  It’s because they are kind.

Because of the kindness of human beings, they are easily manipulated by bad actors to give up private information or even hold a door.  This is the foundation of Social Engineering.

Social Engineering is one of the number one issues when it comes to organizations protecting their networks.  Companies spend millions of dollars on their IT infrastructure only to have it breached by someone holding a door for someone they shouldn’t.  Today I’m going to break down three types of social engineering.

Physical

The first one that I’m going to talk about is physical engineering.  Picture someone who wants unauthorized access to the inside of a corporation.  With badge access in use and doors mostly locked, how would someone infiltrate a seemingly secure building?  Easy - they social engineer their way in.  In one of my past positions, I would always use a box of donuts to get inside a building.  I would walk up to the door in the morning, joining the morning door traffic.  By holding a box of donuts, you automatically become friendly and non-threatening to people, so they are eager to hold the door to let you in.  At that point, someone is now inside the building and past the badge and door lock layer.  With no visitor controls in place (or being followed), “the guy with the donuts” could freely wander the building with potential access to trade secrets, client and employee files with PII – anything that is held within the physical walls.  Taking it even further, the benevolent donut guy could find an unoccupied desk space and plug into the network.  All this access for the low cost of a box of donuts and the kindness of a stranger to hold a door – that, my friends, is social engineering.

Phoning

In this day and age, it is still a common practice for employees inside a corporate network to be manipulated into giving access to the wrong person outside the company.  As an example, imagine someone calling and introducing themself as the ISP (Internet Service Provider).  In this case, a bad actor might call an employee to tell them they are working on the internet connection – not out of the realm of possibility.  Now, nearly anyone will tell you their internet is slow if asked.  The fake ISP has set the bait.  An employee might then follow the direction of the person on the other end of the call and be led through steps that would give them access to the computer.  Once they have access to the computer (to “fix” the internet connection), they could unknowingly install software that allows them to have a backdoor continuously.   From there, the malicious intent is to pivot to other areas inside the corporate network to exploit systems.

Phishing

Phishing is an attempt to fool a user into clicking a link that was sent in an email.  Often an email can be sent to look like it is from upper management.  In a previous social engineering assessment, I was able to craft a PDF file titled “Change in Dress Code Policy”.  Once this email was sent out, it was clicked by nearly 40 percent of the users that received it.  Typically using a topic that can be sensitive will result in people emotions playing a part in decision-making.  A bad actor could pack the PDF file with malicious code that when opened, would install a backdoor.  After the backdoor is installed, the bad actor has persistent access while the trusting clicker is unaware and in this case, happy to know Casual Friday is still in practice.  Normally these emails look like they are coming from someone in the company they know, so they feel safe clicking them.  Presenting as a member of leadership with an urgent request is common phishing tactic.

Another tactic can be to focus on a specific department that may be more trusting of attachments and links.  For example, the Accounting department may frequently receive invoices as attachments.  If they do not verify the sender and run through the basic checks of an email before opening, they could introduce malware to the company’s network.

For more information simple steps to protect against phishing emails, check out this blog.

In the end, most of these attempts can be avoided by repetitious security awareness training (and yes, repetitious means more than just an annual training session).  As well, a great security culture within an organization will stop many breaches.  Providing an environment that will allow for employees to talk openly, communicate freely, and “team up” on security awareness can have the potential for saving a company’s reputation by preventing a breach.  With nearly all breaches happening because of the kind nature of humans, it is imperative that people are prioritized as much as security appliances and tools.  As mentioned, millions can be spent on items, but it only takes one kind and trusting human to break down all defenses.


Mike MillerMike Miller is a cybersecurity professional with 25 years of experience through the IT industry.  He has focused on security, specializing in the areas of Virtual Chief Information Security Officer services, Governance, Risk, and Compliance, PCI, SOC, Intrusion Detection, Penetration Testing, and Incident Response.  In 2011, Mike founded Cyber Protection Group, which was acquired by Appalachia in 2022.  Mike is passionate about mentoring and assisting aspiring cybersecurity professionals and can be found regularly sharing insight on his LinkedIn profile.  When he isn’t fighting cyber crime, Mike loves spending time with his wife and kids, often boating in the Ozarks.

Top 8 Sources for Cybersecurity News
What is a vCISO? (appTECH TALK Ep. 5)

News & Updates

P R E S S  R E L E A S E Grantville, PA:  On Wednesday, October 19, Appalachia Technologies will be hosting a free in-person cybersecurity summit at the Hollywood Casino at Penn National Race Course for regional CIOs, CISOs, and IT Security Leaders.

Contact Us

Learn more about what Appalachia Technologies can do for your business.

Appalachia Technologies
5012 Lenker Street
Mechanicsburg, Pennsylvania 17050