In light of the recent security breach at Uber, Senior CISO Consultant Larry Kinkaid explains what social engineering is, how it works, and how organizations can work to prevent it.
Claire McKenna: [00:00:00] Hello everyone and welcome to today’s episode of CyBRR Chats. Today we’re joined by senior CISO consultant Larry Kinkaid to discuss social engineering, what it is, why it’s so prevalent, and what companies can do to defend themselves from social engineering breaches. According to a recent report from Cybersecurity Company Zero, Fox Social Engineering remained one of the most frequently reported intrusion tactics in Q2, and this will almost certainly remain the case for the foreseeable future.
Just last week, Uber suffered a major security breach as a result of social engineering, and they’re not the only ones. Microsoft and Okta also suffered security breaches from social engineering earlier this year. So, Larry, let’s dive in. What is social engineering? How does it work and why can it be difficult for companies to protect themselves from it?
Larry Kinkaid: Definitely, yeah. I , I actually looked up the definition just to, you know, level set. So social engineering is the [00:01:00] use of deception to manipulate individuals into divulging confidential or personal information that may be used for broad purposes. Um, I liken social engineers to kind artists. I mean, that’s really what they are.
In today’s day and age kind artists have been around far, far before computers. Um, really it’s confidence, it’s a sense of urgency. It’s, um, the ability to convince, uh, somebody that you are. Establishing, I guess that reputation that you are willing and, and trustworthy to get the same information. And I think, um, 99 times out of a hundred it’s credentials, username, password, in order to, uh, compromise systems.
So that’s what we look at when we say social engineering. Got
Claire McKenna: it. Thank you. Um, so this is at the top of everyone’s mind right now because of the recent Uber breach. So can you describe a little bit about that situation and how the hacker was able to gain access to sensitive information in that incident?
Larry Kinkaid: Of course. So there’s a lot of information going [00:02:00] around. Um, Uber has recently disclosed that, uh, the credentials were purchased on the dark web. Um, With that being said, I mean, at the end of the day, credentials were gotten somehow, um, and typically that is by social engineering. But the interesting thing that does align with what they’ve disclosed and what, um, has been, I guess, uh, expressed by the hacker, is that MFA fatigue was used, um, which is a newer concept.
Uh, In which they essentially spanned the end user with MFA pushes from their, um, system until they accept it. Uh, I’ve read that there’s an element of, um, reaching out to that individual and saying that if you want this to stop, you should just accept it or trusting something. Um, began establishing that trust and that credibility and, and, uh, compromising their credentials and, and getting into the, the vpn.
From there, they were able to. Um, find some plain text scripts with some other user passwords to other systems, namely, uh, an account management system in which they found, again, more credentials and [00:03:00] then were able to basically just pivot throughout the system into their Slack channel, um, in which they disclosed who they were and what they were doing.
Uh, so. It was, I think the MFA fatigue is interesting in that it’s probably the, the first time that I at least have heard about it on this big of a scale. Um, but there’s also like, I guess a lot of other layers to, um, this, uh, breach. Got it. Thank
Claire McKenna: you for that explanation. That was really helpful. So what can companies do to try and prevent social engineering?
Larry Kinkaid: So , my gut tells me security training, and I know a lot of people roll their eyes at that. Um, and I think that’s part of security training in relation to, to culture as well. You, you’ve gotta train employees. They’ve gotta be aware. They’ve gotta understand what they’re looking at, what happens. And even if they do, I guess, you know, click accept on the MFA or provide the credentials, there should be the wherewithal that maybe think about it later and go, You know what?
Maybe that wasn’t such a good [00:04:00] call. And then reach out to the security teams and say, Hey, you know, this is, I let this happen. Yeah. No shame. Like the real thing here that needs to happen is people just need to even, even if it’s after the fact, is understand what’s going on and how they can be a part of your security culture.
I would give someone so much credit if they were to do that, because it’s not easy, I think. Um, It’s actually a story with, uh, someone, a personal friend of mine that admitted that they, they got their bank credentials, uh, stolen in a very similar way, and they’re very savvy, they’re very knowledgeable, just having an off day.
Um, so that’s where security training and, and culture come into play. Fishing exercises, um, very easy to implement, very easy to do, and very effective in training users. You know, we gotcha. If I can get you, then anybody can. Uh, it gives you a baseline for where you’re at as an organization. I like to mix easy and hard just to, you know, kind of keep things, uh, interesting as well.
Um, but I think the, the aspect I wanna stress, especially on the fishing and even again, like I kind of stressed on, um, you know, reporting, [00:05:00] self-reporting, uh, um, potential security breaches is no shame. Shaming is not the right play in any of these cases. Um, and then I think that, In addition to just, I think more of the, the non-technical controls, there’s always reevaluating technical controls, ensuring that MFA is enabled everywhere it can be, um, that you’re using a password manager using, uh, password generators instead of remembering your passwords to prevent password reuse.
Um, all these things layered on top of each other, make that onion to protect your, your infrastructure and your network. That was a
Claire McKenna: really great analogy. Thank you. Um, and you mentioned this a little bit, but let’s talk about individuals for a moment. So we’ve talked about what organizations can do to prevent this from happening.
What can an individual do to protect themselves or maybe the organization that they’re working for from a social engineering breach?
Larry Kinkaid: Yeah, so I think traditionally, um, [00:06:00] uh, a security, uh, professional would say, lock down your social media. You know, don’t put everything out there, Protect your information.
Is the first step. But I think in today’s day and age, a lot of that information’s out there anyways. So I think the best thing to do is be prepared to have those conversations with social engineers. Um, be aware that you could be socially like engineered tomorrow. Um, it’s, it’s instead of the preventative of limiting that information that’s out there, just assume that they already have it and be prepared to.
Detected on the fly, if I’m gonna be using some security terms. Um, you know, talking to your kids, your grandparents. I know grandparents are typically pretty susceptible. Um, you know, it’s really just, uh, being ready for it. And then also implementing your own controls. I know, um, I guess what I always say is MFA on your emails, because that’s usually the base of any, uh, significant breach into your personal life because then you can reset passwords from there and then [00:07:00] go from there and think about, um, your financials.
So banks, credit cards, and then just make sure everything is, is, um, Good to go and then setting up alerts as well. Uh, so I have alerts set up on all my, my credit cards to say if there’s any kind of spend, send it to me even over a penny, just because I, I, if I’m using it, I know. Um, and then I can ask questions if, if something doesn’t look right.
Claire McKenna: good advice. Thank you. So I wanna talk about that mfa, uh, a little bit more. It’s a common misconception that MFA prevents social engineering breaches entirely, but as we just saw in the Uber breach, this was not the case. So why does MFA not entirely protect organizations from social engineering?
Larry Kinkaid: Great question. Um, It does feel like in this case, that that MFA has failed. But I’d argue that it didn’t. It gave an individual an opportunity to stop and think about the context and what’s going on and why this would be happening. Um, but the social engineer was [00:08:00] dedicated and persistent, uh, would be a, a great word here in which they were able then to convince that end user that, yeah, let’s, uh, let’s go ahead and accept that.
Um, but MFA again, you know, It’s, it’s, um, it’s another, it’s best practice to always put in, so. Got it.
Claire McKenna: So if an organization is hacked as a result of social engineering, what should their next steps be?
Larry Kinkaid: Yes. Um, I think as I kind of mentioned earlier about the shaming aspect, I think this is also an aspect of, um, shaming Uber that’s not the right play here.
It’s shaming any organization for any, uh, kind of breach at this point in time is just not, um, beneficial to anyone or the industry at large because, you know, we’re not sitting here trying to point fingers and laugh or. Or make, uh, light of a situation. Um, I, I’m sure their security team [00:09:00] is having a tough time right now and their PR team in addition to that.
Uh, but what should happen is transparency across the board. Um, everybody can learn from this. Everybody can sit down and kind of think through their security programs. Are use susceptible to MFA fatigue? Um, what would happen if someone’s credentials were taken? Do you have plain text credentials out there?
Those are all great things to ask yourself and, and reevaluate your programs. And anytime a breach like this happens, that’s what needs to happen. Um, I think how Uber responds will be defined as, uh, in this moment.
Claire McKenna: Thank you. Those was a really great answer again with more great advice. So we’ve reached my last question for you today, Larry.
Is there anything else on the topic of social engineering that you would like
Larry Kinkaid: to add? Yeah, so I mean, I kind of mentioned it before, but the evolution of social engineering in and of itself. Fascinating. Um, I’ll drop Kevin Mitnick as a good, uh, name to look up as in regards to early, uh, social [00:10:00] engineering.
Um, Frank Abernathy. You know, Catch Me if You Can, is another one. Um, but you know, anything from the Nigerian Prince to, uh, our boss requesting iTunes gift cards. Uh, , it’s, um, it’s, it’s evolved a lot and I, you know, we laugh about it today, but, um, it’s just getting more and more savvy and. You know, I think we just always need to be aware of it happening.
And again, technical controls compliment the, the, um, security training and the security culture, but everything needs to be taken seriously. Um, and that’s why security awareness training, fishing exercises, and your overall security culture paramount.
Claire McKenna: Thank you so much. That was a great answer. Um, well Larry, that was my last question for you, so I just wanna thank you for coming on and sharing your time and expertise with us and to our audience.
Thank you so much for tuning in and we look forward to seeing everyone next time on cyBARR Chats. Thanks, Claire.