Social Engineering — An Enduring Vulnerability

By Colin Mo
January 3, 2022
person using laptop computers

While the world is still reeling from the Log4j RCE vulnerability and organizations around the globe are undoubtedly scrambling to secure their infrastructure, the recent IKEA email reply-chain cyberattack has become buried in the news. Yes, it is important for companies to secure themselves against ubiquitous technical vulnerabilities that exist throughout their stack. But what are organizations doing about their own very vulnerable, very exploitable human personnel?

To illustrate with an extreme example: what’s the point of securing something on the Moon if your own people can be talked into ferrying bad actors there?

Only amateurs attack machines; professionals target people.

— Bruce Schneier

In this blog post we’ll use the IKEA cyberattack as an example to talk about social engineering, why it works, and how companies can protect themselves from this type of attack.

Social Engineering in Action

For those that need a quick recap of the IKEA email reply-chain cyberattack, here’s a summary of events from a fictional employee’s point-of-view:

  1. An internal email-chain enters your inbox from a trusted coworker, asking you to view a link and download an Excel document for work purposes.
  2. While you’re at it, the Excel program asks you to Enable Editing and Enable Content so you can see the work document!
  3. Malspam campaign does its thing
  4. Congratulations! You are now one of many IKEA employees that fell victim to a socially engineered spearphishing campaign.

If it’s any consolation for our fictional employee, the above series of events could have happened to anyone and any company — and while the specific trojans exploited known technical vulnerabilities, it is unlikely for the powder to be ignited without the first employee being compromised.

Why Does It Work?

This combination of phishing and social engineering is extremely effective because it exploits the weakest link in most organizations’ security surface area — people.

The attack is effective because it hijacks the embedded trust people have from a known, familiar source in a context they are already familiar with — in IKEA’s case, an email reply-chain. An email is sent from a “trusted” source, the initial response from the victim is to open it; and in this particular case, they download and open the Excel file that was attached, thus introducing the security breach. Attackers are effectively able to “bootstrap” a level of trust in their victims that doesn’t set off any of the normal alarm bells traditional training teaches about suspicious emails or activity.

To reiterate that point: this level of undeserved trust is mind-boggling. The employees trusted it so much that they unquarantined the emails when IKEA’s own email filters were filtering them out, forcing IKEA to disable the ability to release emails from quarantine.

Every company needs to ask itself: What do you do to prevent your own employees from being susceptible to this level of social engineering, directing them to subvert your security systems?

How can companies protect themselves against this type of attack?

Enterprises can protect themselves from this type of attack through two main avenues: better training for personnel and limiting blast radius.

Training

When it comes to training, personnel need to know the signs and symptoms.

  • Training should acknowledge that hacks can come from even trusted sources and contexts. The IKEA breach relied on an employee to be willing to download and open a file from a “trusted” sender. We recommend that training include the extra step of reaching out to verify that an individual meant to send a file or link. Follow-up steps include alerting the IT team in the case that the individual’s account is deemed to be compromised.
  • Knowing when your security system is trying to alert you. Excel gives a warning to people when they attempt to enable potentially dangerous functions. Employees that were simply attempting to do their job ignored the system when they enabled the macros without being suspicious. Whenever these warnings pop up, employees should be concerned and immediately report the situation.

Ultimately, employees need to be trained to develop a sense for when they may currently be the target of a social engineering attempt and immediately report it.

Limiting Blast Radius

Of course, employees will still inevitably err because they are human. While the technical exploit behind the malspam was probably not preventable once executed, corporations should have the tools, policies, and procedures to ensure that there is no single point of failure when an employee makes an honest mistake. For example, it should be standard corporate policy that employees cannot override Excel warnings on a corporate-owned device without explicit approval from IT. Additionally, corporations would benefit from having established contingency measures for a breach to limit spread and undo damage.

This involves tools such as an Identity-Aware Proxy designed to prevent the spread, as well as a disaster response plan. Assuming a breach is inevitable when someone eventually falls victim, does the organization have the process in place for ensuring damage is contained to a minimum while undoing changes or restoring backups? Ultimately, how will the enterprise expedite its own recovery to operational capacity?

Securing the Organization From Damage

When it comes to limiting blast radius, access control and limiting lateral movement come to mind. While no organization can truly ensure employees are immune from being socially engineered, the right tool dampens the damage when it happens.

Pomerium is an open-source platform for managing secure, identity aware access to applications and services. Organizations (like IKEA) can easily deploy Pomerium with their existing infrastructure to adopt a secure, identity-driven access to their internal services, limiting blast radius in the case of a breach. IT management teams can easily use Pomerium to provision access and ensure security for all users without sacrificing productivity, enforcing corporate policy and ensuring that when employees make honest mistakes the company is protected from the worst fallout.

Check out our open-source Github Repository and give Pomerium a try today!

Sign up to be notified of new features and product updates

Try Enterprise