I am currently on holiday, sadly about to finish, reading an interesting book called “Ghost in the Wires” by Kevin Mitnick. It is an autobiography of his time as a hacker and, according to him, the FBI’s most wanted hacker in the 1990s. The reason for sharing my holiday reading is that the book is all about how Mitnick used social engineering to gain access to telephone companies, mobile phone manufacturers and software companies.
What is social engineering? It is the art of obtaining confidential information by manipulating and/or deceiving people. In the 1990s the internet was only just starting and there were no smartphones, so research was much more difficult. Mitnick broke the security of companies by convincing employees to give him information over the phone, which he then used to hack the target company and steal its source code, or to set up a system whereby he could use the telephone networks for free.
So how did he do this? Mitnick researched a company to discover the names of real employees and then used those names when calling another employee, usually a junior one, to convince them to give him the information he needed in order to get into the IT systems. By using technical jargon and sounding confident, he was able to con the unwitting employee into giving him the access he wanted; people like to help colleagues and, because hacking was not well known in those days, employees were not on their guard as much as they would be today. That said, I came across a classic example of social engineering last year whilst working with a client, a large multinational company. One of the IT team didn’t think that the company’s password protocols were good enough and raised this with a senior manager within the IT department. After some time nothing had changed, so this technician decided it was time to make a point. He called the global IT helpdesk and pretended to be his manager, saying that he had forgotten his log-on password and was now locked out of the system. Could they please reset the password for him? They duly did this, and when the senior manager came to work the next morning he found that he couldn’t log into the company’s system. The password protocols were changed shortly afterwards!
So how is this relevant to data protection in the GDPR world we live in some 20 years on? Social engineering still thrives, for three main reasons: first, there are still hackers for whom the easiest way into a network is to use social engineering as the first step; second, there are those who want to steal people’s identities to commit fraud; and third, there are those whose aim is to harm one specific person. We shall look at each group in turn.
The Hackers. There are more hackers than ever before. Some hack for financial gain and some for the sheer thrill of it. It makes no difference to the target company, because either way its data has been compromised. Security systems are much more advanced these days, making it harder for hackers to rely solely on technical methods. As with any security system, the weakest link is usually a human being, because a person can be conned, threatened or induced to give out the one piece of information that allows a hacker to gain entry. Staff training is imperative to prevent employees from being duped by a hacker using social engineering to pry out information.
The Identity Thieves. If you are a criminal it is best not to use your own identity, in case you get caught, or to make it more difficult for the authorities to catch you because they are looking for the wrong person. The GDPR has enshrined a number of rights for a data subject, one being the Right of Access, whereby a person can demand that an organisation holding their data gives them a copy of everything it knows about them. In a retail context this would normally be name, postal address, email address, telephone numbers and perhaps payment card information as well. For employees the data would be more extensive and would include bank account details, national insurance number, driving licence and passport information, and so on. If an identity thief were able to get hold of the personal data I have just described, they would be able to clone the employee’s identity and/or access their bank accounts. Therefore when an organisation receives a subject access request (SAR), it must be sure that the person it is sending the personal data to is indeed the correct person, or has the legal authorisation to receive it. The GDPR supports this: where there is reasonable doubt about the identity of the requester, the organisation may ask for additional information to confirm it before responding, and an unverified request sent to a plausible-looking email address or a recently changed postal address should be treated as exactly that kind of doubt.
The Malicious Actors. The motives of these people are to disrupt someone else’s life for reasons unknown to the rest of the world. Again the GDPR gives them a way of achieving their objective through the rights of the data subject. By submitting a SAR, as above, or by requesting the erasure of all data, another of the rights the data subject has under GDPR, the malicious actor can hurt their target by denying them access to the products and services of the organisation affected, or by erasing their records. For example, imagine that following the break-up of a relationship one partner requests the erasure of the other’s personal data from a company they previously worked at. This would deny the affected person the chance of receiving a reference or employment check, which may hurt their chance of getting a new job. The right to erasure is not absolute, and an employer may well have grounds to retain some records, but a request acted on without checking who actually made it can still do real damage. Therefore it is important that an organisation verifies all such requests as best it can, and that the verification is stronger than simply replying to the address the request came from.
So what can we learn from my holiday reading that is applicable to the world we live in now? That as much as we rely on software companies providing the appropriate patches to plug security gaps, and on our IT departments ensuring that firewalls, anti-malware and other controls are in place, the weakest links in the security infrastructure are often the human beings within the organisation. Much like investing in IT security infrastructure, organisations must invest in their staff and provide training on the technical aspects of IT security, e.g. how to recognise and guard against a phishing attack, but also on how the organisation’s policies and procedures, such as identity checks before a password reset or a SAR response, are designed to protect against a social engineering attack and why it is important that they are followed.
If you think your organisation would benefit from staff training in data security please get in touch.