Social engineering, ‘The art of manipulation for information’. With cyber attacks making headlines, the security industry is always innovating to help companies implement more sophisticated software to hit back at the attackers and protect sensitive data. But as Jamie Woodruff explains, even with the right technology in place, social engineering is one of the easiest and simplest ways to get into the organization. It takes advantage of the weakest link in the chain – employees.

At our security and mobility conference Level, we were lucky enough to learn more about social engineering methods from Jamie Woodruff. He’s the ethical hacker who has hacked everything from Facebook to Kim Kardashian (all ethically of course!). Jamie gave us an insight into what methods social engineers use and how we can go about protecting ourselves.
Jamie Woodruff started his hacking career at nine years old, after being kicked out of school and college and almost deciding university wasn’t for him. He ended up at a hackathon where a company called IT Security Experts saw his potential and gave him the opportunity to sit his certifications and exams to become an ethical hacker. After going back to university, this time to teach, he ended up giving his first presentation on IT policy (in the same venue Level took place) to Boris Johnson, the London Mayor at the time, and David Cameron, the UK’s former Prime Minister. Now Jamie Woodruff travels all around the world giving talks, as well as juggling his day job as an ethical hacker.

The evolution of hacking

Hackers used to be the Banksys of the cybersecurity world. As a teenager, Jamie would edit an index page or put pictures into a document. He and others like him would not actually destroy any of the data. Only recently have ransomware and corporate extortion taken off. Hackers have now reached a point where they install ransomware on someone’s laptop and even have support set up to help victims get bitcoins, pay the ransom and get their files back. This is a long way from online graffiti.

In some ways, data is more valuable than currency. – Jamie Woodruff, Ethical Hacker

Jamie Woodruff puts social engineering into practice

Jamie Woodruff legally breaks into companies around the world, and he most commonly uses social engineering to gain access to buildings and/or data. It is a cyber attack that relies on minimal technical interventions. Social engineering is based on cognitive bias, that is, our preconceived notions of ourselves and the world around us.
The companies who hire Jamie will often give him guidelines. They will include the end goal – for example, gaining access to our server room – as well as rough guidelines on what he is and isn’t allowed to do.

I can break into the company by any means necessary without causing physical damage or distress, so I can’t press the fire alarm or make anyone cry. These are basically my rules. – Jamie Woodruff, Ethical Hacker

Where does social engineering begin?

Reconnaissance. It is easy enough to obtain schematics of a building and see where the CCTV cameras are. It is even possible to go on Google and find all the public CCTV cameras around using sites such as view.shtml. Google has also added geolocation, so you can find open cameras in your location. This means you can point the camera at the entrance of a building and start gathering information.
Included in this is profiling of human targets. Jamie will build a persona of you based on what you wear, how you act and how you present yourself. From here, he can figure out the best way to get information from you. This is where social media can play a big part in gathering information on individuals.
So let’s say you have found an open camera in the area. All you need to do is direct it to the entrance and count the number of people going in every day. On conference day more people go in, and there is your entrance: say you are part of the conference and you have access to the building. Or you have found the area where people go to smoke. You mingle and talk about that manager no one likes; when they re-enter, you go with them, someone holds the door open for you, and you are in the building.

Time to launch an attack

Once you have all the information you need to launch a valid attack, you do, and if it doesn’t work, you go back to the drawing board and start again. Eventually, you will gain access (unless it is a pharmaceutical company; they are really difficult to get into).
Jamie uses a variety of different tactics to gain access into companies. Tune in to part 2 to find out what these are.