In September 2013, viewers across the world watched the 62nd and final episode of the hit AMC show Breaking Bad, a show about a chemistry teacher, Walter White, who becomes a methamphetamine kingpin after learning that he has cancer. What people may not have realized is that in this final episode, Walter employed a technique commonly used by cybercriminals, known as Social Engineering, and the show offered a very realistic illustration of a threat regarding which all businesses and individuals should be aware.
In the final episode – “Felina” – the show depicts Walter White at a New Mexico gas station, preparing to return home to Albuquerque. He stops by a pay phone and makes what appears to be an innocent phone call to the New York Times, but instead of calling as himself, he imitates a New York Times reporter. He deftly states that he needs to track down the Schwartzes, the billionaires Walter helped make rich, for an interview. His convincing performance, by using social cues and leveraging his limited knowledge of the couple, allows him to extract the couple’s full address and schedule. He then goes about executing his version of “revenge.”
By imitating another person within a large organization like the New York Times, Walter successfully extracted information he had no authority to receive. This technique is known as Social Engineering. Social Engineering is the practice of “non-technical intrusion” that “bypasses or otherwise breaks normal security procedures.” Social Engineering is precisely what Walter did. The person on the other end of the phone at the fictional New York Times had the authority to access certain data. Walter bypassed any sort of checks the fictional New York Times had for its data by exploiting that person. These types of attack are becoming increasingly sophisticated. The potential for social engineering is the main reason why a typical phone call to your TV or Internet provider requires you to provide some information to validate your identify before the call can continue. PC World describes five different types of social engineering techniques. This isn’t an exhaustive list, but it’s a good one.
The best way to combat Social Engineering is to develop a comprehensive Information Security Program which takes the potential for social engineering into account and includes training for your entire workforce to spot it, avoid it and report it. WebRoot has a great list of suggestions for how to avoid social engineering attacks (as well as another good list of various social engineering techniques). Avoiding social engineering isn’t that hard, but data thieves are always looking for the weakest link in the chain, so if your entire organization is not trained and continually re-trained about social engineering and the latest techniques, the data safeguarded by your organization is as vulnerable as your most gullible employee.