The hacker’s guide to securing your organization

My name is Rachel Tobac and I’m a hacker, an ethical hacker, to be clear. This means companies hire me to tell them where their vulnerabilities are, so I can keep them and their customers safe. As an ethical hacker who’s breached the systems of news reporters, billionaires, and everyone in between, I know first-hand how often people fall for very simple principles of persuasion that have stood the test of time, and the technical tools that could have protected them from that fate.

The way to protect yourself and your corporation is three-pronged.

• First, familiarize yourself and your team with the principles of persuasion we use while hacking so you can recognize and shut down the social engineers.

• Next, arm yourself and your organization with the right technology - password managers (or passkey managers), and the right multi-factor authentication for your threat model.

• Finally, because this technology is moving so fast, you can future-proof your security by understanding the risks that are coming next, and the tools you can use to defend against these new threats.

Understanding how hackers apply the principles of persuasion is crucial in developing effective defense strategies. By recognizing the tactics hackers and social engineers employ, individuals and organizations can adopt a more “politely paranoid” mindset and implement robust security measures. Building awareness, educating users about common techniques, and promoting a security-first culture are essential steps in combating human-based attacks. Vigilance and skepticism serve as potent shields against the manipulative tactics used by hackers in their quest for unauthorized access.

By recognizing the tactics hackers and social engineers employ, individuals and organizations can adopt a more “politely paranoid”mindset and implement robust security measures.

When someone tells you information about themself what do you usually do? Reciprocate! It’s human nature. Hackers offer something of value to others, whether it’s information, assistance, or a favor, and this can increase the likelihood that their targets will be reciprocal to their requests and tell them information about themselves or their organization, for example. If I need to know which operating system (OS) you use to tailor my malware for your machine, I may offer up the OS I “use” to encourage you to reveal the details I need when hacking.

We tend to look to others for guidance when making decisions. At its heart, this means we’re more likely to take certain actions if we see others, especially people like us, doing the same.

By posing as reputable individuals or organizations, hackers instill a false sense of trust, making social proof an effective technique for manipulating targets into sharing sensitive information or engaging in risky actions.

Hackers who manage to convince us that “everybody’s doing it” are using social proof to influence our decision-making.

Humans like to be consistent and keep their commitments, especially if we’ve made them publicly or shared them with others. People are essentially “allergic to being awkward” – if we’ve given a commitment to someone or made a choice to trust someone, we’re more likely than not to stick with that prior choice.

Hackers will try to convince their targets to commit to small actions or statements that align with their ultimate goal, to increase the likelihood of the victim following through on the request. Once a scammer sees commitment, they will often escalate their requests, leading to more significant compromises.

People are more inclined to say “yes” to those they like or feel similar to. Hackers will attempt to build rapport, find common ground, and show genuine interest in their targets. Developing positive relationships and appearing to seek genuine connections with others can enhance a hacker’s persuasive abilities.

In his book, Influence, The Psychology of Persuasion, Cialdini illustrates this principle with the idea of the Tupperware Party. “The Tupperware Home Parties Corporation arranges for its customers to buy from and for a friend rather than an unknown salesperson. In this way, the attraction, the warmth, the security, and the obligation of friendship are brought to bear on the sales setting,” Cialdini writes.

People are more likely to comply with requests from authoritative figures or those perceived to have expertise in a particular domain. Hackers will feign credibility, expertise, or authority in a relevant area to enhance their persuasive impact.

Good social engineers leverage the principle of authority by skillfully crafting phishing emails to mimic communication originating from trusted and authoritative entities. They may try to gain your trust by impersonating your co-workers, your boss, your boss’s boss, or technical support. By assuming an authoritative role, hackers increase the chances of victims complying with their instructions, such as providing login credentials or granting remote access to their systems.

The principle of scarcity suggests we value things that are limited in availability. When we perceive something as rare, exclusive, or in high demand, we’re more motivated to acquire it. When a hacker highlights the unique features, limited quantities, or time-limited offers associated with their proposition, they can create a sense of urgency and increase the offer’s perceived value.

The scarcity principle also applies to time. Who among us hasn’t been influenced by the “Act now! This deal won’t last long!” email?

Unity is the seventh principle that Cialdini added in his later work. It emphasizes the power of shared identities and a sense of belonging. By emphasizing commonalities and aligning individuals with a shared group identity or cause, hackers increase our motivation to cooperate with them and abide by their requests. When I’m hacking executives, for example, I tend to pretend to belong to the same gym, board, community group, etc.

• Time boxing a request to convince you to take action quickly.

• Creating urgency by manufacturing an imminent threat or time constraints.

• Manufacturing urgency by posing as a trusted authority figure or organization and claiming immediate action is required to avoid dire consequences.

• Inducing panic or fear by emphasizing time-sensitive situations, such as imminent account closure, legal consequences, or financial loss.

• Using time-limited offers or limited availability claims to pressure individuals into making impulsive decisions.

• Fabricating urgent situations, such as a compromised account or a security breach, to prompt immediate action and divulgence of sensitive information.

• Exploiting current events or news topics to create a sense of urgency and capitalize on people’s desire to stay informed or involved.

Skilled cyber criminals capitalize on the natural human inclination to prioritize immediate action over careful consideration, exploiting our vulnerability in moments of perceived urgency to gain compliance and facilitate their malicious intentions.

Creating a strong line of defense against hacking is crucial for individuals and organizations alike. Organizations should prioritize a comprehensive cybersecurity strategy that encompasses human-based social engineering prevention measures, detection systems, technical tools, and incident response protocols.

Now, getting the security culture right isn’t solely the responsibility of the CSO. Everyone in the C-suite plays an important role in emphasizing the importance of a robust line of defense against hackers, reducing the risk of successful breaches, and safeguarding your company’s critical assets and reputation.

Despite our overall busyness and tendency to multitask (even though we know it’s not good for focus), we need to be cautiously skeptical in all of our online interactions in order to defend against malicious actors. I call this “Being Politely Paranoid” and it means using two methods of communication to confirm someone is who they say they are before fulfilling their request – a bit like human-based MFA! When in doubt, opt for multi-factor communication. For example, If someone emails you from a new email address requesting sensitive data, call them using the number you already have stored.

A proactive approach to protecting sensitive information can go a long way in maintaining the security of your organization.

By being “politely paranoid” about sensitive requests such as requests for wire transfers, access to company data, bank changes, admin account changes, etc., we can catch cyber attacks in the moment.

Open-source intelligence or OSINT is a reconnaissance step we take before starting the hack. We try to find as much publicly available information about a target as possible, such as their contact information, technical tools in use, likes/dislikes, etc.

Hackers employ OSINT to query search engines, explore massive public forums, or comb through troves of public records online to find the details needed to launch an attack.

Your company can fall victim to phishing scams through various deceptive techniques. Phishing is typically carried out via emails, messages, or fraudulent websites designed to trick employees or individuals within an organization into revealing sensitive information or performing malicious actions.

Attackers may impersonate trusted entities like banks, service providers, or company executives, creating a sense of urgency or importance to manipulate recipients.

(Remember those principles of persuasion?)

Hackers often find passwords online in what’s commonly known as a “password dump.” This is simply a massive number of passwords collected from hacked websites, data breaches, or underground forums where cybercriminals trade stolen information. These dumps often contain plaintext or hashed passwords alongside associated usernames or email addresses. Password dumps pose significant risks as they are often the first source of OSINT that attackers leverage to see if they can easily breach an organization’s systems. Once a password is found in a password dump, malicious individuals can use it to attempt to gain unauthorized access to user accounts, engage in identity theft, or launch other cyber attacks.

Hackers often employ tactics such as social engineering, where they exploit psychological factors to convince targets to click on malicious links, download malicious attachments, or provide login credentials. By mimicking legitimate communication channels, phishing scams can successfully deceive employees into divulging confidential data, compromising network security, or enabling unauthorized access.

• Are you or your organization in the public eye?

• Are you or your organization currently being targeted in a harassment campaign?

• Do you or your organization support journalists, activists, or other targets of nation state actors?

• Do you speak publicly about your work and role?

• Do you or your organization post in a detailed way on social media?

• Do you or your organization have a lot of followers or attention on social media?

• Do you have to trust a lot of different types of people and roles to get your job done?

The more of these factors you relate to, the higher the likelihood that you will be targeted by cyber criminals more frequently.

Use a second method of communication to Be Politely Paranoid: Make sure that everyone on your team understands common social engineering scams. Encourage all employees to confirm people are who they say they are and build that into your procedures so your team doesn’t feel awkward confirming your requests.

Physical Security Measures: Ensure that individuals with high-threat models have access to physical security measures to enhance their safety. Conduct regular risk assessments to identify vulnerabilities in their physical environment and implement appropriate measures to mitigate the risks in their threat model.

Digital Security Measures: High-profile individuals are often targeted or impersonated through digital channels. Implement strong cybersecurity measures to safeguard your VIPs’ digital presence. This includes password managers, MFA, encrypting communication channels, regularly updating software and systems, and conducting security awareness training to educate your VIPs about the most common threats they’re likely to receive.

AI tools have empowered hackers to emulate any brand voice seamlessly. Before these generative AI tools became so accessible, it would take far too long for a hacker to learn to write like a specific enterprise. Only the most artisanal hacker would take the time to study a company’s email and website copy.

And if English isn’t a hacker’s first language, they’d make errors that could make it easier to spot a scam quickly. But now, anyone can simply ask a generative AI app like ChatGPT to write in the style of any company and a hacker doesn’t even need to speak English well to get the majority of the copy correct. Now hackers have a strong call to action with immaculate copy written in somebody else’s brand voice in a language that the attacker doesn’t even usually speak.

By using AI to analyze vast amounts of data, these malicious actors can replicate the tone, style, and messaging of well-known brands, effectively deceiving unsuspecting individuals. From spear-phishing emails to fake social media campaigns, AI-powered attacks can be indistinguishable from legitimate

communications, leading to devastating consequences for both individuals and organizations. The ability to manipulate brand voices through AI amplifies the already complex battle against online fraud and poses a grave threat to the integrity of digital platforms.

Individuals with high-threat models, such asVIPs, face unparalleled challenges in the AI-powered hacking landscape. As AI evolves, it becomes increasingly difficult to distinguish between authentic and AI-generated content, blurring the lines between truth and deception. VIPs, who are often the targets of sophisticated hacking attempts, must navigate this treacherous environment with heightened caution. They are confronted with the constant threat of AI-generated impersonation, where adversaries can fabricate compelling personas to manipulate and exploit vulnerabilities for nefarious purposes – for example, I was able to impersonate a VIP at 60 Minutes to her team in 5 minutes using an AI Voice Cloning Tool.

For the third year in a row, Bitwarden partnered with Propeller Insights to conduct a global survey of internet users to understand the state of password management.

The survey probes password habits (including a continued trend of password reuse), cybersecurity risks, and the promise and particularities of passwordless authentication.

Unfortunately, some of the high-level findings show that a lot of folks still have some risky password habits.

• 19% admitted to having used “password” as their password.

• 52% have used well-known names, lyrics, or personal names (such as their child or pet). 84% of respondents reuse passwords.

• 11% reuse passwords on more than 15 sites.

• 60% have used the same password for 3+ years.

• 26% of those who reuse passwords have been reusing the same password for more than a decade.

• 34% still write their passwords down on paper like Post-it notes or a notepad.