The hacker’s guide to securing your organization

When someone tells you information about themself what do you usually do? Reciprocate! It’s human nature. Hackers offer something of value to others, whether it’s information, assistance, or a favor, and this can increase the likelihood that their targets will be reciprocal to their requests and tell them information about themselves or their organization, for example. If I need to know which operating system (OS) you use to tailor my malware for your machine, I may offer up the OS I “use” to encourage you to reveal the details I need when hacking.

We tend to look to others for guidance when making decisions. At its heart, this means we’re more likely to take certain actions if we see others, especially people like us, doing the same.

By posing as reputable individuals or organizations, hackers instill a false sense of trust, making social proof an effective technique for manipulating targets into sharing sensitive information or engaging in risky actions.

Hackers who manage to convince us that “everybody’s doing it” are using social proof to influence our decision-making.

Humans like to be consistent and keep their commitments, especially if we’ve made them publicly or shared them with others. People are essentially “allergic to being awkward” – if we’ve given a commitment to someone or made a choice to trust someone, we’re more likely than not to stick with that prior choice.

Hackers will try to convince their targets to commit to small actions or statements that align with their ultimate goal, to increase the likelihood of the victim following through on the request. Once a scammer sees commitment, they will often escalate their requests, leading to more significant compromises.

People are more inclined to say “yes” to those they like or feel similar to. Hackers will attempt to build rapport, find common ground, and show genuine interest in their targets. Developing positive relationships and appearing to seek genuine connections with others can enhance a hacker’s persuasive abilities.

In his book, Influence, The Psychology of Persuasion, Cialdini illustrates this principle with the idea of the Tupperware Party. “The Tupperware Home Parties Corporation arranges for its customers to buy from and for a friend rather than an unknown salesperson. In this way, the attraction, the warmth, the security, and the obligation of friendship are brought to bear on the sales setting,” Cialdini writes.

People are more likely to comply with requests from authoritative figures or those perceived to have expertise in a particular domain. Hackers will feign credibility, expertise, or authority in a relevant area to enhance their persuasive impact.

Good social engineers leverage the principle of authority by skillfully crafting phishing emails to mimic communication originating from trusted and authoritative entities. They may try to gain your trust by impersonating your co-workers, your boss, your boss’s boss, or technical support. By assuming an authoritative role, hackers increase the chances of victims complying with their instructions, such as providing login credentials or granting remote access to their systems.

The principle of scarcity suggests we value things that are limited in availability. When we perceive something as rare, exclusive, or in high demand, we’re more motivated to acquire it. When a hacker highlights the unique features, limited quantities, or time-limited offers associated with their proposition, they can create a sense of urgency and increase the offer’s perceived value.

The scarcity principle also applies to time. Who among us hasn’t been influenced by the “Act now! This deal won’t last long!” email?

Unity is the seventh principle that Cialdini added in his later work. It emphasizes the power of shared identities and a sense of belonging. By emphasizing commonalities and aligning individuals with a shared group identity or cause, hackers increase our motivation to cooperate with them and abide by their requests. When I’m hacking executives, for example, I tend to pretend to belong to the same gym, board, community group, etc.

Creating a strong line of defense against hacking is crucial for individuals and organizations alike. Organizations should prioritize a comprehensive cybersecurity strategy that encompasses human-based social engineering prevention measures, detection systems, technical tools, and incident response protocols.

Now, getting the security culture right isn’t solely the responsibility of the CSO. Everyone in the C-suite plays an important role in emphasizing the importance of a robust line of defense against hackers, reducing the risk of successful breaches, and safeguarding your company’s critical assets and reputation.

Despite our overall busyness and tendency to multitask (even though we know it’s not good for focus), we need to be cautiously skeptical in all of our online interactions in order to defend against malicious actors. I call this “Being Politely Paranoid” and it means using two methods of communication to confirm someone is who they say they are before fulfilling their request – a bit like human-based MFA! When in doubt, opt for multi-factor communication. For example, If someone emails you from a new email address requesting sensitive data, call them using the number you already have stored.

A proactive approach to protecting sensitive information can go a long way in maintaining the security of your organization.

By being “politely paranoid” about sensitive requests such as requests for wire transfers, access to company data, bank changes, admin account changes, etc., we can catch cyber attacks in the moment.

Open-source intelligence or OSINT is a reconnaissance step we take before starting the hack. We try to find as much publicly available information about a target as possible, such as their contact information, technical tools in use, likes/dislikes, etc.

Hackers employ OSINT to query search engines, explore massive public forums, or comb through troves of public records online to find the details needed to launch an attack.

Your company can fall victim to phishing scams through various deceptive techniques. Phishing is typically carried out via emails, messages, or fraudulent websites designed to trick employees or individuals within an organization into revealing sensitive information or performing malicious actions.

Attackers may impersonate trusted entities like banks, service providers, or company executives, creating a sense of urgency or importance to manipulate recipients.

(Remember those principles of persuasion?)

Hackers often find passwords online in what’s commonly known as a “password dump.” This is simply a massive number of passwords collected from hacked websites, data breaches, or underground forums where cybercriminals trade stolen information. These dumps often contain plaintext or hashed passwords alongside associated usernames or email addresses. Password dumps pose significant risks as they are often the first source of OSINT that attackers leverage to see if they can easily breach an organization’s systems. Once a password is found in a password dump, malicious individuals can use it to attempt to gain unauthorized access to user accounts, engage in identity theft, or launch other cyber attacks.

Hackers often employ tactics such as social engineering, where they exploit psychological factors to convince targets to click on malicious links, download malicious attachments, or provide login credentials. By mimicking legitimate communication channels, phishing scams can successfully deceive employees into divulging confidential data, compromising network security, or enabling unauthorized access.