Cybersecurity Workshop Held for Residents and Businesses
April 20, 2017
By Ginny Wray. A self-described hacker on Wednesday outlined “red flags” to help area residents know if their computer systems are vulnerable to being attacked and entered.
Darren T. Manners, security practice manager for =SyCom Connected, with headquarters in Richmond, spoke on “Social Engineering — Why me?” in the latest presentation in the New College Institute’s Non-Credit Lecture Series. About 75 people attended the event which was sponsored by the NCI Foundation and the Martinsville-Henry County Economic Development Corp. (EDC).
Hackers break into others’ computer networks, sometimes to steal data or other information. Manners, however, is hired to break into companies’ and organizations’ systems to reveal their security flaws so they can be repaired, he said.
Valerie Harper, director of the Small Business Division of the EDC, said her office is aware of a couple of area businesses that have been hacked, including one that was breached from China. The FBI ultimately confiscated the business’ computer equipment, Harper said, adding that the business owner had done nothing wrong.
“I imagine it happens more” often, Harper said of businesses falling victim to hackers.
For that reason, she and Mike Palmer, the technology manager for NCI, discussed holding a program on cybersecurity, and the result was Wednesday’s lecture.
Cybersecurity should be a concern of anyone who uses technology or who has an email address, tablet or other device, said Melody Stowe of the Southern Piedmont Technology Council, who attended the lecture. It is an essential skill that is taught in schools, she added.
Hacking encompasses many techniques, including social engineering, Manners said. He defined social engineering as “a kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures.”
“People are the weakest link but also the strongest,” he added.
A social engineering attack has four stages, Manners said. They begin with researching a company and an individual, physical research and defining the pretext or story used to gain entry into a system. Stage two includes the initial contact rules and the framing of the victim. In stage three, the hacker gets the victim to do something or “deliver the payload” and obtain information, and stage four is the cleanup.
He gave details of each stage so the audience members would recognize when they were being victims of social engineering. For instance, when talking about researching a person, he held up a smart phone and asked the audience, “Will you remember where you were in four years? This will.” And that data is valuable, he added.
Information about individuals also can be gleaned from social media sites, job sites and personal websites, where people sometimes put out too much information, Manners said.
Engaging someone in a conversation opens the door for a hacker. That can start with a hacker making a seemingly random comment and another person responding, often providing personal information without even realizing it; gaining validity by, say, carrying a clipboard; mentioning organizations that supposedly the hacker and victim both belong to; or hiding a lie among truths, Manners said.
Social engineers pay attention to body language, he said, noting that things such as a person’s hand movements and feet can be telling.
The same is true of language, Manners said. For instance, if a caller gives incorrect information, there is a “human need” to correct it, which may give the caller useful information, he said. Also, reflective questions keep the victim talking, which may create opportunities for the perpetrator, he said.
“A lot of things we do with social engineering we (also) do naturally. We (social engineers) just think about it,” he said, “Social engineers pay attention.”
Security is improving, Manners said, but he warned that, “as people move to more secure platforms,” hackers get more sophisticated. Password management systems are good but have limitations, he said, cautioning people against emailing their password information to themselves.
“Email is like a storage container,” Manners said.
He also warned against divulging password reset answers in social media space and against using your dog’s name or your mother’s maiden name in a password.
In general, he concluded, the more hurdles are created in a system, the harder it is to hack.