Cyber attacks are becoming increasingly complex, while at the same time attackers are showing more and more creativity in exploiting security gaps in IT systems. Social engineering, in which the human factor is used as a potential weak point, offers a variety of methods for obtaining information. Tobias Franz is responsible for social engineering at TÜV TRUST IT GmbH TÜV AUSTRIA Group. In this interview, Mr. Franz reveals how he got his job and what the well-known German phrase “Audacity wins” has to do with the topic.
Mr Franz, what do you mean by the term “social engineering” in the context of cybersecurity?
Social engineering is the exploitation of human characteristics such as helpfulness, trust or respect for authority in order to gain access to a company’s internal IT systems via employees. For example, attackers try to gain direct access to confidential information through employees or to install malware in the internal IT system in order to compromise the network there. In short, the term social engineering is used to describe attack methods that are not only intended to succeed through technical vulnerabilities, but also include the psychological level.
How exactly do the attackers go about it?
The best-known method, which we are hearing about more and more in the media, is the sending of phishing mails, i.e., e-mails that appear to evoke trust and, for example, ask the recipient to hand over information or contain a link that is used to infiltrate malware into the system. But it can also be much more personal, with attackers gaining direct access to buildings in order to place network sniffers there, for example, and thus gain access to the internal network. Password interception devices are also very popular.
Aren’t company buildings usually adequately secured against entry by unauthorized persons?
You would think that strangers would quickly attract attention in company buildings, but here it is quite clear that audacity wins. The more confidently and discreetly the attackers move around the building, the lower the risk of being approached. What employee would want to go to the trouble of asking a high-ranking business partner what he is doing there? It’s better not to say anything. The first important step in defending against such attempted attacks is to train all employees in security awareness. They should learn to recognize such situations, to assess them correctly in the event of an emergency, and to react appropriately.
So companies often lack this awareness?
In some cases, yes, but this is not due to unwillingness or lack of interest on the part of the employees. Often, people simply haven’t had any contact with the topic and are willing to learn more. That’s why we regularly hold awareness training sessions in which we teach the basic know-how needed to recognize potential attack attempts at the human level. Now that many colleagues work in home offices and are increasingly on their own, the topic has become even more relevant. This is because the outsourcing of information to private home networks opens up new opportunities for attackers. Here, we also offer online crash courses to teach employees the most important skills.
And when did you yourself have your first contact with this topic?
During my studies of computer science, I oriented myself towards information security at an early stage and because the topic appealed to me, I specialized in security analyses, which have been part of my everyday work here at TÜV TRUST IT for four years now. Over the years, I have worked on more and more social engineering projects for our customers and finally took over responsibility for the area, which I really enjoy because the conditions are different for each customer and therefore no two projects are the same. We always have to adapt to something new and keep an eye on the latest developments. Because the attackers are not asleep either and are fine-tuning their methods. It’s this “cat and mouse” game that makes my job so appealing.
Anyone who is interested in a job in social engineering should therefore be prepared to constantly develop themselves further.
That is definitely an important requirement. The challenges are becoming increasingly complex, both at the technical level and in terms of the creativity of the attackers. That’s where you have to keep it rolling. You have to be motivated to achieve your goal and be as creative as possible, have an understanding of the technique but also of the attackers’ way of thinking. As a basis, a university degree, as in my case, is certainly not bad, but you can work just as successfully in this field via appropriate training, courses and certifications.
Thank you very much for the interview, Mr Franz!