Kelly Coughlin:

The Chinese have a phrase. If you want to kill the tiger, masquerade yourself as a swine. He who poses as a fool is not a fool. The best way to be well received by all is to clothe yourself in the skin of the dumbest of brutes.

Announcer:

Kelly Coughlin, CEO of BankBosun, a management consulting firm helping banks' C-level officers navigate risks and discover reward. He's the host of the syndicated audio podcast bankbosun.com. Kelly brings over 25 years of experience with companies like PWC, Lloyd's Bank, and Merrill Lynch. On the podcast Kelly interviews key executives in the banking ecosystem to provide bank C-suite officers risk management, technology, and investment ideas and solutions to help them navigate risks and discover reward. Now your host, Kelly Coughlin.

Greetings. This is Kelly Coughlin, CEO and program host of Bank Bosun, helping banks' C-suite executives manage risk, regulation, and revenue in a sea of threats and opportunities. You know, 100 years ago the risk environment of the banking world was much different than it is today. The Federal Reserve System was established only a little over 100 years ago, in 1913. There were about 26,000 banks back then compared to about 7,000 today. In fact, Citibank only had about $1 billion in assets back then compared to $2.6 trillion today. And the risk profile of bad guys, criminals, was much different, too. Charles Ponzi was launching his famous scheme to turn a profit by manipulating international reply coupon systems, in which he'd buy stamps in one country and then sell them for profit in another. He defrauded investors of about $20 million, $220 million in today's funds, and destroyed six banks in the process. And then in 1925, the famous Victor Lustig convinced a bunch of investors to give him funds to purchase the Eiffel Tower for scrap metal. He even convinced Al Capone to invest $50,000 in another bogus scheme. Lustig returned the funds to Capone, who was so impressed with him that he let him keep $5,000 of the original $50,000. Of course, that was Lustig's plan all along. That's all he was looking for.

Today's criminals, however, are different. Yes, we still have bank robbers. The FBI reports that the U.S. has about 5,000 per year. But the bigger risk today is in the cyber security and social engineering area. Cyber security, of course, is new. We didn't have computers or the Internet 100 years ago. Technically, though, social engineering is not new. The definition of social engineering is the clever manipulation of the natural human tendency to trust, but the tactics and methods used today are much different than in the days of Ponzi and Lustig and Jesse James. These methods involve strange names like dumpster diving, email phishing, vishing, pretexting, baiting, and piggybacking, just to name a few.

My guest today is a recognized expert in today’s version of social engineering. His name is Kyle Konopasek, and he works in the Business and Technology Risk Services Group of CBIZ MHM.

The stated mission of CBIZ is to help clients prosper by providing them with professional business and individual services to better manage their finances and employees. To accomplish that, CBIZ has three operating practice groups, one of which is Business Services, and that's where Kyle operates out of, in their Kansas City office. The specific mission of Kyle, however, is to assist clients in the internal control areas related to information security, cyber security, vendor management, and of course social engineering. Kyle has a BS in accounting from Rockhurst. He is a certified internal auditor. He lives in the great city of Kansas City, home of some of the best barbeque in the country. So, I want to start off with the most important thing and get that out of the way. Kyle, what is your favorite barbeque restaurant in Kansas City?

Kyle Konopasek:

That’s kind of a loaded question, Kelly. I actually had Joe’s KC Barbeque today for lunch. Used to be known as Oklahoma Joe’s. Don’t understand why they changed that iconic name to Joe’s KC, but it’s still pretty darn good. But you know what? There’s a smaller, a little bit lesser-known barbeque restaurant in town called Smokehouse Barbeque, and that’s actually my favorite.

Kelly Coughlin:

Smokehouse Barbeque? Where is that located?

Kyle Konopasek:

Well, they’ve got just a few locations around town. They’ve got one up in Gladstone, Missouri, one out in Independence, Missouri, and then there’s another one over in South Overland Park, Kansas.

Kelly Coughlin:

Okay. I’ll have to give that a go. Well, now that we’ve got the important things out of the way, let’s get down to business here. First of all, did I get your bio correct, and was there anything that I said in my introduction that was either wrong or you disagreed with?

Kyle Konopasek:

Not at all, Kelly.

Kelly Coughlin:

Why don’t you tell me what your definition of social engineering is? I think I took my definition frankly from a Power Point that you had, but is there anything you wanted to elaborate on in terms of the definition of social engineering? Especially related to the cyber security world.

Kyle Konopasek:

Yeah. Kelly, you did mention the technical definition of social engineering earlier. However, we can elaborate on what social engineering is and what that means a little bit further. In some of the speaking engagements that I have with some of my clients and various organizations around the country, we usually talk about what our children do to us. If you think about it, even just a small child, a toddler, a three- or four-year-old, take them to the grocery store, you push them in the cart through the grocery store. Oh, Mommy, Daddy, I want this. Mommy, Daddy, I want that. Well, you tell them no a few times, and then they begin to find other ways to try and manipulate Mom and Dad into how to get that item that they want. We start performing acts of social engineering, every one of us, very early on in life without really understanding what it is. And I think that’s very important to distinguish, because social engineering, as you stated, is not new at all.

In fact, we all do it without really understanding or comprehending that it is social engineering that we’re doing. We may not necessarily be trying to manipulate one another for bad intent, but we often use different shades of social engineering, if you will, to try and get certain things that we want. And quite frankly, social engineering is ancient in its methodologies. The Trojan, with the whole Trojan horse scenario, that’s really social engineering. Hollywood loves to depict examples of social engineering in its movies. Just to name a couple of better-known social engineering oriented movies, Catch Me If You Can, with Leonardo DiCaprio, about the story of Frank Abagnale. Sneakers, with Robert Redford. Those are both excellent movies that depict in every facet, different types of social engineering.

Now, when we talk about social engineering, sometimes people get confused as to how that relates to cyber security. Cyber security and social engineering are very tightly linked together. However, we like to take it up one more level when we think about the two. We think of this large bubble called information security, and within that large bubble of information security, there are other bubbles floating around inside, one of which is social engineering. Another one is cyber security. Another one is vendor management, and you can continue to break it down into subsets of bubbles within the information security bubble. So, that's important to point out, that they are related, but they're not one and the same. For example, email phishing is one type of social engineering that is widely understood, but many people still describe that activity as a cyber security breach or a cyber security issue. You can definitely blur the lines between those two, and there is a gray space there. But email phishing at its heart belongs to social engineering.

Kelly Coughlin:

What are the main motivations for social engineering attacks? Is it always financial gain? Or on the other side of is it harm? Or is it a competitive advantage? Or do we get personal vendettas or that part of it, too?

Kyle Konopasek:

In the business world, Kelly, really all of those that you mentioned are examples of motivators for performing an act of social engineering. Social engineering is essentially a grouping of attack vectors that an attacker can use to attempt to not necessarily defraud an organization, but start to build a dossier of information about that organization for the purpose of executing a much larger attack. And when I say a larger attack, it can be in terms of dollars or it can simply be in terms of volume of information obtained. For an example, email phishing might be a starter for a social engineering attack to build that larger dossier of information. The attacker would be hoping that perhaps yourself or myself would be willing to click on a link in an email to take us to a website that was built to mock a website that maybe we're familiar with or maybe that we would typically trust. In reality, they're wanting to get one piece of information from us. The attacker wants to have login credential information to our networks, our systems, within the workplace.

They don’t really care what other information we provide, but sometimes we provide additional information that they don’t really ask for but help them to build that case. For instance, if I then provide them with a user name and a password or other types of login credentials to a network or a system, they obviously can then use that information to assist them in hacking into that system. The word hacking from an information security perspective or cyber security perspective is somewhat clouded by the fact that social engineering methods and techniques are many times one of the leading methods used to get to a “cyber attack” to “hack” into a system. There aren’t that many individuals that are literally sitting there in front of their laptop computer, trying to brute force hack their way into a network. Social engineering is a much easier way, because what we’re looking to do is just very easily and inconspicuously have the victim, or one of the victims, provide us the information that we need to do our bad work, to do the attack. And from that perspective, social engineering is very useful to a more intelligent attacker. And that’s quite honestly, why so many foreign entities are using social engineering to get sensitive information.

Kelly Coughlin:

Give me some examples of that. Keep in mind, the audience is community and regional banks. What are some of the techniques? What are some examples that you’ve seen where this manipulation occurs successfully?

Kyle Konopasek:

Well, email phishing is the low-hanging fruit in terms of an example for a social engineering attack. Many of us have seen that on a personal level as well. But yes, vishing, starting with the letter V, vishing is a legitimate social engineering attack method. And vishing is the telephone equivalent of email phishing. It’s simply picking up the phone and perhaps pretending to be someone with a help desk or with, perhaps it’s an outsourced company that the financial institution has engaged with, that caller is hoping that the person that picks up that phone is going to feel pressure to provide them an answer that they’re asking for. It might be that they’re going to try and elicit an attack based on patch management, for example. Maybe I work for a third-party data management company and I call XYZ Community Bank and I call Sally. And Sally answers and I tell her, Hi, I’m Kyle with ABC Data Management Services. We see that your desktop computer didn’t have the patches updated on it last week. All the other terminals did. We can take care of that patch for you right now if you just provide us with your user name and password for your desktop computer. That way, you don’t have to mess with it and you’ll be able to continue doing your work.

Kelly, it's something as simple as that. While the broader population might scoff at that scenario and think that it's not possible, the social engineering attacker needs one person, and you'd be surprised that many, many times, people fall for those attacks because, again, remember the true definition of social engineering: the manipulation of the natural tendency to trust one another. They don't want to inconvenience another human being from doing their job, or what's perceived to be them just doing their job. They want to do something that's helpful to them. So, therefore, the pressure is enough to where they just provide the information and hope that their day can go on without any further interruption, and that that person who, in perception, is on the other end of the phone trying to get information is truly trying to help them out. That's one example.

Kelly Coughlin:

Well, I've never had that kind of luck, because if I get a bounced email from, like, a CFO or a CEO and I try to call the secretary and say, hey, what's Joe's email? I got a bounced one. And they won't even give that to me. So, I'm not a very good hacker, I suppose. I'm going to do a quiz for you, Kyle, since you started showing off on some of these terms. We're going to play Jeopardy! with Kyle. Dumpster diving.

Kyle Konopasek:

Dumpster diving is literally me and/or my crew, our staff, getting into the large metal dumpster out in the parking lot behind the financial institution, in the middle of the night, usually. This is one of the more intriguing services that we provide. And again, keep in mind as I describe, social engineering is about getting tidbits of information through different attack vectors and building that dossier of information. In a dumpster dive, going out in the middle of the night with the rubber gloves on. Yes, Kelly, I carry latex gloves with me at all times, and I travel a lot. The TSA hasn't said anything yet, but one day they will.

Kelly Coughlin:

What are you diving into the dumpsters for?

Kyle Konopasek:

We’re actually getting in the dumpsters and looking for things like social security numbers, bank account numbers, anything like that. And you might say, well, what financial institution’s putting that kind of information in the trash? A lot of them. We have had so many clients over the years where this is the first test that they fail. When they ask us to come in and perform social engineering testing, this is the first one they fail. And many of them fail it miserably.

Kelly Coughlin:

You’re diving in as your internal audit function.

Kyle Konopasek:

Absolutely. Kelly, you know, one of the things that, from a dumpster diving perspective, I think is really important to stress is that documentation as simple as a phone listing for the organization or an email listing for an organization is valuable, because then they have a whole listing of people they can call to try and perform vishing on. Or even a vacation schedule for an executive or senior management person, because then they know that person's gone for that period of time. In addition to that obvious personally identifiable information like social security number, account number, it's that other often overlooked information that becomes valuable. And let me tell you, just shredding that information and then putting it in a trash bag and putting it in the dumpster's not good enough. We have taken shredded material from a dumpster, laid it out on our conference room table and taped it back together, and we have found full listings of user names and passwords that employees have kept over the years for access to not only their own systems and networks, but for some of their customers' trust accounts. We've tested those, and they've been active. The amount of information that's out there is absolutely astonishing to me, and how easy it is to come across in a dumpster is even more terrifying to me, just as a human being.

Kelly Coughlin:

That’s amazing. All right. So, next question. What is phishing?

Kyle Konopasek:

Phishing with a P. Kelly, that generally, when it’s mentioned by itself, refers to email phishing, and that is essentially, you’re receiving that unknown email or that unexpected email in your inbox that looks like it might be from someone that you would expect, but upon further inspection, if you really look, like if you hover your cursor over the link to the website that it wants to take you to, if you look at the URL address, it’s actually going to take you somewhere else, which would be typically a website that was built specifically to look like XYZ Community Bank’s website. Vishing is the telephone equivalent of email phishing. Same thing, except that I’m picking up the phone and I’m calling you, trying to extract as much information out of you as I can. Maybe it’s just to find out if Kelly’s out of town for the next two weeks.

Kelly Coughlin:

What is pretexting?

Kyle Konopasek:

Pretexting, that's the Hollywood that we like. The Hollywood version of social engineering is where we are basically disguising ourselves to walk in face-to-face and try and gain access to a secured area of a financial institution, whether it be the vault or the telephone closet or the server closet or the surveillance system. You would be amazed at how easy it is to gain access to secured areas of financial institutions through pretexting.

Kelly Coughlin:

What is baiting, B-A-I-T-I-N-G?

Kyle Konopasek:

Baiting is when you would take a USB thumb drive or a CD, and you would pretend to put information on that media. If you're a true attacker, what you would put on that media would be some type of a virus or malware, but the key behind the baiting piece is that you write on the cover of the CD, it says, Bank Bosun 2016 annual bonuses. Or maybe you put the USB thumb drive in an envelope and you write something conspicuous on the outside that might get someone's attention, and then you leave that item in a conspicuous place, in a hallway or on the corner of a desk or a conference room table, because what you're hoping is that a curious eye is going to catch that and say, oh, I want to know what so-and-so's making. Well, they put that item in their CD drive or their USB port, and once they open up that file, bang. That virus has been installed, and they don't know it. But in reality, there's nothing on there. So, that's all we're trying to do with baiting, is get that virus on there so it can then phone home and tell us all the information. Maybe it's a keystroke logger so we can get user names and passwords that are put into that terminal.

Kelly Coughlin:

Wow. What is piggybacking?

Kyle Konopasek:

Today would be a good day to do piggybacking, Kelly. It's about 18 degrees here in Kansas City. Maybe I want to go piggyback into a multi-tenant building. Smaller organizations with a few employees are not as easy to perform this test with, but if there are more than 50 or so employees, it's generally possible. Basically, take a cold day like today, have a heavy backpack over one arm and maybe have a box of donuts or something or a coffee in the other hand. And then, you're trying to watch for someone to come in through a secured exterior door, as an example. What you're wanting them to do is just hold that door open for you, because your hands are full. It's cold. They don't want to leave you out in the cold and make you get out your keycard to badge your way in. This can happen inside, as well. Again, the more employees, the better, because they don't necessarily know all the faces, and they're more willing to trust strangers.

Kelly Coughlin:

Okay. Now, the trick question. What’s the difference between phone phishing and vishing?

Kyle Konopasek:

No difference whatsoever, Kelly.

Kelly Coughlin:

That was the trick question. Good job. All right. I give you 100% on that. Where are the biggest human vulnerabilities? Is it new employees? Is it the older employees that, presumably, are less tech savvy? Or is it the younger, heavy tech users that are certainly more tech savvy, but because they use it more? Or is it kind of the third-party consultants that are working inside a bank? Do they create more vulnerabilities?

Kyle Konopasek:

Based on statistics that we know of, anyway, new employees are the number one weakness for falling for a social engineering attack. The reason why is they don't want to do anything to disrupt the culture of their brand-new employer. They don't necessarily know everyone. They don't necessarily know if the person sitting next to them is a person of importance or not. May or may not be. They're more likely to fall for email phishing, vishing, and occasionally face-to-face social engineering attacks, just from the perspective of not understanding the culture, not being completely versed in all of the policies. And also just wanting to please everyone. As a new employee, you want to be a pleaser. You want to come across as positive and liked and all those good things. From that perspective, new employees are the number one threat. After that, it's third-party service providers. It might not necessarily be your auditor that's coming in once a year, but think about all the other vendors that are engaged to do business with the financial institution. It's not necessarily just IT vendors, either.

That's the other issue that we run across: so many organizations want to focus on all of the vendors that they use to outsource IT to. It might be a data center, but it could also be a payroll company. Payroll companies have access to a lot of information. Let's not forget about the sensitive information of our own employees. It's not just our customers, but also our employees. So, we need to be cognizant of that as well. New employees and third-party service providers are the top two most likely to fall for a social engineering attack. The way that someone outside the organization would find out that there are new employees that have been hired on? Dumpster diving. There might be some onboarding information that got in the trash and shouldn't have. You can kind of start to see how all of these different types of social engineering attacks work together to build that bigger dossier of information for a larger type of attack. I think it's important for all employers of all sizes to have some form of consistent and periodic information security training. If those employers are providing that training, then it is appropriate to test those employees. And when we do social engineering testing, we have to be very clear, because we are not testing to identify the bad eggs within the employee group. That is not the point. Social engineering testing, or any type of test on information security, is designed to identify weaknesses in the culture, in the policies, in the procedures that are performed. The employees are just the vessels by which those items are implemented and executed.

Email phishing tests. Those are an easy one, fairly expensive for an organization. They can even be done internally by the organization. Spending $25 on a domain name, a website domain name that looks similar to a financial institution’s actual domain name and then setting up a fake website. An example of a good fake website to use in an email phishing campaign would be from HR, or if there’s some type of HR function. Send out an email to a group of employees that says, good afternoon. We have just implemented a new human resource information system, and we want to make sure that all of our vacation accrual balances are up to date. Why would we choose vacation accrual balances? Well, because it’s something that is impactful to the employee as an individual. They want to make sure they get their vacation time.

That email phish is going to go out with a link to that fake website, and what we're trying to see is if those employees actually click that link and then, do they actually go to that website and enter in their user name and password that we've requested so they can get to that fake website. Well, they're doing it in the hopes that they can make sure their vacation accrual's correct. We just want to see if they're following policy. And again, if they fail, and nine times out of 10 they do fail, it's not a poor reflection on that individual unless they fail that same test 15 times. It's more a reflection on the level of effort and quality of the information security training that management has provided to those employees.

Kelly Coughlin:

Now, I assume that you guys at CBIZ MHM have engagements where you’ll do training, testing there, too, if that’s called for?

Kyle Konopasek:

Yes, absolutely. From the training perspective, we actually partner with a company in Minneapolis named InteProIQ. They do a lot of online information security training for organizations of all sizes. Then, we come in and test how employees react after having that training. Sometimes, it’s valuable to do a test before the training and after so that you can then compare to see if there’s been improvement in the employee base in terms of how they handled those types of attacks, breach efforts. Then, kind of the third leg of that is cyber security insurance. CBIZ Property and Casualty does provide cyber security insurance, and that’s also a key component. If an organization performs social engineering testing and jumps through other certain hoops, many times, they can get a discount on their cyber security insurance if they’ve demonstrated that they have gone through tests of controls and that they have validation that controls work.

Kelly Coughlin:

Why don’t we wrap it up? What’s your favorite dumpster diving story? Where you were in a dumpster and you’re thinking, what the heck have I done with my career? What am I doing in a dumpster?

Kyle Konopasek:

Well, Kelly, honestly, our CBIZ office here in Kansas City has about 400 people that work in our office space. In our financial services division, where I am, there's about 150 to 200 people, so, I think that just kind of gives scope to the workplace. Now, most of the people in our financial services division are traditional audit and traditional tax CPAs. I am not, obviously. From this phone conversation, you've learned that. However, when we talk to our internal management about some of the services we offer and we mention dumpster diving, we just get these cold, blank stares, because they're wondering how in the world is a CPA firm paying us to go out and get in our clients' dumpsters? And do our clients actually value that? Well, they absolutely do, and the reason why is because we're in harm's way, Kelly.

We’ve found ourselves in large dumpsters that, come to find out, are actually big trash compactors. And then once we learn that, we do everything we can to scramble out of that dumpster as quickly as possible. We’ve been in that situation before. Fortunately, those trash compactors have not turned on, but those are the types of stories and little details that sometimes we don’t tell management about. Another dumpster diving story that we’ve kind of run across is that in speaking with local law enforcement, they actually encourage us to carry handguns, because some of the different areas, not just Kansas City, but all across the country that we do this work, they’re not in the best areas. And we’re also doing it late at night. Do we carry handguns? Absolutely not.

Kelly Coughlin:

Well, you haven’t seen any dead bodies in the dumpster, have you?

Kyle Konopasek:

No. We have not seen any dead bodies in the dumpster. We found some deer parts during hunting season.

Kelly Coughlin:

All right. That’s just, that’s terrific. I really appreciate your time on this. How can people get ahold of you? CBIZ has got, I don’t know, 1,000 offices, I can’t remember the number, all over the country. Are they best just to contact one of the local offices and then they get directed to you? Or do you want them to call you?

Kyle Konopasek:

You know, it's best if they just call me directly, because our Kansas City office is the primary location for this particular type of service. My direct number is (816) 945-5512, and I can certainly be reached by email. My CBIZ email address is my first initial K, and my full last name spelled out, Konopasek, which is K-O-N-O-P-A-S-E-K, at CBIZ.com.

Kelly Coughlin:

That’s excellent. All right, Kyle. You’re the man. I really enjoyed it. Thank you for your time.

Kyle Konopasek:

Kelly, thank you very much.

Announcer:

We want to thank you for listening to the syndicated audio program bankbosun.com. The audio content is produced and syndicated by Seth Green, Market Domination, with the help of Kevin Boyle. Video content is produced by The Guildmaster Studio, Keenan Bobson Boyle. Voice introduction is me, Karim Kronfil. The program is hosted by Kelly Coughlin. If you like this program, please tell us. If you don't, please tell us how we can improve it. Now, some disclaimers. Kelly is licensed with the Minnesota State Board of Accountancy as a Certified Public Accountant. The views expressed here are solely those of Kelly Coughlin and his guests in their private capacity and do not in any way represent the views of any other agent, principal, employer, employee, lender, or supplier.