Social Engineering and the Cyber Black Market

In movies, you see some guy sitting at his computer banging away at the keys and creating sophisticated algorithms that can go around advanced cybersecurity measures or can crack strong passwords or anything else that looks really cool for the camera. The not-as-glamorous reality is that hackers can shop for hacking tools online. Or better yet, they can exploit social engineering and get access to your system directly from you.

 

What is social engineering?

Social engineering, if you are not familiar with the term, is basically a “con game” to get the information needed to access networks or equipment. In other words, hackers rely on our trust being our weakness. Some examples of social engineering are:

  • Shoulder surfing: Gathering someone’s info may be as simple as looking over their shoulder to get their credentials. Now that we have cell phones with great cameras, it is not necessary for them to remember what you typed. The hacker can record a video of you entering your credentials and figure it out later. Google Glass makes it even easier.
  • Dumpster diving: We throw away a lot of information that can help a hacker. It is not just user credentials. It could be the identity of a contact person who can get them access to sensitive areas and insider information to help them find a way in.
  • Capitalizing on our predictability: Social engineers rely on our natural inclination to choose passwords that are relevant to us.
  • Pretending they belong: Hackers know that first impressions carry a lot of weight. They will come in as though they belong and get access by looking the part. Once inside, they can plug in a USB drive, “work” on the copy machine, swap out a phone with an altered handset, etc. For less than $100, they can own your network.

 

Today, you don’t have to be a code genius to start a hacking career–you can buy what you need. There is a huge cyber black market that sells and even rents data and hacking tools starting at around $50. Cybercrime is a growing segment, so much so that it’s surpassing the illegal drug trade. Silk Road was a site that originally started out as a marketplace for drug trafficking and other crimes. It began selling hacking tools and stolen log-in credentials due to the lucrative nature of the market. An article from RAND Corp concluded that “cybercrime can be more lucrative and easier to carry out than the illegal drug trade,” while a second article from RAND Corp/Juniper Networks found “that the ‘Cyber Black Market’ is more profitable than the global illegal drug trade.”

 

What does this mean to the control community?

Hackers and social engineers are well aware that building control networks and corporate networks intersect and that the security of control networks is generally weak. They also know that control systems’ PCs are typically physically exposed and accessible, giving them the chance to physically enter a building, plug a USB drive into the PC, and then punch into the corporate network for days on end, searching away unobstructed.

 

As control system integrators, we need to stretch our thinking past what we think is good security. Firewalls and antivirus are good, but all it takes is a person (you or your customer) giving another person (the social engineer) access/credentials to allow them to circumvent all of the security measures. Physical access has also got to become a part of the “shield.” Anyone (coder or purchaser in the black market) who can plug a USB drive into a PC can launch software that will give them unrestricted access to the corporate network.

  • We must do our share to help protect our greatest asset–our customer
  • We must protect our brand/credibility from a breach
  • Our customers’ IT networks and building control networks cross paths, which could be a security issue
  • Control system security is typically weak, so we need to focus on new ways we can strengthen it

 

Closing Thoughts

Check out these stats from a report from Mandiant:

  • 100% of breaches involved stolen credentials
  • 100% of victims have up-to-date antivirus software
  • 63% of breaches are reported by third parties
  • 243 is the median number of days advanced attackers are on the network before being detected

 

As this report shows, breaches are made not by a guy banging away on his keyboard like in the movies but by someone simply capturing or buying valid credentials, or tricking someone into giving them up. Security hardware and software are not the only things needed to combat the “bad guys.” Education, staying up-to-date on the latest threats, and oh yeah… a little bit of paranoia doesn’t hurt either.

 

Have a question for our experts? Leave your comment below or contact them directly at eig@mckenneys.com.

 

About Fred Gordy

Website: https://www.mckenneys.com

Email Address: fred.gordy@mckenneys.com

Fred Gordy is the operational technology manager for the McKenney's Enterprise Intelligence Group and is responsible for the technology strategy for the Automation & Control Solutions team. Fred has focused on control system cybersecurity for the past few years and has built a network of cybersecurity professionals to grow knowledge for the control system at large. He is also the current chair for InsideIQ's cybersecurity committee. Fred's portfolio includes projects with Chevron Energy Services at Eglin Air Force Base to reduce operating expense through real-time analysis as well as developing secure power monitoring systems for a national IDC, a national retail chain, and an international media company.
