Beware Of The Social Engineer; Your Assets Could Be in Danger

Feb 1, 2003 12:00 PM, By JIM WILLIAMS



A computer system administrator receives a phone call from a distressed employee who has lost access to the network and humbly requests a password change. Meanwhile, someone posing as a mail carrier peers over a receptionist's shoulder to discover the company log-in ID and password. Later on, a hacker searches the dumpsters to discover clues unwittingly tossed into the trash during the busy day that will uncover corporate intelligence.

Do these scenarios seem implausible? Not any longer. As attacks on IT systems grow more sophisticated, this kind of deception, which preys on a victim's natural compassion and trust, has exposed a hole in many companies' security.

Social engineers, as these attackers are called, gather as much information from a company as they need to compromise its security. Also known as "people hacking," social engineering is one of today's most specialized and successful forms of corporate espionage. And once a social engineer has obtained that information, there is no telling what will be done with it next.

A Method to the Madness

Hackers increasingly forgo the "old-fashioned," purely technical way of breaking into a computer system in favor of the social engineering route. It is both an art and a science. Once mastered, the technique works against a range of systems, regardless of the platform, hardware or software involved, and it applies in a variety of settings: in person, by phone, by mail or over the Internet. With practice, it can be carried out rather quickly.

Although creativity is key to social engineering, some of the most popular methods include:

  • Role playing — Pretending — via phone, e-mail, live or in a chat room — to be a service technician, employee or system administrator who needs a password for maintenance or urgent access.

  • Shoulder surfing — Peering over a computer user's shoulder to take note of a log-in ID and password.

  • Account sharing — Asking for permission to use someone else's account, then using that access to steal a password.

  • Reverse social engineering — Deliberately sabotaging a system, for example through an unattended workstation, then advertising the breakage with an error message that lists the attacker's own contact information for "help." When the user calls, the attacker "assists" with the problem and collects more information in the process.

  • Dumpster diving — Sifting through company trash bins to find important information about computer systems, corporate structure and company contacts.

  • Trojan horses — Sending Internet Relay Chat (IRC) and Instant Messaging (IM) messages that offer software or file downloads; when opened, the download installs code that, for example, recruits the system into a distributed denial of service (DDoS) attack.

  • Voice mail compromise — Gaining access to an executive's voice mailbox, then asking the help desk to leave the requested password as a message in that mailbox.

Falling Behind, Getting Ahead

The secret to these methods' success lies in society's failure to keep pace with technology. The ease of gaining and exploiting another person's trust is one reason cyber-criminals have successful "careers" in social engineering. Books on the topic explain how even the most seemingly insignificant data can be used to betray the most trusting employees at the nation's largest companies.

What to Listen and Look For: Hacker Minds Think Alike

In addition to books, many hackers publish their own tried-and-true social engineering strategies on the Internet, making the techniques easy to learn. These Web sites offer advice on how to conduct social engineering stunts in any number of ways. Some suggest using a female voice to procure the necessary information. Others recommend acting helpless or even demanding. Virtually all advise conducting extensive research on the company and arriving prepared with details that appear to verify the caller's identity, so that infiltrating a system becomes that much easier.

The Weakest Link

Unfortunately, trusting employees do not think like hackers, nor do they know how to recognize the signs of a social engineering attempt. Corporate training programs typically cover everything from customer service to company history but omit security training. A company's infrastructure may be hardened with authentication processes, firewalls, VPNs and network monitoring software, but these measures are defeated the moment employees share passwords or other crucial information with the wrong people.

The Strongest Defense

The answer to thwarting these attacks lies in education: security awareness and training. Companies can take the following steps to keep systems protected:

  • Train employees to recognize and report social engineering attempts.

  • Avoid posting employee names, titles and contact information on the corporate Web site.

  • Refrain from publishing any information related to the company's IT infrastructure that is easily accessible via the Internet. Examples include vendor case studies and support questions in chat rooms and hardware/software support sites.

  • Conduct periodic tests to determine exposure from social engineering and make appropriate adjustments to corporate security policies and training procedures to address these risks.

  • Encrypt sensitive information sent via e-mail.

  • Update anti-virus software regularly to minimize the impact of viruses, worms and Trojan horses.
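The role-playing and voice mail attacks described earlier work because the help desk hands a credential to whoever asks, wherever they ask for it. The following Python model is an added illustration, not code from the original article or from Solutionary, of a help-desk reset procedure that does the opposite: it verifies the caller against a secret held by HR, sends a short-lived, single-use reset token only to the phone number on record (never to a mailbox or number the caller supplies), and logs every decision. The employee record, the challenge secret, the ten-minute token lifetime and the callback "outbox" are all hypothetical.

```python
"""Help-desk password reset with out-of-band delivery.

Added example, not from the original article or Solutionary. The help desk
never hands a credential to the person on the phone and never sends it to a
destination the caller names. Directory records, the HR challenge secret
and the callback transport are hypothetical.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable

TOKEN_TTL_SECONDS = 600  # assumption: a one-time reset token lives ten minutes


def hash_answer(answer: str) -> bytes:
    # A real deployment would use a salted password hash (scrypt, bcrypt);
    # a plain digest keeps the example short. Normalised so "Blue Heron " matches.
    return hashlib.sha256(answer.strip().lower().encode()).digest()


@dataclass
class Employee:
    user_id: str
    on_record_phone: str   # callback number from HR records, not from the caller
    challenge_hash: bytes  # hash of a secret agreed with HR at hire time


@dataclass
class ResetToken:
    user_id: str
    expires_at: float
    used: bool = False


@dataclass
class HelpDesk:
    directory: dict                                 # user_id -> Employee
    clock: Callable[[], float] = time.time          # injectable for expiry tests
    outbox: list = field(default_factory=list)      # (destination, token) sent by callback
    audit: list = field(default_factory=list)       # (user_id, decision, reason)
    tokens: dict = field(default_factory=dict)      # token value -> ResetToken

    def request_reset(self, user_id, caller_answer, requested_destination=None):
        """Verify the caller, then dispatch a token to the on-record number.

        Returns the destination actually used. Raises PermissionError on
        refusal; the reason goes to the audit log, not back to the caller.
        """
        emp = self.directory.get(user_id)
        if emp is None:
            raise self._refuse(user_id, "unknown user")
        # The caller may ask for the password to be left in "their" voice mail.
        # Any destination other than the number on record is refused outright.
        if requested_destination not in (None, emp.on_record_phone):
            raise self._refuse(user_id, f"caller-supplied destination {requested_destination!r}")
        if not hmac.compare_digest(hash_answer(caller_answer), emp.challenge_hash):
            raise self._refuse(user_id, "challenge answer wrong")
        value = secrets.token_urlsafe(32)
        self.tokens[value] = ResetToken(user_id, self.clock() + TOKEN_TTL_SECONDS)
        self.outbox.append((emp.on_record_phone, value))  # callback, not the live call
        self.audit.append((user_id, "issued", f"token sent to {emp.on_record_phone}"))
        return emp.on_record_phone

    def redeem(self, value, user_id):
        """Complete the reset; a token works once, for its owner, before expiry."""
        tok = self.tokens.get(value)
        if tok is None or tok.user_id != user_id or tok.used:
            self.audit.append((user_id, "refused", "bad or reused token"))
            return False
        if self.clock() > tok.expires_at:
            self.audit.append((user_id, "refused", "token expired"))
            return False
        tok.used = True
        self.audit.append((user_id, "reset", "password changed"))
        return True

    def _refuse(self, user_id, reason):
        self.audit.append((user_id, "refused", reason))
        return PermissionError("request refused; the help desk will call you back")


def is_refused(desk, *args, **kwargs):
    """True when the desk refuses a reset request (used by callers and tests)."""
    try:
        desk.request_reset(*args, **kwargs)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample record: hypothetical employee and challenge secret.
    desk = HelpDesk({"jdoe": Employee("jdoe", "+1-402-555-0100", hash_answer("blue heron"))})
    print("attacker asks for delivery to own mailbox, refused:",
          is_refused(desk, "jdoe", "blue heron", requested_destination="+1-402-555-0199"))
    dest = desk.request_reset("jdoe", "blue heron")
    _, value = desk.outbox[-1]
    print("token sent to", dest, "| redeem:", desk.redeem(value, "jdoe"),
          "| redeem again:", desk.redeem(value, "jdoe"))
```

The two design points worth copying are that the destination is always taken from the directory (the caller's stated destination is only logged), and that the token, not the password, is what travels; an attacker who has compromised the executive's voice mail still needs to answer the HR challenge and still gets nothing left in that mailbox.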

Security does not end with these steps alone. It is a continuous process companies should strive to perfect when attempting to beat the social engineers at their own game.

For the Record

ABOUT THE AUTHOR

Jim Williams is director of security solutions at Solutionary Inc., Omaha, Neb. Mr. Williams' background as a special agent with the FBI and as an attorney provides a security and legal perspective.

© 2008 Penton Media Inc.
