Social Engineering - The Weakest Link in Information Security

Many of us in the computer industry understand the term 'Social Engineering' fairly well. But do your company, its managers and its employees understand and practice good techniques for avoiding becoming the victim of social engineering? After all, social engineering is the weakest point in your network's security! Don't believe it? Read on...

Why work hard for something when you can just ask!

If you think about it, from time to time we're all really victims of social engineering. I know, because my wife uses it on me quite often and her methods are subtle but effective. I'm sure she generally doesn't even think about what she's doing. "Honey, if you go shopping with me, I'll let you get that 'thing' you've been wanting for a while!" It really doesn't matter what I've been wanting; she really has no one else to shop with, needs my muscles, or just wants to spend some quality time with me.

Alright, let's stop picking on the spouse, she really is great! Your boss does the same thing to you, and often you do the same thing to your boss. It's that "jockeying for position" that we all do to get something in return for something! The "social engineer" makes this their art and science!

What is Social Engineering?

Political science refers to social engineering as an attempt by government or private groups to change or "engineer" the views and behavior of citizens.

In computer security, social engineering is the practice of obtaining confidential information by manipulating (through social skills) legitimate users. A social engineer commonly uses the telephone or Internet to trick people into revealing sensitive information or into doing something that is against policy. With this method, social engineers exploit a person's natural tendency to take others at their word, rather than exploiting computer security holes. It is generally agreed that "users are the weakest link" in security, and this principle is what makes social engineering possible.

Social engineering is a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people into breaking normal security procedures. The attacker uses social skills and human interaction to obtain information about an organization or its computer systems.

Most experts would agree that social engineering is generally a hacker's manipulation of the natural human tendency to trust! The weakest link in the information security chain is the natural human willingness to accept someone at their word. This is exactly what makes us vulnerable!

A social engineer runs what is typically known as a "con game". A person using social engineering to break into a computer network generally gains the confidence of someone who is authorized to access the network, in order to get that person to reveal information that compromises the network's security.

With the Internet's current proliferation of poorly-secured computers and many well-known security holes, the majority of security compromises are now carried out by exploiting vulnerable computers. However, social engineering remains extremely common, and it is a frequent way of attacking systems that are otherwise protected by technical controls.

An attacker may seem respectable, possibly claiming to be a new employee, a repair person or a consultant, and may even provide phony credentials to support that identity. By asking the right questions, the attacker may be able to piece together enough information to aid in infiltrating an organization's network. If an attacker is not able to gather enough information from one source, they will contact another source within the same organization and use the information from the first source to add to their appearance of credibility.

One of the most infamous "social engineers" was Kevin Mitnick. In his book "The Art of Deception", one of the world's most notorious hackers gives new meaning to the old adage, "It takes a thief to catch a thief." Mitnick explains why all the firewalls and encryption protocols in the world will never be enough to stop a savvy grifter intent on getting to a corporate database, or an irate employee determined to crash a system. In the book Mitnick provides many fascinating true stories of successful attacks on business and government. He illustrates just how susceptible even the most locked-down information systems are to a slick con artist. Written from the points of view of both the attacker and the victim, Mitnick explains why each attack was successful and how it could have been prevented. Mitnick offers advice for preventing these types of social engineering hacks through security protocols, training programs, and manuals that address the human element of security.

Typical Targets

Typical targets include...
  • Telephone Companies
  • Financial & Banking Institutions
  • Military Targets
  • Large Corporations
  • Government Agencies

The Internet boom has had its share of social engineering attacks. In general, attacks focus on larger organizations, but never let your guard down! Any organization with data of any kind of value makes a great target!

Typical Methods

A hacker attempting to steer a victim towards giving up information employs several methods. The first and most obvious is a simple direct request.

Memory - One of the essential tools of social engineering is a good memory. This is something that good hackers tend to excel in, especially when it comes to facts relating to their field. Social engineering is part art form and part science. Those who are good at it have studied the ways people think, and know how to trick the other person into saying or doing things they would not normally have done. It is a form of psychology where the victim is the patient.

Dumpster Diving - A term used for going through the trash (or dumpster) to obtain information helpful in stealing someone's identity. It is truly amazing the things people discard that can help in finding additional information about a person being targeted. Dumpster diving is not technically "social engineering", but it is sometimes used as a step towards gathering helpful information.

Raiding Mailboxes - Once the attacker has selected a victim, raiding that person's mailbox can often yield additional information to be used against them. The more you know about a person, the more effective alternate means of gaining data become.

Phishing - One of the newer forms of social engineering, phishing involves creating and using e-mails and Web sites designed to look like those of well-known legitimate businesses, financial institutions, and government agencies, in order to deceive Internet users into disclosing their personal information. Phishing scams typically operate counterfeit web sites that lure consumers into revealing their personal and financial data, including social security numbers, bank and credit card account information, and details of online accounts and passwords.

Impersonation - This is a method where the attacker pretends to be someone in an authoritative position. Some of the roles used during impersonation attacks include an IT support or help desk employee, a repairman, a supervisor or manager, or a trusted third-party vendor. In a large company, posing as a fellow employee is not hard to do at all. There is absolutely no way to know everyone! Many employees really want to impress the boss, so they might do anything to provide requested information to anyone who sounds official.

Password Harvesting - This covers any of several different methods of collecting passwords. While the typical (and easiest) social engineering attempt is to gain trust and simply ask for the password, many other methods are used to gain password information. Trojan horses are often slipped in to collect passwords. Additionally, sniffing a network segment can often provide password information.

Surfing Company Web Sites - A lot of corporate information can be obtained before even talking to anyone, simply by surfing company web sites: employee email addresses and phone numbers, organizational charts, executive titles, financial information and more. I recently dealt with a company that was becoming very frustrated with the large amounts of SPAM they were receiving, and yet all of their executives had their picture on a web page, along with their phone number and email address. Not only were they prime targets for SPAM, but they also provided plenty of information to aid in a social engineering attack.

Avoiding the Threat

Avoiding the social engineering threat requires companies to adopt a more security-aware mindset. Many companies conduct safety courses and testing in order to ensure their employees are working safely and responsibly; however, it is amazing how few companies take that same stance with information security. They fail to remind employees about the ways "information theft" is conducted! Social engineering is an underestimated security risk, rarely addressed in employee training programs or corporate security policies.

Avoiding Social Engineering...
  • Ensure your company has a strong information security policy.
  • Conduct in-depth information security training.
  • Be suspicious of unsolicited email messages, phone calls, or visits from individuals asking about employees or other internal information. If you are dealing with an unknown person claiming to be from a legitimate organization, verify their identity directly with that organization.
  • Never be afraid to question the credentials of someone claiming to work for your company.
  • Install and maintain firewalls, anti-virus software, anti-spyware software, and email filters.
  • Pay attention to the URL of a web site. Malicious web sites generally look identical to a legitimate site, but the URL may use a variation in spelling or a different domain.
  • Don't send sensitive information over the Internet before checking a web site's security.
  • Don't reveal personal or financial information in email, and do not respond to email solicitations requesting this information. This includes following links sent in email.
  • Don't provide personal information or information about your organization, including the structure of your networks, to anyone unless you are certain of that person's authority to have the information.
  • Be very careful what is provided on your company web site. Avoid posting organizational charts or lists of key people like officers.
  • Shred any document that is discarded that may contain sensitive data.
  • Don't allow employees to download from just anywhere.
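The URL advice in the list above, as an added example that is not part of the original article: a small Python script that compares a URL's host against a constructed allow-list of trusted domains and flags the spelling-variation and different-domain tricks the list warns about. It also covers two related variants (the trusted name used as a subdomain of someone else's domain, and a username before '@' that hides the real host). All domain names here are constructed.

```python
from urllib.parse import urlsplit

# Constructed allow-list of the organisation's own domains (hypothetical values).
TRUSTED_DOMAINS = {"examplebank.com", "windowsecurity.com"}

def registrable_domain(host: str) -> str:
    """Last two labels of a host: 'login.examplebank.com' -> 'examplebank.com'.
    Simplification: assumes one-label suffixes like .com (use the Public Suffix List for .co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (two-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_url(url: str) -> str:
    """Return 'trusted', 'lookalike: <why>', 'suspicious: <why>', 'unknown' or 'invalid'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return "invalid"                      # no scheme or no host at all
    if parts.username is not None:
        # https://examplebank.com@evil.example/ : the eye reads the part before '@'
        return "suspicious: text before '@' is a username, real host is " + host
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        # examplebank.com.secure-login.example : trusted name used as a subdomain
        if host.startswith(trusted + ".") or ("." + trusted + ".") in host:
            return "lookalike: " + trusted + " embedded in domain " + domain
        # exampIebank.com / exarnplebank.com : typo or homoglyph within two edits
        if edit_distance(domain, trusted) <= 2:
            return "lookalike: spelling variation of " + trusted
        # examplebank.net : same name, different top-level domain
        if domain.split(".")[0] == trusted.split(".")[0]:
            return "lookalike: " + trusted + " under a different top-level domain"
    return "unknown"

if __name__ == "__main__":
    for u in ("https://login.examplebank.com/", "https://exampIebank.com/login"):
        print(u, "->", classify_url(u))
```

A URL without a scheme (plain "examplebank.com/login") is reported as invalid because urlsplit then sees no host; normalise input to include "https://" before checking.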

Summary

The goal of this article was to get you thinking about your company's exposure to social engineering. If I look back at positions I have held or some of the consulting tasks I've had, I realize how vulnerable almost every company is to the weakest link in information security! I bet that if you asked the average employee whether they knew what the term social engineering meant, 80 percent or more would have no clue. And even after explaining the term and the consequences, most employees would still be very easy prey. Help the policy makers within your company or organization to understand the threat and the risks associated with it, and help train fellow employees to understand the problem. Ensure proper policies and methods are in place to reduce your risk. And send out reminders to employees from time to time. New threats and methods of exposure are constantly being developed. Keep your knowledge up, but most importantly share what you learn in periodic reminders to fellow employees. Many times they will find the information interesting, and often it will help them stay safer at home and in the workplace.

About Jeff McDermott

Jeff has been involved with computers and technology since 1977 and currently has over 27 years of experience. He received his initial computer training and experience while serving in the U.S. Army. He has studied computers through various college and industry courses over the years, has taught courses in computing, and has been internationally published for his work with both software and hardware development for the physically and mentally handicapped. Jeff has been a computer consultant, helping many small to medium sized businesses take advantage of computer technology. Jeff has served as a security specialist and firewall administrator/engineer for a major Fortune 300 company. Jeff has a very diverse computer background, with the following areas of influence: Programming & Software Development; Networking/LAN/WAN; Web Development; Information Security; Relational Database Design; Consulting; Hardware design and support; Years of management in the technical arena; I.T. Director; Creator/Webmaster of securitypanel.org for several years. Jeff is currently the Supervisor of the Network Operations Center of a major ISP, and additionally heads up the advanced technical support team.
