Social Engineering
Donovan Anderson
July 24, 2006
Many firms believe that they are security conscious. Large portions of IT budgets are spent on adaptive firewalls, distributed virus-scan software, intrusion detection systems, and other security-related products. What all of these products fail to address is the human element, which is the weakest link in the security chain. In his observation of the state of physical security at the 2001 RSA (Rivest, Shamir, Adleman) conference, Kevin Mitnick noted: “you could spend a fortune purchasing technology and services… and your network could still remain vulnerable to old fashioned manipulation.”
Social engineering, defined as “the practice of obtaining confidential information by manipulation of legitimate users”, is more common than many realize (Reference.com). There are many varieties of social engineering attacks: direct personal or phone attacks, where the attacker pretends to be someone with proper credentials requesting privileged information; shoulder surfing, where the attacker observes the victim typing in a password or PIN code; dumpster diving (digging through trash for corporate documents); and online phishing scams such as the “eBay scam” (Granger, 2001). While much time and effort is spent defending the infrastructure from a technical standpoint, many organizations fail to adequately address this threat. Training in how to deal with a social engineering incident is often limited or non-existent. Social engineering is often the easiest way for a criminal hacker to gain access to a company’s network.
The reason that social engineering is such a successful vector of attack is that it exploits tendencies that are common to all human beings. “The average user wants to believe the colleague on the phone and wants to help” (Granger, 2001). There are certain psychological situations which can be exploited by a hacker using social engineering techniques. One is the diffusion of responsibility: if a user can be made to believe that they will not be held responsible for their actions, they will more willingly give up information. The next is the chance for ingratiation: most employees will do anything to impress their management, and they do not want to get in the way of their boss or displease them. Another factor is that most people will try to do what they believe is right. If an attacker can appeal to a victim’s sense of moral duty, the victim will play into the attacker’s trap, giving up information and believing that they are doing the right thing (Brenner, 1997).
An attack may sound something like this:
Attacker: “Hey, this is Elaine from accounting, I need Peterson’s password.”
Helpdesk: “I’m sorry, I can’t give that to you.”
Attacker: “Please, this is really really important, if I don’t get this report done Peterson’s going to have me fired.” (appealing to moral duty)
Helpdesk: “How do I know you’re Peterson’s assistant?” (trying to be helpful)
Attacker: “His mother’s name is Estelle, and he has a dog named Barney.” (information gained through eavesdropping)
Helpdesk: “Ok, it’s ‘bigboy’.”
In this example, the attacker appealed to the helpdesk technician’s sense of moral duty. The helpdesk tech wanted to be helpful and did not want to impede what sounded like important work. Other attacks may be more insidious. There have been numerous documented incidents of attackers gaining access to corporate networks by sprinkling media containing trojan horses around the area. In one such attack, a CD-ROM labeled “2005 Financials & Layoffs” was left in a restroom to be picked up by an employee and inserted in the employee’s computer. When the employee inserted the disc, a trojan was installed on his machine that opened a back door to the entire network. This is known as a “180 degree attack” (Miller, 2005). These kinds of attacks appeal to a person’s sense of scarcity: people desire knowledge that they are forbidden to have. In this type of attack it is not necessary to breach any security measures by technical means, as the attacker gains direct access to the network through the employee’s own workstation.
There are certain precautions an organization can take to protect itself. The first and most important of these is user education. Every member of an organization must learn how to recognize a social engineering attempt, and must know how to prevent one. Employees must be trained to properly dispose of classified information by shredding or incineration. Policies must be set forth defining what information is deemed to be classified and what the proper procedures are regarding access to classified information. In addition to user education and training, risk can be mitigated by properly segmenting the network and restricting user access to only the sections required. By doing this, a company can limit the damage of a “180 degree attack” by limiting the resources the compromised workstation has access to.
The best information security posture is a multi-layered defense. Social engineering is a threat that cannot be addressed by throwing technology at it. Only through diligence, training, and awareness can an organization defend itself against these techniques. Companies that continue to ignore this reality do so at great financial risk.
Brenner, S. (1997). The psychology of social engineering. Retrieved July 17, 2006, from www.cybercrimes.net/Property/Hacking/Social%20Engineering/PsychSocEng/PsySocEng.html
Granger, S. (2001). Social engineering fundamentals, part I: hacker tactics. Retrieved July 17, 2006, from www.securityfocus.com/infocus/1527
Mitnick, K. (2001). My first RSA conference. Retrieved July 17, 2006, from www.securityfocus.com/news/199
Retrieved July 17, 2006, from www.windowsecurity.com/whitepaper/Social-Engineering-Victim.html