-  What is Social Engineering?
-  Common Types of Attacks
-  Social Engineering by Phone
-  Dumpster Diving
-  Online Social Engineering
-  Reverse Social Engineering
-  Policies and Procedures
-  Employee Education
-  Social engineering is the use of influence and persuasion to deceive people for the purpose of obtaining information or persuading the victim to perform some action.
-  Companies with authentication processes, firewalls, virtual private networks and network monitoring software are still wide open to these attacks.
-  An employee may unwittingly give away key information in an email, by answering questions over the phone from someone they don't know, or even by talking about a project with co-workers at a local pub after hours.
It is said that security is only as strong as the weakest link. Social engineering is the use of influence and persuasion to deceive people for the purpose of obtaining information or persuading the victim to perform some action. It need not be restricted to corporate networks alone. It does not matter whether an enterprise has invested in high-end infrastructure and security solutions such as complex authentication processes, firewalls, VPNs and network monitoring software. None of these devices or security measures is effective if an employee unwittingly gives away key information in an email, by answering questions over the phone from a stranger or new acquaintance, or even by bragging about a project to co-workers at a local pub after hours.
Most often, people are not even aware of the security lapse they have made, albeit inadvertently. Attackers take special interest in developing social engineering skills and can be so proficient that their victims do not even realize that they have been scammed. Despite having security policies in place, organizations are compromised because this form of attack preys on the human impulse to be kind and helpful.
Attackers are always looking for new ways to access information. They make sure they know the perimeter and the people on it (security guards, receptionists and help desk workers) in order to exploit human oversight. People have been conditioned not to be overtly suspicious, and they associate certain behavior and appearance with known entities. For instance, on seeing a man dressed in brown stacking a whole bunch of boxes in a cart, people will hold the door open because they assume he is the delivery man.
Some companies list employees by title and give their phone number and email address on the corporate Web site. Alternatively, a corporation may put advertisements in the paper for high-tech workers who are trained on Oracle databases or UNIX servers. These little bits of information help attackers know what kind of system they are tackling. This overlaps with the reconnaissance phase.
-  Social engineering includes the acquisition of sensitive information or inappropriate access privileges by an outsider, based upon building inappropriate trust relationships with insiders.
-  The goal of a social engineer is to trick someone into providing valuable information or access to that information.
-  It preys on qualities of human nature, such as the desire to be helpful, the tendency to trust people and the fear of getting in trouble.
Social engineering is the art and science of getting people to comply with an attacker's wishes. It is not a form of mind control, and it does not allow the attacker to get people to perform tasks wildly outside their normal behavior. Above all, it is not foolproof. Yet this is one of the ways most attackers get a foot into the corporation. There are two terms of interest here.
-  Social engineering is hacker jargon for getting needed information from a person rather than breaking into a system.
-  Psychological subversion is the term for using social engineering over an extended period of time to maintain a continuing stream of information and help from unsuspecting users.
Let us look at a sample scenario.
Attacker: "Good morning Ma'am, I am Bob; I would like to speak with Ms. Alice."
Alice: "Hello, I am Alice."
Attacker: "Good morning Ma'am, I am calling from the data center. I am sorry I am calling you so early..."
Alice: "Uh, data center office, well, I was having breakfast, but it doesn't matter."
Attacker: "I was able to call you because of the personal data form you filled in when creating your account."
Alice: "My pers... oh, yes."
Attacker: "I have to inform you that we had a mail server crash tonight, and we are trying to restore all corporate users' mail. Since you are a remote user, we are clearing your problems first."
Alice: "A crash? Is my mail lost?"
Attacker: "Oh no, Ma'am, we can restore it. But, since we are data center employees, and we are not allowed to mess with the corporate office users' mail, we need your password; otherwise we cannot take any action." (first try, probably unsuccessful)
Alice: "Er, my password? Well..."
Attacker: "Yes, I know, you have read in the license agreement that we will never ask for it, but it was written by the legal department, you know, all law stuff for compliance." (effort to gain the victim's trust)
Attacker: "Your username is AliceDxb, isn't it? Corporate sys dept gave us your username and telephone, but, as smart as they are, not the password. See, without your password nobody can access your mail, even we at the data center. But we have to restore your mail, and we need access. You can be sure we will not use your password for anything else; well, we will forget it." (smiling)
Alice: "Well, it's not so secret, my password is xxxxxx" (also smiling! It's amazing...)
Attacker: "Thank you very much, Ma'am. We will restore your mail in a few minutes."
Alice: "But no mail is lost, is it?"
Attacker: "Absolutely, Ma'am. You should not experience any problems, but do not hesitate to contact us just in case. You will find contact numbers on the Intranet."
Alice: "Thanks"
Attacker: "Goodbye"
-  People are usually the weakest link in the security chain.
-  A successful defense depends on having good policies in place and educating employees to follow the policies.
-  Social engineering is the hardest form of attack to defend against because it cannot be defended against with hardware or software alone.
Social engineering concentrates on the weakest link of the computer security chain. It is often said that the only secure computer is an unplugged one. The fact that you could persuade someone to plug it in and switch it on means that even powered-down computers are vulnerable.
Anyone with access to any part of the system, physically or electronically, is a potential security risk. Any information that can be gained may be used to social engineer further information. This means that even people not considered part of a security policy can be used to cause a security breach. Security professionals are constantly told that security through obscurity is very weak security. In the case of social engineering it is no security at all. It is impossible to obscure the fact that humans use the system or that they can influence it.
Attempting to steer an individual towards completing a desired task can use several methods. The first and most obvious is simply a direct request, where an individual is asked to complete the task outright. Although this is the least likely to succeed, it is the easiest and most straightforward method: the individual knows exactly what is wanted of them. The second is to create a contrived situation of which the victim is simply a part. With other factors than just the request to consider, the individual concerned is far more likely to be persuaded, because the attacker can supply reasons for compliance other than purely personal ones. This involves far more work for the attacker, and almost certainly involves gaining extensive knowledge of the 'target'. Nor does it mean the situation can be free of fact: the fewer untruths it contains, the better the chances of success.
One of the essential tools used for social engineering is a good memory for gathered facts. This is something that hackers and sysadmins tend to excel at, especially when it comes to facts relating to their field.