When writing about social engineering it is probably appropriate to start with a quote from the most famous of social engineers: “Hackers are going to go after the weakest link in the security chain, which is always the people. You can have the best security in the world, but if I can convince one person in the company to give me sensitive information, your security budget has been wasted.” - Kevin Mitnick (2007).
Social engineering is the name coined for the approach of manipulating a social situation in order to gain information on a specific target, done covertly (i.e. the target does not know the real reason for the request for the information). This information is then used to gain further sensitive information.
The main aim of most social engineers is to gain unauthorised access to a system in order to obtain information; this is either for personal or financial gain. The social engineer himself (they are more often than not male) will be working either as an individual or in a small group and, as mentioned above, will be doing so for either personal gain (status within his peer group) or financial gain. The latter reason, financial gain, is becoming a more frequent occurrence as data becomes more of a commodity in modern businesses. The reasons for attacks are numerous, but a large proportion can be attributed to industrial espionage incited by a rival company.
If not instigated by an opposing organisation, the social engineer's intent is usually to sell the data on to the highest bidder (a rival company), which would ultimately gain financially from this information. It doesn’t end there though; a buyer isn’t necessary to the social engineer's goal – data can be sold back to the company from which it was stolen… in other words it can be used for blackmail. It is not in a company’s best interest to have bad publicity, especially when it boils down to the security of its clients’ data. This would ultimately lead to a decline in the trust of customers, shareholders, partners et cetera in the company, and could result in the company losing business or, worse still, bankruptcy.
Techniques
The most common means of infiltration is by phone, as it is hard if not impossible to trace. Physically visiting the site leaves fingerprints – in the conceptual sense of any identifiable information (security cameras, eyewitnesses, actual fingerprints et cetera). With the aid of modern technology it has become increasingly easy for the attacker to keep his anonymity through the use of unregistered pay-as-you-go mobile phones and services such as VoIP.
An attacker will not initiate a social engineering situation without doing his homework (known as pretexting) and will use an arsenal of techniques to con the target into a false sense of trust. One such modus operandi is the prior gathering of seemingly useless information – seemingly useless to the target, that is; the social engineer, on the other hand, knows that credibility is obtained through details. These details can be as simple as knowing a manager's name, a co-worker's nickname, the date of a company social event, or the company's technical terminology; in fact any small detail, used by a creative mind, can be manipulated in the right way to make the attacker sound authentic.
With the knowledge of an employee’s name (in this example ‘Julia’) and a manager's name (John Markoff) the following conversation can be fashioned: “Hello, can I speak to Julia please?” (Attackers will usually be polite, as it sets up a friendly mindset in the target's mind; if the attacker is being friendly the target does not want to appear to be a ‘jerk’ by questioning the other party's authority.) After getting put through to Julia (or improvising with someone else if she’s not there), the attacker might say something along the lines of “Ah hi Julia, John Markoff from IT asked me yesterday if I could verify that you lot are running on the right IP address, sorry I didn’t call yesterday, I’m running a little late with all this work they expect me to do! Anyway, I know this might sound confusing and all but don’t worry, I’ll talk you through it, John did say you were the best person to talk to about this stuff…” What the attacker has done here is play on several psychological strings, sympathy and narcissism in particular. The target wants to get that ‘feel good factor’ from helping others and also gains a feeling of importance from the comment “best person to talk to”.
Social engineers don’t always need to communicate directly with company personnel to gain information from them; social engineering works by using a combination of attack techniques. Information can be gained by eavesdropping: being in the right place at the right time while remaining inconspicuous. Passwords, logins and other valuable information can be obtained by looking at keyboards and monitors while someone is typing; this technique is commonly known as ‘shoulder surfing’.
Impersonating company members is also a technique used by social engineers. “Hi, I am Joe from the helpdesk. I need to log in to your machine to install a patch. What is your user name and password?” Staff should be told this simple rule: ‘no one but you needs to know your password’. This brings us onto the subject of countermeasures…
Countermeasures
I’ll start this section with a slogan from Ronald Reagan which I feel sums up this entire section in three words: “Trust, but verify” (1980).
Spending an entire IT security budget on expensive hardware and software firewalls and hoping that this will keep the company’s data safe is an erroneous belief, and it results in the penetration of even the strictest of systems.
You can have the biggest, most paranoid and locked-down firewall, but that will only protect the company’s data from outside online attacks. Once the attack is initiated from the inside, the firewall is rendered useless. This situation is often referred to as “Armadillo Security”; simply put, it’s tough on the outside but soft on the inside. So to be able to prevent a wetware attack we need to be able to recognise one – just as antivirus software relies on viral signatures.
The only approach to combating the threat posed by the social engineer is through the education of personnel and the implementation of correct security procedures. Company personnel need to be made fully aware of the importance of the data that they hold and trained to question any attempt to relinquish them of this information. At no point should untrained staff be put in a situation where they have contact with the outside world while holding knowledge that the social engineer might use. Periodic training should be compulsory for all levels of personnel, not just on how to keep data safe but also to spread awareness of exactly how the social engineer operates.
Correct procedures for the disposal of paperwork and hardware (particularly hard drives and other data storage devices) should be tightly controlled. Paperwork should be shredded and, if possible, retained within company walls until collection by a trusted contractor. Under no circumstances should unshredded paperwork be disposed of in unlocked bins outside – this prevents the method of information gathering known in the security business as ‘dumpster diving’. If there is no alternative but to keep disposed paperwork outside, it must be shredded, kept in a locked waste container and watched by a security camera.
Passwords should never be written down on media such as post-it notes, files within the computer, or mobile devices such as laptops, BlackBerrys, mobile phones et cetera – mobile devices are prone to theft and can contain sensitive information. A survey done in 2002 found that only 10% of companies restricted the use of such devices which were not specifically sanctioned by the IT staff. Policy should be that no one shares passwords with anyone else under any circumstances; when typing in passwords no one should be in the immediate vicinity, and if this situation is unavoidable the password should be entered as quickly as possible.
To counter these problems policies should be introduced: no unauthorised devices to be attached to any computer within the company, filing cabinets should have locks, personnel should have homogametic IDs, and shredding should be required for all paperwork (mixing shredded non-sensitive and sensitive documents makes the job of rebuilding a document harder!).
Identifying areas of risk is the key to prevention; making sure helpdesk operators know how to spot attempts is paramount, as is training them not to fall to persuasion – “I urgently need you to reset my password and I need my new login details now”.
As discussed earlier, phones are a key entry point, but, stating the obvious, physical access is also a potential entry point. Unlocked externally facing doors, which have become more frequent since the smoking ban was put in place, allow intruders to just walk into a building; even doors which are locked can be entered by following a member of staff in and entering on the same swipe card – this is referred to as tailgating.
False information can be planted by an attacker once physical access has been gained – it is therefore in the company’s best interest to use watermarked paper (or official stamps) for all internal memos et cetera. This is not a foolproof plan, but it will make the insertion of forged documents more difficult. An example of such a document would be one getting staff to register at a phishing site – people who are not security conscious will often use the same password for everything! So mail rooms should be locked and monitored, with security personnel in plain sight, and these security personnel should enforce a tight badge security policy. Visitors should be issued with visitor badges and should never be left unescorted.
Company members should be made aware of security breaches, and to drive the message home these should be explained in terms of lost revenue; further still, make it personal – it’s their bonuses they're losing out on. Playing on the vanity and pride of employees can also be highly beneficial in keeping these security policies going, making sure that they are aware of the importance and critical nature of the data that they hold in their jurisdiction. Establish a logging procedure for all information given out. Who, what, where, when and why?
The correct equipment is also a necessity – record calls at the touch of a button if a social engineering attempt is suspected. This can be valuable evidence that is normally not obtained, and it aids in the prosecution of the perpetrator.
Conclusions
Unlike software, which can be patched and upgraded, and hardware, which can be replaced and improved upon, we are faced with the dilemma that wetware can’t be. This has led to the creation of the most commonly cited security proverb to date: “There is no patch for human stupidity”. This means social engineers will most likely be the single biggest security problem for the foreseeable future, as humans are limited to their version 1.0 cognitive skills.
Sensitive systems should be compartmentalised and information limited on a need-to-know basis. Externally facing firewalls should be reinforced with internal firewalls and an auditing system. Passwords (particularly for sensitive areas) should be a sequence of random alphanumerics and symbols, changed periodically and enforced with password lifespans. This will ensure that any compromised password hashes will have changed by the time the attacker has been able to crack them, rendering the cracked passwords useless. Any attempted use of an expired password could be flagged by the auditing system as a possible security breach. Auditing of login sessions should be exercised – has the same user account been logged in at the same time at two separate locations?
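The two audit checks suggested above, a login with a password older than the policy permits and the same account holding open sessions at two locations at once, are simple enough to script. The following is an added example, not part of the original essay or any product it mentions; the one-event-per-line log format, the 90-day lifespan and the sample records are all constructed here for illustration.

```python
"""Concurrent-session and expired-password checks over a constructed login log.

Added example, not part of the original essay. The log format is invented for
illustration: one event per line,
    <ISO timestamp> <user> <event> <location> [key=value ...]
where event is LOGIN or LOGOUT and LOGIN lines carry pw_set=<date the
password was last changed>.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 'alice' opens a second session in Paris while her
# London session is still live; 'bob' logs in twice but sequentially from one
# place; 'carol' authenticates with a password older than policy allows.
SAMPLE_LOG = """\
2024-03-01T08:00:00 alice LOGIN london pw_set=2024-02-20
2024-03-01T08:05:00 bob LOGIN leeds pw_set=2024-02-25
2024-03-01T08:30:00 alice LOGIN paris pw_set=2024-02-20
2024-03-01T09:00:00 bob LOGOUT leeds
2024-03-01T09:10:00 bob LOGIN leeds pw_set=2024-02-25
2024-03-01T09:30:00 alice LOGOUT london
2024-03-01T10:00:00 carol LOGIN london pw_set=2023-11-01
2024-03-01T12:00:00 alice LOGOUT paris
"""

MAX_PASSWORD_AGE = timedelta(days=90)   # hypothetical policy value


def parse_log(text):
    """Yield (timestamp, user, event, location, attrs) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, location, *rest = line.split()
        attrs = dict(kv.split("=", 1) for kv in rest)
        yield datetime.fromisoformat(ts), user, event, location, attrs


def find_concurrent_sessions(text):
    """Return (user, existing_location, new_location, timestamp) for every
    LOGIN that occurs while the same account already has an open session
    at a different location."""
    open_sessions = defaultdict(dict)  # user -> {location: login_time}
    findings = []
    for ts, user, event, location, _ in parse_log(text):
        if event == "LOGIN":
            for other_loc in open_sessions[user]:
                if other_loc != location:
                    findings.append((user, other_loc, location, ts))
            open_sessions[user][location] = ts
        elif event == "LOGOUT":
            open_sessions[user].pop(location, None)
    return findings


def find_expired_passwords(text, max_age=MAX_PASSWORD_AGE):
    """Return (user, timestamp, age_in_days) for logins made with a password
    that was set longer ago than the policy permits."""
    findings = []
    for ts, user, event, _, attrs in parse_log(text):
        if event != "LOGIN" or "pw_set" not in attrs:
            continue
        age = ts - datetime.fromisoformat(attrs["pw_set"])
        if age > max_age:
            findings.append((user, ts, age.days))
    return findings


if __name__ == "__main__":
    for user, here, there, ts in find_concurrent_sessions(SAMPLE_LOG):
        print(f"ALERT concurrent session: {user} still open at {here} "
              f"when logging in from {there} at {ts}")
    for user, ts, days in find_expired_passwords(SAMPLE_LOG):
        print(f"ALERT expired password: {user} at {ts}, password {days} days old")
```

Run against the sample log this raises exactly two alerts: alice's Paris login at 08:30 while London is still open, and carol's login with a 121-day-old password. A real deployment would read the authentication system's own log format in place of the constructed one, but the two checks themselves are the ones the paragraph calls for.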
As we have just discussed, attacks don’t just come in one form; attacks are blended. Many methods of exploitation will be utilised, technical attacks merged with social manipulation. Overall the best approach is defence in depth: protect the information from inside the perimeter, not just at the gate, and at all levels.