What is Social Engineering?
Social engineering takes
advantage of the weakest link in any organization’s information security
defenses: people. Social engineering is “people hacking” and involves
maliciously exploiting the trusting nature of human beings to obtain
information that can be used for personal gain.
Social engineering is one of the
toughest hacks to perpetrate because it takes great skill to come across as
trustworthy to a stranger. It’s also by far the toughest hack to protect
against because people are involved. In this chapter,
I explore the ramifications of social
engineering, techniques for your own ethical hacking efforts, and specific
countermeasures to defend against social engineering.
Social Engineering 101
Typically, malicious attackers pose as
someone else to gain information they couldn’t access otherwise. They then take
the information they obtain from their victims and wreak havoc on network
resources, steal or delete files, and even commit industrial espionage or some
other form of fraud against the organization they attack. Social engineering is
different from physical security exploits, such as shoulder surfing and
dumpster diving, but they are related and often are used in tandem.
Here are some examples of social
engineering:
✓ False support personnel claim
that they need to install a patch or new version of software on a user’s
computer, talk the user into downloading the software, and obtain remote
control of the system.
✓ False vendors claim to need to
update the organization’s accounting package or phone system, ask for the
administrator password, and obtain full access.
✓ Phishing e-mails sent by
external attackers gather user IDs and passwords of unsuspecting recipients.
The bad guys then use those passwords to gain access to bank accounts and more.
✓ False employees notify the
security desk that they have lost their keys to the computer room, receive a
set of keys from security, and obtain unauthorized access to physical and
electronic information.
Sometimes, social engineers act as
forceful and knowledgeable employees, such as managers or executives. At other
times they might play the roles of extremely uninformed or naïve employees.
They also might pose as outsiders, such as IT consultants or maintenance
people. Social engineers often switch from one mode to the other, depending on
the people they speak to.
Effective information security —
especially the security required for fighting social engineering — begins and
ends with your users. Never forget that basic human communications and
interaction also affect the level of security. The candy-security adage
is “Hard, crunchy outside; soft, chewy inside.” The hard, crunchy outside
is the layer of mechanisms — such as firewalls, intrusion detection systems,
and encryption — that organizations rely on to secure their information. The soft,
chewy inside is the people and the systems inside the organization. If the
bad guys can get past the thick outer layer, they can compromise the (mostly)
defenseless inner layer.
Social Engineering Countermeasures
You have only a few good lines of defense against social
engineering. Even with strong security systems, a naïve or untrained user can
let the social engineer into the network. Never underestimate the power of
social engineers.
Policies
Specific policies help ward off social engineering in the
long term in the following areas:
✓ Classifying data
✓ Hiring employees and contractors and setting up user IDs
✓ Establishing acceptable computer usage
✓ Removing user IDs and employees, contractors, and
consultants who no longer work for the organization
✓ Setting and resetting passwords
✓ Responding to security incidents, such as suspicious
behavior
✓ Handling proprietary and confidential information
✓ Escorting guests
These policies must be enforceable and enforced for everyone
within the organization. Keep them up to date, and tell your end users about
them.
User awareness and training
The best line of defense against social engineering is
training employees to identify and respond to social engineering attacks. User
awareness begins with initial training for everyone and follows with security
awareness initiatives to keep social engineering defenses fresh in everyone’s
mind. Align training and awareness with specific security policies — you may
also want to have a dedicated security training and awareness policy.
Consider outsourcing security training to a seasoned
security trainer. Employees often take training more seriously if it comes from
an outsider. Outsourcing security training is worth the investment.
While you approach ongoing user training and awareness in
your organization, the following tips can help you combat social engineering in
the long term:
✓ Treat security awareness and training as a business
investment.
✓ Train users on an ongoing basis to keep security fresh in
their minds.
✓ Include information privacy and security tasks and
responsibilities in everyone’s job descriptions.
✓ Tailor your training content to your audience whenever
possible.
✓ Create a social engineering awareness program for your
business functions and user roles.
✓ Keep your messages as nontechnical as possible.
✓ Develop incentive programs for preventing and reporting
incidents.
✓ Lead by example.
Share these tips with your users to help prevent social
engineering attacks:
✓ Never divulge any information unless you can validate
that the people requesting the information need it and are who they say they
are. If a request is made over the telephone, verify the caller’s
identity and call back.
✓ Never click an e-mail link that supposedly loads a page
with information that needs updating. This is especially true for
unsolicited e-mails.
✓ Be careful when sharing personal information on social
networking sites, such as Facebook or LinkedIn. Also, be on the lookout for
people claiming to know you or wanting to be your “friend.” Their
intentions might be malicious.
✓ Escort all guests within a building.
✓ Never open e-mail attachments or other files from
strangers.
✓ Never give out passwords.
A few other general suggestions can ward off social
engineering:
✓ Never let a stranger connect to one of your network
jacks or wireless network — even for a few seconds. A hacker can place a
network analyzer, Trojan-horse program, or other malware directly onto
your network.
✓ Classify your information assets, both hard copy and
electronic. Train all employees how to handle each asset type.
✓ Develop and enforce computer media and document
destruction policies that help ensure data is handled carefully and stays
where it should be. A good resource for information on destruction
policies is www.pdaconsulting.com/datadp.htm.
✓ Use cross-shredding paper shredders. Better still,
hire a document shredding company that specializes in confidential document
destruction.
These techniques can reinforce the content of formal
training:
✓ New employee orientation, training lunches, e-mails, and
newsletters
✓ Social engineering survival brochure with tips and FAQs
✓ Trinkets, such as screen savers, mouse pads, sticky notes,
pens, and office posters that bear messages that reinforce security principles
✓ Improve security awareness and education in your
organization.