Monday, 17 February 2014

What is Social Engineering?

Social engineering takes advantage of the weakest link in any organization’s information security defenses: people. Social engineering is “people hacking” and involves maliciously exploiting the trusting nature of human beings to obtain information that can be used for personal gain.
Social engineering is one of the toughest hacks to perpetrate because it takes great skill to come across as trustworthy to a stranger. It’s also by far the toughest hack to protect against because people are involved. In this chapter, I explore the ramifications of social engineering, techniques for your own ethical hacking efforts, and specific countermeasures to defend against social engineering.
Social Engineering 101

Typically, malicious attackers pose as someone else to gain information they couldn’t access otherwise. They then take the information they obtain from their victims and wreak havoc on network resources, steal or delete files, and even commit industrial espionage or some other form of fraud against the organization they attack. Social engineering is different from physical security exploits, such as shoulder surfing and dumpster diving, but they are related and often are used in tandem.
Here are some examples of social engineering:
✓ False support personnel claim that they need to install a patch or new version of software on a user’s computer, talk the user into downloading the software, and obtain remote control of the system.
✓ False vendors claim to need to update the organization’s accounting package or phone system, ask for the administrator password, and obtain full access.
✓ Phishing e-mails sent by external attackers gather user IDs and passwords of unsuspecting recipients. The bad guys then use those passwords to gain access to bank accounts and more.
✓ False employees notify the security desk that they have lost their keys to the computer room, receive a set of keys from security, and obtain unauthorized access to physical and electronic information.
Sometimes, social engineers act as forceful and knowledgeable employees, such as managers or executives. At other times they might play the roles of extremely uninformed or naïve employees. They also might pose as outsiders, such as IT consultants or maintenance people. Social engineers often switch from one mode to the other, depending on the people they speak to.
Effective information security — especially the security required for fighting social engineering — begins and ends with your users. Never forget that basic human communications and interaction also affect the level of security. The candy-security adage is “Hard, crunchy outside; soft, chewy inside.” The hard, crunchy outside is the layer of mechanisms — such as firewalls, intrusion detection systems, and encryption — that organizations rely on to secure their information. The soft, chewy inside is the people and the systems inside the organization. If the bad guys can get past the thick outer layer, they can compromise the (mostly) defenseless inner layer.

Social Engineering Countermeasures

You have only a few good lines of defense against social engineering. Even with strong security systems, a naïve or untrained user can let the social engineer into the network. Never underestimate the power of social engineers.

Policies

Specific policies help ward off social engineering in the long term in the following areas:
✓ Classifying data
✓ Hiring employees and contractors and setting up user IDs
✓ Establishing acceptable computer usage
✓ Removing user IDs and employees, contractors, and consultants who no longer work for the organization
✓ Setting and resetting passwords
✓ Responding to security incidents, such as suspicious behavior
✓ Handling proprietary and confidential information
✓ Escorting guests
These policies must be enforceable and enforced for everyone within the organization. Keep them up to date, and tell your end users about them.

User awareness and training

The best line of defense against social engineering is training employees to identify and respond to social engineering attacks. User awareness begins with initial training for everyone and follows with security awareness initiatives to keep social engineering defenses fresh in everyone’s mind. Align training and awareness with specific security policies — you may also want to have a dedicated security training and awareness policy.
Consider outsourcing security training to a seasoned security trainer. Employees often take training more seriously if it comes from an outsider. Outsourcing security training is worth the investment.
While you approach ongoing user training and awareness in your organization, the following tips can help you combat social engineering in the long term:
✓ Treat security awareness and training as a business investment.
✓ Train users on an ongoing basis to keep security fresh in their minds.
✓ Include information privacy and security tasks and responsibilities in everyone’s job descriptions.
✓ Tailor your training content to your audience whenever possible.
✓ Create a social engineering awareness program for your business functions and user roles.
✓ Keep your messages as nontechnical as possible.
✓ Develop incentive programs for preventing and reporting incidents.
✓ Lead by example.
Share these tips with your users to help prevent social engineering attacks:
✓ Never divulge any information unless you can validate that the people requesting the information need it and are who they say they are. If a request is made over the telephone, verify the caller’s identity and call back on a number you already have, not one the caller gives you.
✓ Never click an e-mail link that supposedly loads a page with information that needs updating. This is especially true for unsolicited e-mails.
✓ Be careful when sharing personal information on social networking sites, such as Facebook or LinkedIn. Also, be on the lookout for people claiming to know you or wanting to be your “friend.” Their intentions might be malicious.
✓ Escort all guests within a building.
✓ Never open e-mail attachments or other files from strangers.
✓ Never give out passwords.
A few other general suggestions can ward off social engineering:
✓ Never let a stranger connect to one of your network jacks or wireless network, even for a few seconds. A hacker can place a network analyzer, Trojan-horse program, or other malware directly onto your network.
✓ Classify your information assets, both hard copy and electronic. Train all employees how to handle each asset type.
✓ Develop and enforce computer media and document destruction policies that help ensure data is handled carefully and stays where it should be. A good resource for information on destruction policies is www.pdaconsulting.com/datadp.htm.
✓ Use cross-cut paper shredders rather than strip-cut models, whose output can be reassembled. Better still, hire a document shredding company that specializes in confidential document destruction.
These techniques can reinforce the content of formal training:
✓ New employee orientation, training lunches, e-mails, and newsletters
✓ Social engineering survival brochure with tips and FAQs
✓ Trinkets, such as screen savers, mouse pads, sticky notes, pens, and office posters that bear messages that reinforce security principles
Used together, these keep security awareness and education visible throughout your organization between formal training sessions.
