Social Engineering


Social engineering may at first seem like a topic from sociology or psychology, when in fact it is a form of identity theft. To an information technology (IT) professional, social engineering is identity theft in which the victim hands over the information voluntarily but unwittingly.

Many victims fail to realize they are being victimized until it is too late, while many others may never know. This paper will define social engineering as it applies to information technology and introduce some of the pioneers of social engineering, those who have essentially written the book on the subject. It will provide real-world examples of how social engineers ply their trade and important points to consider with regard to social engineering attacks. In conclusion, it will propose countermeasures that individuals and organizations should take to guard against social engineering.

Who defined Social Engineering?

Social engineering, as defined by IT professionals, is the practice of deceiving someone, in person, over the phone or through a computer, with the express intent of breaching some level of security, personal or professional (Ledford, 2011). Implementing sound risk analysis while maintaining data integrity is a crucial element of successful system modeling; in the context of social engineering in the workplace, several factors make implementing those controls rather challenging.

Social engineering is a type of intrusion that relies heavily on human interaction and usually involves tricking people into breaking normal, everyday security policies. Social engineers (SEs) prey on the natural helpfulness of other people. When planning a particular attack, a SE will commonly appeal to vanity or authority, or simply eavesdrop, to acquire the desired information. Social engineering, in a nutshell, is a hacker’s clever manipulation of the natural human tendency to trust, used to gain unauthorized access to valued information, a system or a machine. “Never interrupt your enemy when he is making a mistake” (Bonaparte, n.d.) is a mantra for successful SEs, who take any and all information about and from a target for later use against that target. The SE gathers as much information as possible about the target in advance, most of it readily available online with just a few keystrokes: anything from hobbies to a favorite lunchtime meal. This information helps build rapport and instills trust in the target, and with that trust, seemingly innocuous information comes flooding out.

Akin to fictional spies like James Bond and Michael Westen, SEs assume a persona that is not their own and attempt to establish with their target a reasonable justification for fulfilling a request. These tactics allow the SE to maintain the facade and leave an out to avoid burning his or her information source. Bottom line: a good SE is a good actor. “All of the firewalls and encryption in the world will never stop a gifted social engineer from rifling a corporate database or an irate employee from crashing the system,” says pioneer Kevin Mitnick, the world’s most celebrated hacker, who popularized the term.

Mitnick firmly states in his two books, The Art of Deception and The Art of Intrusion, that it is much easier to trick someone into giving up a password for a system than to spend the time on a brute-force attack or other more traditional means of compromising sensitive data. Mitnick, a famous and controversial computer hacker from the late 1980s through the mid-1990s, was sentenced in 1999 to 46 months in prison, plus 22 months for violating the terms of an earlier supervised release, for offenses that included breaking into Pacific Bell telephone systems, after a period spent evading the Federal Bureau of Investigation (FBI).

The press also alleged that Mitnick had wiretapped the California Department of Motor Vehicles (DMV) and compromised FBI and Pentagon systems; those claims were never charged, but they contributed to part of his pre-trial detention being spent in solitary confinement, on the government’s stated fear that he could gain control of further sensitive systems. Mitnick states in both of the aforementioned books that he compromised computers primarily by using passwords and codes acquired through social engineering rather than through technical exploits. As a condition of his release from prison in 2000, Mitnick was restricted from using most forms of technology for roughly three years.

Kevin Mitnick is now the CEO of Mitnick Security Consulting, a computer security consultancy. Social engineering awareness is being addressed at the enterprise level as a vital corporate security initiative. Security experts advise that a properly trained staff, not technology, is the best defense against social engineering attacks on sensitive information. Security policies are imperative in combating this type of attack, and combat strategies require action on both physical and psychological levels.

Social engineering appeals to attackers because it targets people rather than systems: a pretext delivered by phone or e-mail does not trip an intrusion detection system, since no exploit traffic crosses the network. It is also attractive because of the low risk and low cost involved. There are no compatibility issues; it works against the users of every operating system. It leaves little or no audit trail, and if executed properly its effects can be devastating to the target. These attacks are real and costly to any company, which is why strong corporate policies should be backed by access control and specific, enforced procedures.

Advantages of having social engineering policies

One advantage of having such policies in place is that they remove the burden on an employee of making a judgment call or exercising discretion about a social engineer’s request. Companies and their staff have become much too relaxed about corporate security. These attacks can be costly and unnerving to management as well as the IT department. Social engineering attacks commonly take place on two levels, physical and psychological. The physical settings for these attacks can be anything from your office to your trash, over the telephone, and even online.

A rudimentary, common form of social engineering attack is social engineering by telephone. Clever social engineers target the company’s help desk, fooling the representative into believing they are calling from inside the company. Help desks are especially vulnerable because their staff are trained to be accommodating, friendly and forthcoming with information. Help desk staff are often lightly trained in security and under pressure to resolve calls quickly, so it is common for them to answer one question and move right along to the next.

This can create an alarming security hole when proper security measures are not in place. A classic example is a SE calling the company operator and saying something like “Hi, I’m your AT&T rep; I’m stuck on a pole. I need you to punch a few buttons for me.” This type of attack is directed at the company’s help desk environment and is frequently successful. Other attacks target those in charge of making multi-million dollar decisions for corporations, namely the CEOs and CFOs.

A clever SE can get either of these individuals to willingly offer information pertinent to breaking into a corporation’s network infrastructure. Though cases such as these are rarely documented, they still occur. Corporations spend millions of dollars testing for these kinds of attacks. Individuals who perform this specialized testing are referred to as social engineering auditors. One of the premier SE auditors in the industry today is Chris Hadnagy. Hadnagy states that on any given assignment, all he has to do is perform a bit of research on the key players in the company before he is ready to strike.

In most cases he will play a sympathy card, pretending to be a member of a charity the CEO or CFO belongs to and donates to regularly. In one case, he called the CEO of a corporation pretending to be a fundraiser for a charity the CEO had contributed to in the past. He said they were holding a raffle and named prizes such as major league game tickets and gift cards to a few restaurants, one of which happened to be a favorite of the CEO. When he had finished describing the prizes, he asked whether it would be all right to e-mail a flier outlining them as a PDF.

The CEO agreed and willingly gave Hadnagy his corporate e-mail address. Hadnagy then asked which version of Adobe Reader the company used, under the guise of making sure he sent a PDF the CEO could open, and the CEO gave this up as well. That question sounds like ordinary technical courtesy, but it is the reconnaissance step of the attack: knowing the exact reader version lets the attacker make sure the malicious code in the PDF matches the software the target actually runs. Hadnagy sent a PDF with malicious code embedded that gave him unfettered access to the CEO’s machine and, through it, the company’s servers (Goodchild, 2011). Not all SE attacks occur completely over the phone. Another case that Hadnagy reports on occurred at a theme park.

The back story is that he was hired by a major theme park concerned about software security: their guest check-in computers were linked to corporate servers, and if a check-in computer were compromised a serious data breach could follow (Goodchild, 2011). Hadnagy started the attack by calling the park posing as a software salesman peddling newer PDF-reading software on a free trial basis. From this call he learned which version of PDF reader the park used and put the rest of his plan into action.

He next went to the park with his family and walked up to an employee at guest services, asking whether he could use one of their terminals to access his e-mail so he could print a coupon for that day’s admission. He was allowed to. The coupon e-mail carried a PDF with malicious code; opening it on the terminal compromised the machine, and because the terminal was linked to corporate servers, Hadnagy once again gained unfettered access to the park’s servers. Hadnagy proposes six points to ponder in regard to social engineering attacks:

  • No information, regardless of its personal or emotional nature, is off limits for a SE seeking to do harm.
  • It is often the person who thinks he is most secure who poses the biggest vulnerability to an organization. Executives are the easiest SE marks.
  • An organization’s security policy is only as good as its enforcement.
  • SEs will often play to an employee’s good nature and desire to be helpful.
  • Social engineering should be a part of an organization’s defense strategy.
  • SEs will often go for the low-hanging fruit. Everyone is a target if security is low.

The first countermeasure against social engineering begins with security policies.
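Both of the Hadnagy cases above turn on the same mechanism: a pretext call establishes which PDF reader the target runs, and a document carrying active content is then delivered through a channel the target trusts (a fundraiser’s flier, a coupon printed from a kiosk). The essay does not say how either PDF was built, and what follows is an added example rather than Hadnagy’s, Goodchild’s or the essay’s own code: a small Python triage routine of the kind a mail gateway or a kiosk print workflow could run before a PDF is opened. It flags the PDF name objects that carry script or auto-run actions, resolves the #xx escapes attackers use to hide those names from naive string matching, and reports reduced visibility when the file packs its objects into compressed object streams. The three sample documents are constructed inline for the demonstration; they are not real files, contain no exploit, and the name list is an assumption about what a first-pass filter should look for.

```python
# Added example: static triage of an inbound PDF for active content.
# Not code from the essay or from Hadnagy/Goodchild. The sample documents
# and the SUSPICIOUS_NAMES list are assumptions made for this demonstration.
import re
from collections import Counter

# PDF name objects that signal active or embedded content. /JavaScript and
# /JS carry script, /OpenAction and /AA attach actions to document open or
# other events, /Launch runs an external program, /EmbeddedFile and
# /RichMedia carry a payload inside the document.
SUSPICIOUS_NAMES = (
    "/JavaScript", "/JS", "/OpenAction", "/AA",
    "/Launch", "/EmbeddedFile", "/RichMedia",
)

# A PDF name token: a slash followed by regular characters, where any byte
# may also be written as a #xx hex escape.
_NAME_RE = re.compile(rb"/[A-Za-z0-9#]+")


def decode_name(raw: bytes) -> str:
    """Resolve #xx escapes so /J#61vaScript compares equal to /JavaScript.

    The reader treats both spellings as the same name, so a scanner that
    greps for the literal string misses the escaped form.
    """
    unescaped = re.sub(
        rb"#([0-9A-Fa-f]{2})",
        lambda m: bytes([int(m.group(1), 16)]),
        raw,
    )
    return unescaped.decode("latin-1")


def pdf_name_counts(data: bytes) -> Counter:
    """Count every (decoded) name object visible in the raw PDF bytes."""
    return Counter(decode_name(tok) for tok in _NAME_RE.findall(data))


def triage_pdf(data: bytes) -> dict:
    """Return a verdict plus the evidence behind it.

    "block"  - active content found in plain view
    "review" - nothing visible, but the file uses object streams, so names
               may sit inside compressed objects this scanner does not
               inflate; a full parser or a human should look
    "allow"  - neither
    """
    counts = pdf_name_counts(data)
    findings = {n: counts[n] for n in SUSPICIOUS_NAMES if counts[n]}
    uses_object_streams = counts["/ObjStm"] > 0
    if findings:
        verdict = "block"
    elif uses_object_streams:
        verdict = "review"
    else:
        verdict = "allow"
    return {
        "verdict": verdict,
        "findings": findings,
        "uses_object_streams": uses_object_streams,
    }


# Constructed samples for the demonstration: not real files, no exploit.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same skeleton plus an OpenAction that runs script when the file is opened.
# The action type is spelled with a hex escape to exercise the decoder.
COUPON_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Nothing suspicious in plain view, but the objects live in a compressed
# object stream that a plain-text scan cannot see into.
PACKED_PDF = b"""%PDF-1.5
5 0 obj << /Type /ObjStm /N 3 /First 24 /Filter /FlateDecode /Length 0 >>
stream
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("coupon", COUPON_PDF),
                       ("packed", PACKED_PDF)):
        print(label, triage_pdf(doc))
```

A check like this complements, rather than replaces, the people-level controls the essay goes on to describe: it does nothing about the phone call that harvested the reader version, and a plain-text scan cannot see names hidden inside compressed object streams, which is why the "review" verdict exists. Keeping the reader patched removes the advantage the version question gave the attacker in the first place.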

Employee training is essential in combating even the most cunning and sly social engineers. Just as social engineering works on both levels, training must address the psychological and the physical. Training must begin at the top with management. All management must understand that social engineering attacks come from both a psychological and a physical angle, and must therefore implement adequate policies that mitigate the damage an attacker can do, backed by a robust, enforceable penalty process for those who violate them.

Access control is a good place to start when applying these policies. A competent system administrator and the IT department should work with management to hash out policies that control and limit users’ permissions to sensitive data. This removes the burden on an average employee of exercising personal judgment and discretion when a potential attack occurs, and it limits what any one employee could hand over even if deceived. When a suspicious request for information comes in, the employee should keep three questions in mind:

  1. Does the person asking deserve this information?
  2. Why is he or she asking for it?
  3. What are the possible repercussions of giving up the requested information?

If there is a strong policy in place with enforceable penalties, these questions will help to reduce the potential for a SE attack (Scher, 2011).

Another countermeasure against social engineering attacks is to limit the amount of information easily available online. With Facebook, Twitter, Foursquare and the like, there is an overabundance of information readily available at any given moment.

Drastically limiting the information available online makes the SE’s information gathering that much more difficult. For all the tactics and strategies at a defender’s disposal, human error is extremely difficult to combat, so when implementing access control and information security it is important to remember that everyone is human. Awareness programs can also be costly, so it is important to adopt a practical approach to fighting social engineering.

Balancing company morale and a pleasant work environment against security is a common difficulty in social engineering prevention and awareness. It is vital to keep in perspective that the threat of social engineering is very real and everyone is a potential target.

References

  1. Bonaparte, N. (n.d.). Napoleon Bonaparte quotes. BrainyQuote.com. Retrieved December 6, 2011, from http://www.brainyquote.com/quotes/authors/n/napoleon_bonaparte_3.html
  2. Goodchild, J. (2011). Social Engineering: 3 Examples of Human Hacking. CSOonline.com. Retrieved November 28, 2011, from http://www.csoonline.com/article/663329/social-engineering-3-examples-of-human-hacking
  3. Fadia, A. and Manu, Z. (2008). Network Intrusion Alert: An Ethical Hacking Guide to Intrusion Detection. Boston, Massachusetts: Thomson Course Technology.
  4. Ledford, J. (2011). Identity Theft 101: Social Engineering. About.com. Retrieved December 1, 2011, from http://www.idtheft.about.com/od/glossary/g/Social_Enginneering.htm
  5. Long, J. and Mitnick, K. (2008). No Tech Hacking: A Guide to Social Engineering, Dumpster Diving and Shoulder Surfing. Burlington, Massachusetts: Syngress Publishing Inc.
  6. Mann, I. (2008). Hacking the Human. Burlington, Vermont: Gower Publishing.
  7. Mitnick, K. and Simon, W. (2002). The Art of Deception. Indianapolis, Indiana: Wiley Publishing Inc.
  8. Mitnick, K. and Simon, W. (2006). The Art of Intrusion. Indianapolis, Indiana: Wiley Publishing Inc.
  9. Scher, R. (2011). Is This the Most Dangerous Man in America? Security Specialist Breaches Networks for Fun & Profit. ComputerPowerUser.com. Retrieved November 29, 2011, from http://www.social-engineer.org/resources/CPU-MostDangerousMan.pdf
