Social engineering is the art of tricking someone into giving you something he or she should not. Hackers skilled in social engineering target the help desk, onsite employees, and even contractors. Social engineering is one of the most potentially dangerous attacks, as it does not directly target technology. An organization can have the best firewalls, IDS, network design, authentication system, or access controls and still be successfully attacked by a social engineer. That's because the attacks target people. To gain a better understanding of how social engineering works, let's look at the different approaches these attacks use, discuss how these attacks can be person-to-person or computer-to-person, and look at the primary defense to social engineering policies.
Six Types of Social Engineering
Robert Cialdini describes in his book, The Science and Practice of Persuasion, six types of behaviors for a positive response to social engineering. These include the following:
Knowing the various techniques that social engineers use can go a long way toward defeating their potential hacks. Along with these techniques, it is important to know that they can attack person-to-person or computer-to-person.
Person-to-PersonBased Social Engineering
Person-to-personbased social engineering works on a personal level. It works by impersonation, posing as an important user, using a third-party approach, masquerading, and can be attempted in person or over the phone.
Computer-Based Social Engineering
Computer-based social engineering uses software to retrieve information. It works by means of pop-up windows, email attachments, and fake websites.
Reverse Social Engineering
Reverse social engineering involves sabotaging someone else's equipment and then offering to fix the problem. It requires the social engineer to first sabotage the equipment, and then market the fact that he can fix the damaged device, or pretend to be a support person assigned to make the repair.
One example of this occurred a few years back when thieves would cut the phone line and then show up inside claiming they had been called for a phone repair. Seeing that some phones were indeed down, the receptionist would typically let the thieves into a secured area. At this point, the thieves could steal equipment and disappear.
Reverse social engineering is considered the most difficult social engineering attack because it takes a lot of preparation and skill to make it happen successfully.
Policies and Procedures
There are a few good ways to deter and prevent social engineering: The best means are user awareness, policies, and procedures. User training is important as it helps build awareness levels. For policies to be effective, they must clarify information access controls, detail the rules for setting up accounts, and define access approval and the process for changing passwords. These policies should also deal with physical concerns such as paper shredding, locks, access control, and how visitors are escorted and monitored. User training must cover what types of information a social engineer will typically be after and what types of questions should trigger employees to become suspicious. Before we discuss user training, let's first examine some useful policy types and data classification systems.
Employee Hiring and Termination Policies
Employees will not be with the company forever, so the Human Resources department (HR) must make sure that good policies are in place for hiring and terminating employees. Hiring policies should include checking background and references, verifying educational records, and requiring employees to sign nondisclosure agreements (NDAs).
Termination procedures should include exit interviews, review of NDAs, suspension of network access, and checklists verifying that the employee has returned all equipment in his care, such as keys, ID cards, cell phones, credit cards, laptops, and software.
Help Desk Procedures and Password Change Policies
Help desk procedures should be developed to make sure that there is a standard procedure for employee verification. Caller ID and employee callback are two basic ways to verify the actual caller. This should be coupled with a second form of employee authentication. A cognitive password could be used. This requires that the employee provide a bit of arcane info such as, what was your first pet's name? If it's a highly secure organization, you might want to establish policy that no passwords are given out over the phone.
When employees do need to change their passwords, a policy should be in place to require that employees use strong passwords. The policy should have technical controls implemented that force users to change passwords at a minimum interval, such as once a month. Password reuse should be prohibited. User awareness should make clear the security implications should their password be stolen, copied, or lost.
Although nobody likes wearing a badge with a photo worse than their driver's license photos, ID badges make it clear who should and should not be in a given area. Guests should be required to register and wear temporary ID badges that clearly note their status.
What if individuals don't have a badge? Employees should be encouraged to challenge anyone without a badge or know the procedure for dealing with such situations. There should also be a procedure for employees to follow for reporting any violations to policy. Anytime there is a violation of policy, employees should know how to report such activity and that they will be supported by management.
Privacy is an important topic. Employees and customers have certain expectations with regard to privacy. Most organizations post their privacy policies on their company website. The United States has a history of privacy that dates back to the fourth amendment. Other privacy laws that your organization should be aware of include
Governmental and Commercial Data Classification
So what can be done to prevent social engineering or to reduce its damage? One primary defense is to make sure that the organization has a well-defined information classification system in place. An information classification system will not only help prevent social engineering, but will also help the organization come to grips with what information is most critical. When the organization and its employees understand how the release of critical information might damage or affect the organization, it is much easier to gain employee compliance.
Two primary systems are used to categorize information: governmental information classification system and commercial information classification system.
The governmental system is designed to protect the confidentiality of information. It is divided into categories of unclassified, confidential, secret, and top secret.
The commercial information classification system is the second major information classification type. Commercial entities usually don't have the same type of concerns as the government, so commercial standards are more focused on integrity. The commercial system is categorized as public, sensitive, private, and confidential.
Awareness programs can be effective in increasing the employees' understanding of security and the threat of social engineering. You might want to consider outsourcing security training to a firm that specializes in these services. Many times, employees take the message more seriously if it comes from an outsider. Security awareness training is a business investment. It is also something that should be ongoing. Employees should be given training when they start to work for the company and then at periodic intervals throughout their employment. Some tips to help reduce the threat of social engineering and increase security include
You have been hired as a consultant for Big Dog Inc., a local company. As you have read in this Chapter, physical security is as important as logical security. You have also seen that social engineering is a powerful attack methodology. To help reinforce these topics, the following case study was developed titled:
"The high bidder doesn't always pay"
You have been hired as a security consultant for a local company. Upon arrival, you were briefed by the facilities manager. Here is what you were told: "There had always been somewhat of a problem with equipment disappearing, but the scale has recently increased. At first, it was only small items: computer memory, expansion cards, used keyboards, and such. Then, three laptops were reported missing." Senior management is concerned and looking to you for answers.
Your research uncovered that laptop theft is second only to car theft in the United States. One in fourteen used computers sold are actually stolen goods. Most of the equipment that was stolen had been discovered missing by first shift employees. This peaked your interest in the cleaning crew and second shift IT employees, as they are the only ones who have access to the areas in which equipment had been reported missing. Personnel records from HR indicated nothing unusual, but Internet access by second shift employees uncovered that one employee was preoccupied with eBay One of the great things about eBay is that it lists the seller's history. Researching the employee's sold items revealed a match of the missing equipment. By quickly creating a new Hotmail email account, the security consultant can contact the seller and hide his true identity. The buyer, who was an employee, emailed requesting more information about the laptop and also its serial number. It matched the last missing laptop. In the end, this employee lost his job and was charged with theft of equipment.