Ethics and Legality

Social Engineering


Describe basic social engineering techniques

Social engineering is the art of tricking someone into giving you something he or she should not. Hackers skilled in social engineering target the help desk, onsite employees, and even contractors. Social engineering is one of the most potentially dangerous attacks because it does not directly target technology. An organization can have the best firewalls, IDS, network design, authentication system, or access controls and still be successfully attacked by a social engineer, because the attack targets people. To gain a better understanding of how social engineering works, let's look at the different approaches these attacks use, discuss how these attacks can be person-to-person or computer-to-person, and look at the primary defense against social engineering: policies.

Six Types of Social Engineering

Robert Cialdini describes in his book, The Science and Practice of Persuasion, six behavioral principles that make a positive response to social engineering more likely. These include the following:

  • Scarcity: Works on the belief that something is in short supply. It's a common technique of marketers: "buy now; quantities are limited."
  • Authority: Works on the premise of power. As an example: "Hi, is this the help desk? I work for the senior VP, and he needs his password reset in a hurry!"
  • Liking: Works because we tend to do more for people we like than for people we don't.
  • Consistency: People like to be consistent. As an example, ask someone a question, and then just pause and continue to look at them. They will want to answer, just to be consistent.
  • Social validation: Based on the idea that if one person does it, others will too. You have heard this one from your kids: "But Dad, everyone else is doing it. Why can't I?"
  • Reciprocation: If someone gives you a token or small gift, you feel pressured to give something in return.

Knowing the various techniques that social engineers use can go a long way toward defeating their potential hacks. Along with these techniques, it is important to know that they can attack person-to-person or computer-to-person.

Person-to-Person-Based Social Engineering

Person-to-person-based social engineering works on a personal level. It relies on impersonation (posing as an important user, claiming third-party authorization, or masquerading as someone else) and can be attempted in person or over the phone.

  • Important user: This attack works by pretending to be an important user. One big factor that helps this approach work is the underlying belief that it's not good to question authority. People will fulfill some really extraordinary requests for individuals they believe are in a position of power.
  • Third-party authorization: This attack works by trying to make the victim believe that the social engineer has approval from a third party. One reason this works is that people believe most others are good and are, generally, being truthful about what they say.
  • Masquerading: This attack works when the social engineer pretends to be someone else. Maybe he buys a FedEx uniform from eBay so that he can walk the halls and not be questioned.
  • In person: This attack works by simply visiting the person or his organization. Although many social engineers might prefer to call the victim on the phone, others might simply walk into an office and pretend to be a client or a new worker. If the social engineer has the courage to pull off this attack, it can be dangerous, as he is now inside the organization.

Computer-Based Social Engineering

Computer-based social engineering uses software to retrieve information. It works by means of pop-up windows, email attachments, and fake websites.

  • Pop-up windows: These can prompt the victim for numerous types of information. One might claim, "The network connection was lost; please reenter your username and password here."
  • Email attachments: You would think that as much as this has been used, it would no longer be successful; unfortunately, that is not true. Fake emails and email attachments flood most users' email accounts. Opening an attachment can do anything from installing a Trojan or executing a virus to launching an email worm.
  • Websites: There are a host of ways that social engineers might try to get you to go to a fake site. Email is one of the more popular ways. The email might inform you that you need to reset your PayPal, eBay, Visa, MasterCard, or AOL password and ask the receiver to click on a link to visit the website. You are not taken to the real site, but to a fake one that is set up exclusively to gather information.
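The password-reset lure described in the Websites bullet leaves traces that a mail gateway can check before a user ever sees the link: the anchor text shows one address while the href goes to another, a brand name appears in the link but the host is not that brand's domain, or the link points at a bare IP address. The following checker, added here as an illustration and not part of the original text, parses the anchors out of an HTML body and reports which of those three patterns each link matches. The KNOWN_BRANDS table and the SAMPLE_EMAIL body are constructed for the example; the registrable_domain helper is a deliberate simplification (a real deployment would use the public suffix list).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands that appear in the lures described above, mapped to the domains the
# organisation treats as legitimate for them. Constructed for this example.
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "ebay": {"ebay.com"},
}

# Constructed sample email body (not a real message): two lure links and one
# legitimate link, so the checker has something to flag and something to pass.
SAMPLE_EMAIL = """
<p>Your PayPal account is limited.
<a href="http://paypal.com.account-verify.example/reset">Click here to reset your password</a></p>
<p>Visit <a href="http://198.51.100.7/login">https://www.ebay.com/signin</a> to confirm.</p>
<p>Questions? <a href="https://www.paypal.com/help">PayPal Help Center</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Good enough for this sample; production
    code should consult the public suffix list (co.uk and friends)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_suspicious_links(html_body):
    """Return the links that show one of three classic lure patterns."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        target = registrable_domain(host)
        reasons = []

        # 1. Anchor text shows a URL, but the href goes somewhere else.
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and registrable_domain(shown.group(1)) != target:
            reasons.append(f"displayed URL {shown.group(1)} differs from actual host {host}")

        # 2. A known brand is named in the text or the URL, but the host is not
        #    one of that brand's domains (catches paypal.com.<something-else>).
        mentioned = (text + " " + href).lower()
        for brand, domains in KNOWN_BRANDS.items():
            if brand in mentioned and target not in domains:
                reasons.append(f"mentions {brand} but host is {host}")

        # 3. The link points at a bare IP address rather than a hostname.
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("link host is a raw IP address")

        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_links(SAMPLE_EMAIL):
        print(hit["href"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

Run against the sample body, the checker flags the first two links and lets the genuine PayPal help link through. The brand check is deliberately applied to the href as well as the visible text, because a lure that puts the brand name in a subdomain of an unrelated domain is the most common form of the fake-site trick described above.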

Reverse Social Engineering

Reverse social engineering involves sabotaging someone else's equipment and then offering to fix the problem. It requires the social engineer to first sabotage the equipment, and then market the fact that he can fix the damaged device, or pretend to be a support person assigned to make the repair.

One example of this occurred a few years back when thieves would cut the phone line and then show up inside claiming they had been called for a phone repair. Seeing that some phones were indeed down, the receptionist would typically let the thieves into a secured area. At this point, the thieves could steal equipment and disappear.

Exam Alert

Reverse social engineering is considered the most difficult social engineering attack because it takes a lot of preparation and skill to make it happen successfully.


Policies and Procedures


Describe the role of policies and procedures

There are a few good ways to deter and prevent social engineering; the best are user awareness, policies, and procedures. User training is important because it builds awareness. For policies to be effective, they must clarify information access controls, detail the rules for setting up accounts, and define access approval and the process for changing passwords. These policies should also deal with physical concerns such as paper shredding, locks, access control, and how visitors are escorted and monitored. User training must cover what types of information a social engineer will typically be after and what types of questions should make employees suspicious. Before we discuss user training, let's first examine some useful policy types and data classification systems.

Employee Hiring and Termination Policies

Employees will not be with the company forever, so the Human Resources department (HR) must make sure that good policies are in place for hiring and terminating employees. Hiring policies should include checking background and references, verifying educational records, and requiring employees to sign nondisclosure agreements (NDAs).

Termination procedures should include exit interviews, review of NDAs, suspension of network access, and checklists verifying that the employee has returned all equipment in his care, such as keys, ID cards, cell phones, credit cards, laptops, and software.

Help Desk Procedures and Password Change Policies

Help desk procedures should be developed to make sure that there is a standard procedure for employee verification. Caller ID and employee callback are two basic ways to verify the actual caller. This should be coupled with a second form of employee authentication; a cognitive password could be used. This requires that the employee provide a bit of arcane information, such as "What was your first pet's name?" If it's a highly secure organization, you might want to establish a policy that no passwords are given out over the phone.

When employees do need to change their passwords, a policy should be in place to require that employees use strong passwords. The policy should be backed by technical controls that force users to change passwords at least at a set interval, such as once a month. Password reuse should be prohibited. User awareness should make clear the security implications should their password be stolen, copied, or lost.
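The three technical controls named above (a strength rule, a maximum password age, and a prohibition on reuse) are simple to enforce in code once each user's previous passwords are kept as salted hashes rather than in clear text. The following Python module is an added example, not code from the book; the policy constants (30-day maximum age, 12-entry history, 12-character minimum) are constructed values standing in for whatever an organization's own policy specifies. Reuse is detected by re-hashing the candidate password with each stored salt and comparing in constant time, so the history never has to hold a recoverable password.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

# Policy parameters (constructed for this example; tune to your own policy).
MAX_AGE = timedelta(days=30)   # force a change at least once a month
HISTORY_DEPTH = 12             # previous hashes retained to block reuse
MIN_LENGTH = 12
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest); a fresh random salt
    is drawn when none is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def strength_problems(password):
    """Return the reasons a password fails the strength rules (empty list if it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("needs at least three of: lowercase, uppercase, digit, symbol")
    return problems


class PasswordRecord:
    """Per-user password state: hashed history (newest last) with the time each was set."""

    def __init__(self):
        self.history = []   # list of (salt, digest, set_at)

    def is_expired(self, now):
        """True when no password is set or the current one is older than MAX_AGE."""
        if not self.history:
            return True
        return now - self.history[-1][2] > MAX_AGE

    def was_used_before(self, password):
        """Re-hash the candidate with every stored salt and compare in constant time."""
        return any(
            hmac.compare_digest(hash_password(password, salt)[1], digest)
            for salt, digest, _ in self.history
        )

    def change_password(self, new_password, now):
        """Apply the policy. Returns [] on success, otherwise the list of violations."""
        problems = strength_problems(new_password)
        if self.was_used_before(new_password):
            problems.append("password was used previously")
        if problems:
            return problems
        salt, digest = hash_password(new_password)
        self.history.append((salt, digest, now))
        del self.history[:-HISTORY_DEPTH]   # keep only the most recent HISTORY_DEPTH entries
        return []

    def verify(self, password):
        """Check a login attempt against the current password only."""
        if not self.history:
            return False
        salt, digest, _ = self.history[-1]
        return hmac.compare_digest(hash_password(password, salt)[1], digest)


if __name__ == "__main__":
    rec = PasswordRecord()
    start = datetime(2024, 1, 1)
    print(rec.change_password("Correct-Horse-9", start))                          # []
    print(rec.is_expired(start + timedelta(days=31)))                             # True
    print(rec.change_password("Correct-Horse-9", start + timedelta(days=31)))     # reuse rejected
```

A login path would call is_expired at authentication time and redirect the user into change_password when it returns True; keeping the expiry check and the reuse check in the same record is what turns the written policy into an enforced one.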

Employee Identification

Although nobody likes wearing a badge with a photo worse than their driver's license photos, ID badges make it clear who should and should not be in a given area. Guests should be required to register and wear temporary ID badges that clearly note their status.

What if individuals don't have a badge? Employees should be encouraged to challenge anyone without a badge, or at least to know the procedure for dealing with such situations. There should also be a procedure for employees to follow when reporting any violations of policy. Anytime there is a violation of policy, employees should know how to report it and that they will be supported by management.

Privacy Policies

Privacy is an important topic. Employees and customers have certain expectations with regard to privacy. Most organizations post their privacy policies on their company website. The United States has a history of privacy protection that dates back to the Fourth Amendment. Other privacy laws that your organization should be aware of include

  • Electronic Communications Privacy Act of 1986: Protects email and voice communications.
  • Health Insurance Portability and Accountability Act (HIPAA): Sets strict standards on what types of information hospitals, physicians, and insurance companies can exchange.
  • Family Educational Rights and Privacy Act (FERPA): Provides privacy rights to students over 18.
  • European Union Privacy Law: Provides detailed information on what types of controls must be in place to protect personal data.

Governmental and Commercial Data Classification

So what can be done to prevent social engineering or to reduce its damage? One primary defense is to make sure that the organization has a well-defined information classification system in place. An information classification system will not only help prevent social engineering, but will also help the organization come to grips with what information is most critical. When the organization and its employees understand how the release of critical information might damage or affect the organization, it is much easier to gain employee compliance.

Two primary systems are used to categorize information: the governmental information classification system and the commercial information classification system.

The governmental system is designed to protect the confidentiality of information. It is divided into categories of unclassified, confidential, secret, and top secret.

  • Unclassified: Information that is not sensitive and need not be protected. The loss of this information would not cause damage.
  • Confidential: This information is sensitive, and its disclosure could cause some damage; therefore, it should be safeguarded against disclosure.
  • Secret: Information classified as secret has greater importance than confidential data. Its disclosure would be expected to cause serious damage and might result in the loss of significant scientific or technological developments.
  • Top Secret: This information deserves the most protection. If it were to be disclosed, the results could be catastrophic.

The commercial information classification system is the second major information classification type. Commercial entities usually don't have the same type of concerns as the government, so commercial standards are more focused on integrity. The commercial system is categorized as public, sensitive, private, and confidential.

  • Public: Similar to unclassified information in that its disclosure or release would cause no damage.
  • Sensitive: This information requires controls to prevent its release to unauthorized parties. Some damage could result if this information is disclosed.
  • Private: Information in this category is usually of a personal nature. It can include employee information or medical records.
  • Confidential: Information rated as confidential has the most sensitive rating. This is the information that keeps a company competitive, and its release should be prevented at all costs.

User Awareness

Awareness programs can be effective in increasing the employees' understanding of security and the threat of social engineering. You might want to consider outsourcing security training to a firm that specializes in these services. Many times, employees take the message more seriously if it comes from an outsider. Security awareness training is a business investment. It is also something that should be ongoing. Employees should be given training when they start to work for the company and then at periodic intervals throughout their employment. Some tips to help reduce the threat of social engineering and increase security include

  • Don't click on that email attachment. Anytime a social engineer can get you to click on a fake attachment or direct you to a bogus website, he is one step closer to completing his attack.
  • Ensure that guests are always escorted. It's not hard for social engineers to find some reason to be in a facility; it might be to deliver a package, tour a facility, or interview for a job. Escorting guests is one way to reduce the possibility of a social engineering attack.
  • Never give out or share passwords. Sure, the guy on the phone says that it's okay to give him your password; don't do it.
  • Don't let outsiders plug in to the network without prior approval. You have been asked by a new sales rep if it's okay for him to plug in to the network and send a quick email; check with policy first. If it states that no outsiders are to be allowed access to the internal network, you had best say no.


You have been hired as a consultant for Big Dog Inc., a local company. As you have read in this chapter, physical security is as important as logical security. You have also seen that social engineering is a powerful attack methodology. To help reinforce these topics, the following case study was developed, titled:

"The high bidder doesn't always pay"

You have been hired as a security consultant for a local company. Upon arrival, you were briefed by the facilities manager. Here is what you were told: "There had always been somewhat of a problem with equipment disappearing, but the scale has recently increased. At first, it was only small items: computer memory, expansion cards, used keyboards, and such. Then, three laptops were reported missing." Senior management is concerned and looking to you for answers.

Your research uncovered that laptop theft is second only to car theft in the United States. One in fourteen used computers sold is actually stolen goods. Most of the equipment that was stolen had been discovered missing by first-shift employees. This piqued your interest in the cleaning crew and second-shift IT employees, as they are the only ones who have access to the areas in which equipment had been reported missing. Personnel records from HR indicated nothing unusual, but a review of Internet access by second-shift employees uncovered that one employee was preoccupied with eBay. One of the great things about eBay is that it lists the seller's history. Researching the employee's sold items revealed a match with the missing equipment. By quickly creating a new Hotmail email account, the security consultant could contact the seller while hiding his true identity. Posing as a buyer, the consultant emailed the employee requesting more information about the laptop, including its serial number. It matched the last missing laptop. In the end, this employee lost his job and was charged with theft of equipment.



What actions should you suggest that the company take to prevent the theft of laptops in the future?


Auditing helped uncover the employee's Internet activity. Auditing is considered what type of activity?


Even though the employee had a criminal record, HR records didn't uncover this. What went wrong?


Beyond the loss of the laptop itself, how would you advise the company to deal with the loss of proprietary information and passwords stored within a stolen laptop?


What role did social engineering play in this case study?



One possible answer would be to issue device locks with all laptops and make employees responsible for lost equipment.


Auditing is considered a detective control, as it doesn't deter an attack but can help uncover who did what, when.


HR might not have had a good pre-employment policy. One of the things employers should check is a potential employee's criminal background.


The company might want to use encryption. This would help to ensure that even if laptops are stolen, the data is difficult for a hacker to access and use.


Social engineering was used by the security consultant when he set up an email account and contacted the employee requesting more information about the stolen laptop.


Certified Ethical Hacker Exam Prep
ISBN: 0789735318
Year: 2007
Pages: 247
Author: Michael Gregg