1.9 Social Engineering


The weakest link in security will always be people, and the easiest way to break into a system is often to engineer your way in through the human interface. Almost every hacker group has engaged in some form of social engineering over the years, and in combination with other techniques they have broken into many corporations as a result. In this type of attack, the attacker chooses a mark who can be scammed into giving up a password, user ID, or other usable information. Because most administrators and employees are more concerned with efficiency and helping users than with verification, they may not notice that the person they are speaking to is not a legitimate user. And because many organizations have no formal procedure for establishing whether an end user is legitimate, the attacker often gains a tremendous amount of information in a very short time, frequently with no way to trace the leak back to the attacker.

Social engineering begins with the goal of obtaining information about a person or business, and its activities range from dumpster diving to cold calls and impersonation. As the movies acknowledge, many hackers and criminals have realized that a wealth of valuable information often lies in trash bins waiting to be emptied by a disposal company. Most corporations do not dispose of information adequately, and trash bins often contain material that identifies employees or customers. This information is not secured and is available to anyone willing to climb into the dumpster at night and look for it; hence the term dumpster diving.

Other information is readily available through deception. Most corporations do not have security measures that address deception adequately. What happens when the admittance protocol is followed properly, but the person being admitted is not who he says he is? Many groups use several of their members to probe a corporate admittance policy, testing which violations of protocol go unchallenged. Often such a multiperson attack results in admittance to the company and ultimately to the information desired. Using the bathroom or going for a drink of water is always a good excuse for leaving a meeting, and the visitor often will not have an escort. Most corporations do not have terminal-locking policies, so an unattended, unlocked workstation is another way an attacker can gain access or load software that may pierce the company's firewall from the inside. As long as the people entering the corporation act according to the role they have claimed for their access and look the part, it is unlikely that they will be detected.

Remotely, social engineering actually becomes less challenging. There are no visual expectations to meet, and people are very willing to participate with a little coaxing. As is often the case, giving something away for free is a reliable method of entry. Many social engineering scenarios involve sending the target a free piece of software or something else of value. Embedded within that free software, Trojans, viruses, and worms can go undetected and bypass system and network security: because the protection on the local machine has a hard time differentiating real software from fake, and because the user has chosen to run the program, there is little risk to the attacker in delivering a keylogger or Trojan to the victim machine this way. Equally effective, customer-support or employee-support personnel can be duped into helping a supposedly needy user recover a password or gain access to information the caller is not entitled to, without the support staff realizing what they have given away.

1.9.1 Educate Staff and Security Personnel

According to NIST Special Publication SP 800-12, [18] the purpose of computer security awareness, training, and education is to enhance security by

  • Improving awareness of the need to protect system resources

  • Developing skills and knowledge so computer users can perform their jobs more securely

  • Building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems

Making computer system users aware of their security responsibilities and teaching them correct practices helps users change their behavior. It also supports individual accountability, which is one of the most important ways to improve computer security: without knowing the necessary security measures (and how to use them), users cannot be truly accountable for their actions. The importance of this training is emphasized in the Computer Security Act of 1987, which requires training for those involved with the management, use, and operation of federal computer systems.

Awareness stimulates and motivates those being trained to care about security and reminds them of important security practices. By understanding what happens to an organization, its mission, customers, and employees when security fails, people are often motivated to take security more seriously. Awareness can take on different forms for particular audiences. Appropriate awareness for management officials might stress management's pivotal role in establishing organizational attitudes toward security. Appropriate awareness for other groups, such as system programmers or information analysts, should address the need for security as it relates to their jobs. In today's systems environment, almost everyone in an organization may have access to system resources and, therefore, may have the potential to cause harm.

Both dissemination and enforcement of policy are critical issues that are implemented and strengthened through training programs. Employees cannot be expected to follow policies and procedures of which they are unaware. In addition, enforcing penalties may be difficult if users can claim ignorance when they are caught doing something wrong. Training employees may also be necessary to show that a standard of due care has been taken in protecting information. Simply issuing policy, with no follow-up to implement that policy, may not suffice. Many organizations use acknowledgment statements, signed by employees, attesting that they have read and understand the computer security requirements.

Awareness is used to reinforce the fact that security supports the organization's mission by protecting valuable resources. If employees view security measures as just bothersome rules and procedures, they are more likely to ignore them. In addition, they may not make needed suggestions about improving security or recognize and report security threats and vulnerabilities. Awareness is also used to remind people of basic security practices, such as logging off a computer system or locking doors. A security awareness program can use many teaching methods, including videotapes, newsletters, posters, bulletin boards, flyers, demonstrations, briefings, short reminder notices at logon, talks, or lectures. Awareness is often incorporated into basic security training and can use any method that can change employees' attitudes. Effective security awareness programs need to be designed with the recognition that people tend to practice a tuning-out process (also known as acclimation). For example, after a while, a security poster, no matter how well designed, will be ignored; it will, in effect, simply blend into the environment. For this reason, awareness techniques should be creative and frequently changed.

Security education is more in-depth than security training and is targeted for security professionals and those whose jobs require expertise in security. Security education is normally outside the scope of most organizational awareness and training programs. It is more appropriately a part of employee career development. Security education is obtained through college or graduate classes or through specialized training programs. Because of this, most computer security programs focus primarily on awareness. An effective Computer Security Awareness and Training (CSAT) program requires proper planning, implementation, maintenance, and periodic evaluation. The following seven steps constitute one approach for developing a CSAT program:

Step 1: Identify program scope, goals, and objectives.

Step 2: Identify training staff.

Step 3: Identify target audiences.

Step 4: Motivate management and employees.

Step 5: Administer the program.

Step 6: Maintain the program.

Step 7: Evaluate the program.

1.9.2 Crafting Corporate Social Engineering Policy

When you begin the process of building a corporate policy for social engineering, several important considerations need to be included in the policy. Ensure that employees are aware of the data they are making available to others and what hackers might do with the knowledge they gain from that data. Train end users in the proper handling of social engineering tactics such as the following:

  • Dumpster diving

  • Phone calls

  • E-mail

  • Instant messaging

  • On-site visits

Prevention

Teach employees how to prevent intrusion attempts by verifying identification, using secure communication methods, reporting suspicious activity, following established procedures, and shredding corporate documents. It is important to define a simple, concise set of procedures for employees to follow when they encounter any of these types of attacks, including whom to notify and how.

Audits

It is a good idea to periodically employ external consultants to perform audits and social engineering attempts to test employees and the network security readiness of your organization. Schedule these external audits so that their timing cannot become predictable, for example by rotating the month within each quarter in which an audit occurs. If your external audits are conducted semiannually, the first audit of the year may occur in month one of quarter one and the next in month three of quarter three; the following year, you rotate to other months or move to quarters two and four. The point is not which months and quarters are used, but that the audits occur in an unpredictable fashion known only to you and a trusted few. Note that a fixed rotation becomes predictable once it has been observed for a cycle or two; choosing the month afresh each time, and keeping that choice confidential, avoids the pattern.




Wireless Operational Security
ISBN: 1555583172
Year: 2004
Pages: 153