9.2 Social Engineering


9.2 Social Engineering

Social engineering is a term used to describe the act of convincing someone to give you something that they should not. Successful social engineering attacks occur because the target may be ignorant of the organization's information security policies or intimidated by an intruder's knowledge, expertise, or attitude. Social engineering is reported to be one of the most dangerous yet successful methods of breaking into any IT infrastructure, and it has the potential to render even the most sophisticated security solution useless. Some favorite targets for social engineering attacks are the help desk, on-site contractors, and employees.

The help desk should be trained to know exactly which pieces of information related to the wireless network must not be given out without proper authorization or without following the specific processes put in place by the security policy. Items that should be marked for exclusion include the Service Set Identifier (SSID) of access points, WEP key(s), the physical locations of access points (APs) and bridges, usernames and passwords for network access and services, and passwords and SNMP community strings for infrastructure equipment. For example, if the process of defeating WEP encryption has stumped the hacker, he or she may try to trick an employee into providing this information. Once the hacker has obtained the correct WEP key, he or she will plug that key into his or her computer and use the various tools described previously to capture sensitive data in real time, just as if there were no security at all.

Two common tactics are used in social engineering attempts against help desk personnel: (1) forceful, yet professional language and (2) playing dumb. Both approaches have the same effect: obtaining the requested information. Social engineers understand that help desk employees do not wish to have their supervisors and managers brought into a discussion when their assigned customers are unhappy with the service they are receiving. Social engineers also know that some people are simply inept at handling conflict, and that some people are easily intimidated by anyone with an authoritative voice. Playing dumb is also a favorite tactic of social engineers. Help desk personnel are often distracted and disarmed by the "dumb caller," which causes them to stop paying attention to rigid security protocols because they assume the person they are speaking with knows very little to begin with.

IT contractors can be especially good targets for social engineers. They are brought onto a job with very little security training and may not realize the value of the information they are helpfully providing to the authoritative caller on the other end of the phone. How could they know that the authoritative voice on the other end of the phone is a hacker anyway? Remember, most contractors are knowledgeable about the inner workings and details of just about all network resources on a site, because they are often on that site to design and/or repair the very network they built. In wanting to be helpful to their customer, contractors often give out too much information to people who are not authorized to have it.

Wireless technology is still very new to many organizations. Employees who have not been properly educated about wireless security may not realize the dangers a wireless network can pose to the organization. Nontechnical employees who use a wireless network should be trained to understand that their computers can be attacked at work, at home, or on any public wireless network. Social engineers take advantage of all of these weaknesses, and they will even fabricate elaborate stories to fool almost anyone who has not been specifically trained to recognize these types of attacks.

Wireless Operational Security
ISBN: 1555583172
Year: 2004
Pages: 153
