Saturday, March 1, 2008

Social Engineering


Good Morning Sir. This is Peter from ABC Bank. Due to server issues, I need to reset your internet banking password… can you tell me your old one?

Help Desk or Social Engineering?

Social Engineering is the unauthorized acquisition of sensitive information or inappropriate access privileges by a potential threat source, based upon the building of an inappropriate trust relationship with a legitimate user of an information technology system.

The goal of social engineering is to trick someone into providing valuable information or access to that information.

A few other definitions of Social Engineering

Bernz 2: Social engineering is the art and science of getting people to comply with your wishes. It is not a way of mind control, it will not allow you to get people to perform tasks wildly outside of their normal behavior and it is far from foolproof.

Palumbo: An outside hacker’s use of psychological tricks on legitimate users of a computer system, in order to obtain information he needs to gain access to the system. While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access and in most cases the attacker never comes face-to-face with the victim.

Berg: Social engineering is a term that describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures. Getting needed information (for example, a password) from a person rather than breaking into a system.

In an IT security survey, 90% of office workers gave away their password in exchange for a cheap pen. Can you believe this?

Users must be warned early and often not to divulge passwords or any other sensitive information to anyone, for any purpose, even to legitimate system administrators. In reality, administrators of computer systems do not need to know a user's password to perform administrative tasks: a properly built system stores only a hash of the password, and a reset replaces it without the old one ever being seen.
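To make that last point concrete, here is an added example (not code from the original post) of how a login store can be built so that nobody, including the help desk, ever has a reason to ask for a user's current password. Passwords are stored only as salted PBKDF2 hashes, verification compares hashes, and an administrative reset takes the new password alone. The `200_000` iteration count and the dummy salt used for unknown accounts are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; an assumption for this example,
# tune it to your hardware (higher is slower for attackers and for you).
ITERATIONS = 200_000
SALT_LEN = 16
# Constructed dummy salt so a lookup of a non-existent account costs the
# same as a real one (keeps username enumeration by timing harder).
_DUMMY_SALT = b"\x00" * SALT_LEN


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length key from the password; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_user(store: dict, username: str, password: str) -> None:
    """Register a user: a fresh random salt plus the derived hash is all that is kept."""
    salt = os.urandom(SALT_LEN)
    store[username] = {"salt": salt, "hash": hash_password(password, salt)}


def verify(store: dict, username: str, password: str) -> bool:
    """Check a login attempt without ever decrypting or reading back a password."""
    record = store.get(username)
    if record is None:
        hash_password(password, _DUMMY_SALT)  # burn the same work, then refuse
        return False
    candidate = hash_password(password, record["salt"])
    # Constant-time comparison so equal-prefix hashes do not leak timing.
    return hmac.compare_digest(record["hash"], candidate)


def admin_reset(store: dict, username: str, new_password: str) -> None:
    """Help-desk reset: needs the NEW password only.

    There is no way to recover the old one from the store, so a caller who
    asks "can you tell me your old password?" is not doing administration.
    """
    if username not in store:
        raise KeyError(username)
    create_user(store, username, new_password)  # new salt, new hash


if __name__ == "__main__":
    users = {}
    create_user(users, "alice", "correct horse battery staple")
    print("login ok:", verify(users, "alice", "correct horse battery staple"))
    admin_reset(users, "alice", "temporary-reset-password")
    print("old password still works:", verify(users, "alice", "correct horse battery staple"))
    print("plaintext anywhere in store:", "correct horse" in repr(users))
```

The design choice worth noticing is that `admin_reset` has the same signature whether the caller is the real help desk or "Peter from ABC Bank": neither path has any use for the old password, which is exactly why a request for it is the tell.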

Not all computer security problems are technological problems. Some are people problems. Just as talented hackers can use their programming skills to exploit applications, operating systems, and protocols to get inside your company’s network, talented social engineers can breach your network by using their “people skills” and powers of observation to exploit your company’s employees, partners, and others who have legitimate network access. They are adept at psychologically manipulating people into giving them access or the information necessary to get access using a variety of schemes.

Here's a look at some of the tactics and techniques commonly used by these intruders and what you can do to thwart them.

The one thing that everyone seems to agree upon is that social engineering is generally a hacker’s clever manipulation of the natural human tendency to trust. The hacker’s goal is to obtain information that will allow him/her to gain unauthorized access to a valued system and the information that resides on that system.

Another aspect of social engineering relies on people's inability to keep up with a culture that relies heavily on information technology. Social engineers rely on the fact that people are not aware of the value of the information they possess and are careless about protecting it. Frequently, social engineers will search dumpsters for valuable information, memorize access codes by looking over someone's shoulder (shoulder surfing), or take advantage of people's natural inclination to choose passwords that are meaningful to them but can be easily guessed. Security experts propose that as our culture becomes more dependent on information, social engineering will remain the greatest threat to any security system. Prevention includes learning the value of information, understanding why it needs protecting and actually protecting it, and increasing people's awareness of how social engineers operate.

Another example: the housekeeping staff has access to our entire organization overnight while they're cleaning and maintaining. How do you know that they don't have a Ph.D. in computer science and malicious intent? You don't.

Here's a great story, and it's true: A CEO of a company goes on vacation. The day after he leaves, a consultant, wearing a suit, carrying all the right references, walks in the door of the office and says, "Mr. Johnson hired me and asked me to take a look at your engineering plans. Apparently, there was a technical problem." Someone says, "Oh, he just went on vacation, he's not here." The consultant responds: "Well, you know, I came from the United States; I'm only here for basically the one day. This is pretty important, and, frankly, you guys already paid me a lot of money. Is there anyone I could talk to about this?" So this person sits down, spends an entire day going over the engineering plan, and walks out with copies because there are some issues that he needs to work on later. Meanwhile, the CEO gets back from vacation and says: "What consultant?"

How much more of an issue are these kinds of attacks today than they were five or 10 years ago?

If there's a worse anything, it's just that organizations have a higher reliance on their electronic systems, and oftentimes, if you think about 20 years ago, more people have access to those systems than ever had access to them before. But social engineering is a very well-known issue in the security community. It's also one that's a bit more difficult to address than a lot of the traditional security issues because, you know, you can't stop people from being people, and as much as you'd like, your users are going to make mistakes and they'll be manipulated and everything else. I think it's been a consistent problem.

Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action, and is typically done over the telephone. It is more than a simple lie, as it most often involves some prior research or setup and the use of pieces of known information (e.g., for impersonation: date of birth, Social Security Number, last bill amount) to establish legitimacy in the mind of the target.
This technique is often used to trick a business into disclosing customer information, and is used by private investigators to obtain telephone records, utility records, banking records and other information directly from junior customer service representatives. The information can then be used to establish even greater legitimacy under tougher questioning with a manager (e.g., to make account changes, get specific balances, etc.).

Phishing is an e-mail fraud method in which the perpetrator sends out legitimate-looking email in an attempt to gather personal and financial information from recipients. Typically, the messages appear to come from well known and trustworthy Web sites. Web sites that are frequently spoofed by phishers include PayPal, eBay, MSN, Yahoo, BestBuy, and America Online.

Phishing is a technique of fraudulently obtaining private information. Typically, the phisher sends an email that appears to come from a legitimate business, such as a bank or credit card company, requesting "verification" of information and warning of some dire consequence if it is not done. The message usually contains a link to a fraudulent web page that looks legitimate, with company logos and content, and has a form requesting everything from a home address to an ATM card's PIN. The visible link text often shows the real company's address while the underlying href points at the attacker's site, frequently with the brand name stuffed into a subdomain of a domain the attacker controls.

The prey is not just you but your children and elders as well