The term social engineering (SE) smacks of George Orwell’s 1984, and it can be just as perfidious as it sounds, especially as it relates to IT security. Of course, we all use social engineering every day. We use it when we try to get our kids to do their homework, cajole employees into doing a bit of extra work, or try to talk a traffic cop out of a ticket. However, hackers also use social engineering to get valuable information that allows them to penetrate IT systems.
Social engineering is a growing threat to IT security for two main reasons:
- Security consciousness is increasing and systems are being hardened, which makes standard hacking over the Internet more difficult.
- Social engineering is easier than it used to be because the current business environment involves many new employees and temp workers, who can easily be targeted by hackers impersonating fellow employees. From a more paranoid standpoint, some of these new hires or temps may even be hackers themselves, who will be around only long enough to gather information they can use to attack the IT infrastructure.
Understanding the social engineering threat
Although it may appear to be a recent trend, social engineering is actually one of the oldest successful hacking methods and was addressed by one of the earliest CERT Security Bulletins, CA-1991-04 Social Engineering.
Long before that, back when computers were young, hackers routinely talked their way into computer departments at major universities such as MIT and CalTech. Since this was before the widespread use of the Internet and predated the practice of connecting dial-up modems to most computers, social engineering was essentially the only way hackers could gain access to the hulking mainframe monsters that held such fascinating technology mysteries.
Today, social engineering attacks can take a number of different forms. Let’s take a look at some of the most common scenarios.
Help desk attacks
Help desks are the main target for a direct social engineering attack for a couple of reasons. First, help desk personnel are supposed to be accommodating. Second, they have a lot of critical information to give out. These employees hear the same problems day after day and offer help based on some reference documentation, which probably includes a list of passwords and usernames. And the documentation will almost certainly cover how to log on to the network, spelled out in excruciating detail.
Here’s a simple procedure that will eliminate most of the problem: Have help desk workers take down the details of requests, and if the question is anything potentially more dangerous than, “Where’s the [Delete] key?” make sure that they don’t give the requested information immediately. Instead, have them call the person back at an authorized home or office number so that they know for sure who’s getting the information. It’s also a good idea to give all legitimate users a separate password to verify their identity and to have a special procedure for any requests involving passwords.
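The callback procedure above, written out as a small help-desk intake script. This is an added example, not code from the original article: the employee directory, phone numbers, passphrases and request categories are all constructed sample data. It shows the three rules the procedure relies on: low-risk questions are answered on the spot, anything sensitive is never answered on the inbound call, and the callback always goes to the number on file rather than one the caller supplies. Password requests additionally require the separate identity passphrase.

```python
"""Help-desk callback workflow (added example; not from the original article).

A request is recorded and classified. Sensitive requests are never answered
on the inbound call: they are queued for a callback to the number on file,
and password requests must also present the separate identity passphrase.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional


def _h(s: str) -> str:
    """Unsalted hash of the identity passphrase; enough for this illustration."""
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed sample directory: username -> registered callback number and
# the hash of the user's separate identity-verification passphrase.
DIRECTORY = {
    "jdoe": {"callback": "+1-555-0100", "passphrase_hash": _h("blue-giraffe")},
    "asmith": {"callback": "+1-555-0101", "passphrase_hash": _h("seven-kites")},
}

# Request categories that must never be answered on the inbound call.
SENSITIVE = {"password_reset", "network_logon", "account_details"}


@dataclass
class Ticket:
    requester: str                     # username the caller claims to be
    category: str                      # what they asked for
    number_given: str                  # number the caller asked to be reached at
    passphrase: Optional[str] = None   # identity passphrase, if offered
    log: List[str] = field(default_factory=list)


def handle_request(ticket: Ticket) -> str:
    """Return 'answer_now', 'callback_queued' or 'refused', recording why."""
    if ticket.category not in SENSITIVE:
        ticket.log.append("low-risk request, answered on the call")
        return "answer_now"

    record = DIRECTORY.get(ticket.requester)
    if record is None:
        ticket.log.append("requester not in directory, refused")
        return "refused"

    # The caller-supplied number is never used; callback goes to the number on file.
    if ticket.number_given != record["callback"]:
        ticket.log.append(
            f"caller-supplied number {ticket.number_given} ignored"
        )

    if ticket.category == "password_reset":
        # Compare hashes in constant time so a wrong guess is not distinguishable by timing.
        if ticket.passphrase is None or not hmac.compare_digest(
            _h(ticket.passphrase), record["passphrase_hash"]
        ):
            ticket.log.append("identity passphrase missing or wrong, refused")
            return "refused"

    ticket.log.append(f"callback queued to {record['callback']}")
    return "callback_queued"


if __name__ == "__main__":
    # Walk a few constructed calls through the workflow.
    for t in (
        Ticket("jdoe", "where_is_delete_key", "+1-555-9999"),
        Ticket("jdoe", "network_logon", "+1-555-9999"),
        Ticket("jdoe", "password_reset", "+1-555-0100", passphrase="wrong"),
        Ticket("jdoe", "password_reset", "+1-555-0100", passphrase="blue-giraffe"),
    ):
        outcome = handle_request(t)
        print(f"{t.requester} / {t.category}: {outcome} ({'; '.join(t.log)})")
```

The point of the `number_given` check is that a caller who knows an employee's name and a plausible story still cannot steer the callback to a phone they control; the help desk only ever dials what the directory holds.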
Anatomy of a phone attack
A phone attack will generally happen something like this:
A caller (hacker) asks, “Where’s Joe?”
“He’s not here today,” replies an employee.
“Darn! He promised to send XYZ last night,” says the hacker, “and I’ve got a final meeting on that big Baker contract in 10 minutes. Can you fax that information to me right away?”
Want to bet that if the hacker knew a few basic details (such as the name of the Baker contract in the example), he or she would be able to get confidential information from your company?
Here’s another kind of phone attack. “Hi, this is IT and we’re instituting a strict new security policy about passwords. I have to verify your identity and issue you a new ID. Give me your current username and password, and I’ll generate a new, easy-to-remember password and e-mail it to you.”
Obviously, the best time for this is five minutes before the end of the workday, when employees are focused on closing up and don't want to haggle over details. Would this type of SE attack work on anyone in your office?
More phone concerns
Employees need to be very careful about the phone numbers they call. Anyone can fake letterhead or even a laminated ID, but one thing you can always trust is a toll-free company number, right? Wrong. For $6, you can get an active toll-free number and have it answered with any greeting you want, from “CIA Action Desk, connecting you to agent X” to “XYZ Corporation, IT support center.”
The number is live, it doesn’t even have an extension, and it sounds mighty official. It can accept faxes or voice mail and even forward calls to another number or cell phone, yet the number didn’t exist a few days ago and will go out of service after its owner siphons information out of the victims. This sort of setup can be extremely useful in reverse SE attacks, where people are tricked into phoning for help, perhaps by fake help cards left on desks.
Send me your password
How about this? A legit-sounding Internet offer that doesn’t ask for any confidential information arrives in a company or even a home e-mail box. There’s nothing suspicious about it because it simply asks the person to create a free account by entering a username and a new password. It doesn’t ask for bank information, home address, or credit card number. This is just a simple, routine registration, which we all use every week to get access to various Web site services.
Sounds perfectly safe, doesn’t it? What if, like most people, that employee has made his or her life simpler by using the same username and password everywhere? In that case, a form that doesn’t even ask for confidential information tricks people into giving out their “standard” password.
Although not exactly social engineering, going through your garbage often provides all the background a hacker needs to penetrate your systems. Discarded calendars show who’s on vacation or attending trade shows. Company phone directories do more than contain internal phone numbers; they may also show who reports to whom, what department someone is in, or who a person's secretary is, which can be particularly useful if an employee is out of town.
Test your defenses
So how do you defeat these attacks? The biggest problem is balancing security with the need to have employees cooperate and work well together. I hope that sounds familiar because it mirrors the electronic security problem, where you need to balance ease of use with security.
The same principles used to secure systems electronically will help secure them from SE attacks. First, you need to determine the greatest threats to your systems. Next, you must test your defenses as they relate to the most critical systems and at-risk information. Here are a few ways to start:
- SE phone test—Enlist someone with an unfamiliar voice (or invest in an inexpensive voice changer) and have the person call your employees to see how much information they'll give out. You can even have someone pretend to be phoning for you.
- E-mail attacks—This is even easier than testing a phone attack. In particular, try to get employees to open a new account with a new password and username. Your Web development team should be able to help you set up a mock site to collect this information.
- Recycling data—Grab some gloves and see what’s in that dumpster. You’ll be amazed at how much information you can glean about your company and your employees.
You may think these tests are a bit stilted because you know people’s names and phone numbers, as well as details about internal office operations. Basically, you know what to look for and what questions to ask. However, you need to take advantage of all this information in designing your mock attack. A serious SE attack against your business will involve a lot of research, and the attacker may well know more about some of your employees than you do. If you can trick employees, it's likely that a good SE hacker can do the same.
If someone gives out critical information over the phone, remind the person of the call and point out the dangers in what he or she did. If a person gives out username and password information in response to the fake e-mail, explain why this is risky. Be sure to warn all of your employees that they should not use their corporate passwords as passwords on other systems such as e-commerce vendors. If you find confidential information in your dumpster, you'll need to reeducate employees and review your company's policy on shredding.
Follow these basic guidelines
If a stranger or a mild acquaintance is trying to rush you, or if some seemingly unrelated event tempts you to break a security procedure in any way, become highly suspicious of everything that’s happening.
Here’s an example: Suppose you have a policy requiring all outside vendors, repair people, and visitors to be escorted in your building at all times. What would happen if a distraction occurred, and the person you were escorting said, “Just go ahead, I know my way,” or something similar?
The distraction could be anything from a sudden rush of phone calls requiring your urgent attention to a fire alarm to a spilled cup of coffee. It might be a coincidence, but it could be part of the oldest con in the book. Whether it’s the pickpocket’s bump or the magician’s misdirection, this type of ploy is the hallmark of many con artists (social engineering experts included) and should ring an alarm bell. If this sounds too far-fetched, remember that two-way radios with two-mile ranges cost only $20 and fit in a pocket, so it’s not difficult to coordinate “accidents” down to the second.
Another general rule that will protect you from many SE attacks is to beware of the routine. Is that really someone filling in for your dependable cleaner? Do you recognize the bottled water delivery person? One easy way for someone from the outside to steal something is to just walk into a warehouse or an office with a two-wheel dolly and a clipboard.
Want to know an easier way to steal something from most businesses? If they have a regular UPS pickup, just get a brown outfit, learn the time that the big brown truck shows up, then walk in a half-hour earlier, sign the book, and cart off anything the company ships. It only works once, but once is often enough.
Also, watch out for those free “gifts” that so many businesses receive. A plant can easily conceal a radio and a clock can contain a TV transmitter facing your monitor and keyboard. A lot of people don’t realize just how cheap and small these devices can be. I have a complete TV transmitter, including microphone and camera, that runs off a 9V battery. The battery is actually larger than the TV camera and costs less than a high-end pair of sneakers.
Finally, don't forget to secure the mailroom. At one company I worked for, I started at the very bottom, in the mailroom, so I know how much damage can be done there. No one, with the possible exception of the cleaning crew, gets less respect than the mail staff. This gives both groups an incentive to dislike and harm the company, as well as the perfect cover for a thief—it’s easy to steal when everyone ignores you.
I've provided you with some knowledge that should help you recognize some social engineering tactics and identify potential areas of weakness in your company. Again, as organizations become more conscious of securing their electronic systems, look for social engineering attacks to become more common. Make sure your organization is prepared by making social engineering protections a part of your IT security plan.