A consultant was hired by a business executive to test the security of the executive’s enterprise. The consultant was not hired to try to hack through the firewall or bypass the intrusion detection system. He was hired to see how easy it would be for a motivated intruder to gain physical access to the company’s mission-critical systems.

So the consultant created a fake company ID badge for himself. He even simulated a magnetic swiping strip on the back of the ID by using a piece of electrical tape. He used this fake ID to get into the company’s main building, then made his way up to the data center where he began swiping his fake ID badge through the scanner. After several failed attempts, a friendly employee walked up and said, “Sometimes, that thing doesn’t work.” The friendly fellow proceeded to swipe his own badge, letting the consultant into the data center.

At that point, the consultant walked to the center of the room, raised his arms, and said, “Okay everyone, I’m conducting a surprise security audit. I need everyone to leave the room immediately.” Although there were a few surprised faces, all the employees in the data center filed out.

The consultant pulled out his cell phone, called the executive who hired him, and said, “Guess where I am?”

Why people are the weakest link
Gartner analyst Rich Mogull used this example to show how motivated attackers can have much more success by manipulating people rather than trying to hack through various levels of sophisticated security technologies. Mogull addressed this subject in detail in his presentation, “Human Security Issues: Managing People and Defending Against Social Engineering,” on May 15 at the Gartner Information Security (InfoSec) conference in Chicago.

Mogull explained that people are, by nature, unpredictable and susceptible to persuasion and manipulation. Attackers who use social engineering techniques exploit what Mogull calls “primal motivators,” such as fear, greed, and sexuality, to manipulate employees into releasing information (usually unwittingly) or providing access to information systems.

“Social engineering is the single greatest threat to enterprise security,” Mogull said, adding that many of the most damaging security breaches are due to social engineering and not electronic hacking.

He also described social engineering as “the most difficult [security] issue to manage” and said that most IT departments do a poor job of combating the threat.

Understanding social engineering attacks
Social engineering is essentially a way to bypass technology-based security mechanisms by manipulating people, as illustrated in Figure A.

Figure A
Social engineering bypasses technology-based security.

Mogull said social engineering attacks typically originate from one of three zones:

  • Internal
  • Trusted
  • External

Internal threats come from employees who manipulate other employees to gather sensitive information and gain access to IT systems. These offenders can include disgruntled employees, temporary employees, employees with criminal tendencies, and ancillary workers such as housekeeping and maintenance staff. Enterprises grant a certain amount of trust to all of these individuals, which can make it easier for them to execute attacks.

Trusted threats come from other individuals who are formally associated with your organization on a regular basis but are not on your payroll. These can include contractors and consultants, as well as partner organizations. Often, these individuals have a very high level of trust, and thus have access to sensitive data and systems. Yet such potential risks are rarely incorporated into security plans.

External threats come from people who are not associated with your organization. This category can include recreational hackers, competitors wanting to uncover confidential information, or criminals wanting to steal something. These people have no established trust with your organization, so they look to create short-term trust by using various social engineering techniques.

Some examples of these techniques are:

  • Playing the role of an authority, such as an IT administrator.
  • Playing the role of an end user.
  • Playing the role of someone from a partner organization.
  • Playing the role of a telecom technician or another individual who would have physical access to the company’s data systems.
  • Tricking an employee into planting malicious software on internal systems.
  • Stealing the identity of someone with inside access to IT systems.

Individuals who use social engineering techniques usually follow a common pattern of activity that Mogull calls the Social Engineering Attack Cycle, as illustrated in Figure B.

Figure B
The Social Engineering Attack Cycle

In the first phase, information gathering, an attacker uses various techniques to track down detailed information that can be used to gain the trust of an individual connected to the targeted organization. The attacker then uses this information to develop a relationship with the individual in phase 2 of the attack cycle. This can take a single phone call, or it can happen over a period of weeks or even months.

After the relationship is established, the attacker will exploit the relationship (phase 3) to get the target to reveal information or perform an action that would not otherwise take place. Phase 3 either accomplishes the attacker’s objective or opens the door to achieving the final objective in phase 4.

Guarding against social engineering
As you’ve probably already figured out, social engineering attacks are elusive and underhanded. However, they are not impossible to combat. “This is a business process issue,” Mogull emphasized. As such, organizations need to implement processes that undermine the effects of social engineering and, beyond that, establish a culture of security and accountability within the company.

One way you can test the current security culture of your organization is to do a simple self-quiz. Think about how the employees in your organization would react if an unfamiliar person who looked out of place sat down in a cubicle and started working on a computer. Now, ask yourself three questions:

  • Would one of your employees become suspicious about this event?
  • Would any employee choose to report it?
  • Would any employee know how to report it and to whom?

If you don’t feel confident that your employees would be able to intervene in this potential security breach, you need to take several concrete actions to improve your organization’s security culture.

Assuming you already have a well-conceived security policy in place, the first and most important action is to educate users about your company’s security policy, or at least the parts of it that potentially affect them. You should also raise employee awareness of the threat of social engineering. Figure C shows how education can address the three questions in the security self-test.

Figure C
Education is the key to enabling employees to combat social engineering.

Many organizations will also need to improve the physical security of their facilities. Mogull made some other recommendations for preventing social engineering attacks, including:

  • Do background checks when hiring employees.
  • Screen temporary and ancillary workers.
  • Set up a clear reporting process for security problems.
  • Open the lines of communication between physical security and the IT department.
  • Monitor employee behavior patterns for abnormal activities and access violations.
  • Lock out terminated employees immediately.
  • Create a positive work environment, which will cut down on disgruntled employees.
  • Publish a formal written company policy stating that the IT department will never ask for a user’s password.
  • Require ID badges for employees and mandate that an employee with a badge accompany visitors.

Be on the lookout
Social engineering attacks are elusive and can have very damaging consequences for an organization, but you can take a number of steps to mitigate such attacks. By increasing your users’ awareness of social engineering techniques and setting up common-sense business processes, you can change the culture of your organization to guard against these attacks.