Social Engineering Attacks
Before an attacker attempts to gain access to a
secured system, he must first know certain things about the target
system. The process of gathering information about a target system,
usually to find a way in, is known as footprinting. Although an
attacker often uses technology, he may simply try to ask for the
information. If the right person asks, he or she will often
get it all too easily.
A social engineering attack usually involves
an attacker impersonating a seemingly harmless person to deceive
company personnel into disclosing information. Obtaining that information
may be the actual goal itself, or it may be used to aid the attacker
in penetrating a secured system. The information can be a user ID,
password, access code or other type of sensitive information, but
can also be information that seems harmless to share. A company
phoned by a "student" conducting a survey about which operating systems
and software it uses may actually be giving valuable information
to a malicious attacker. The motives of a social engineer are identical
to those behind technology-based attacks; examples are money, politics, curiosity,
and terrorism. Malevolent competitors and ex-employees who want
to settle a score, sabotage a business, or steal a company secret
often use social engineering techniques to reach their malicious
goals.
A simple example of a social engineering attack
is an attacker calling the help desk of a company pretending to
be an employee who forgot his password. Social engineering attacks
are often more complicated cons that require careful preparation
as well as acting and persuasion skills. A social engineer collects bits
and pieces of information that will lead him to his goal, typically
using his most valuable tool, the phone. Calling a company and bluntly
asking for the information may alarm the employee on the other end
of the line and ruin the entire attack before it has really started.
So before the attacker can persuade a victim to simply hand out
information, he needs to crawl into the skin of someone the victim
will gladly give the information to, someone who works in the same
company for example. To do that he needs to know the company's
lingo, department structure, internal phone numbers, and anything
else that will make him an "insider". Once the attacker
talks the talk and knows whom to impersonate and whom to ask what, it
is just a matter of asking the right questions without raising any
suspicion to get everything he wants.
Another method an attacker uses to gather such
information, and possibly even more sensitive information, is dumpster
diving. This term refers to going through trash bins to search
for papers with employee and department names, administration codes,
specifics about the company's network environment, and other useful
information. Such information may seem worthless to most people,
but it may be just what a social engineer needs to make himself seem
trustworthy.
Social engineering is also a threat to physical security, in which
case an attacker tries to gain physical access to, for example, a
building or office. An example frequently used in movies is the
so-called 10-attack: an attractive individual distracts security
personnel while an accomplice sneaks in. An attacker may also try
to mislead security personnel and other employees by pretending
to be a maintenance repairperson or a bug exterminator, for example.
Social engineers have found a relatively new way
to attempt to obtain sensitive information from naive people,
without having to pay them a visit or call them by phone: e-mail.
The attacker sends malicious e-mail messages that seem legitimate
and even appear to have a valid sender address. The message may contain a
link that takes the victim to a website that looks exactly like
a site where he or she frequently buys products online with a credit
card. Or the message may seem to have been sent by the IT
department and include an attachment that is supposedly the latest
anti-virus update, which must be installed immediately. In reality,
the attachment could be a Trojan horse that creates a backdoor
for the attacker or logs keystrokes and sends them to the attacker
by e-mail. The best defense against social engineering attacks by
e-mail is using certificates for encrypting and signing e-mail messages,
allowing a recipient to positively identify the sender.
Many companies have acknowledged the necessity of technology
such as firewalls, intrusion detection systems, and advanced authentication
systems to secure their information. However, this technology does
not make them less vulnerable to a savvy social engineer. It may
actually lead to a false sense of security, which may make them
an even easier target. To prevent successful social engineering
attacks, security policies must be implemented and enforced.
All employees must be informed and trained to recognize and
appropriately respond to a potential social engineering attack.
One of the most important policies that should
be implemented is verification of requests. Not only the identity
of the requestor should be verified, but also the request he or
she is making. A simple method to verify a caller's identity is
to call the person back at the phone number listed in the company's
phone directory. If someone outside the company asks for inside
information, he or she should be forwarded to a manager or the Information
Security department. When a copier maintenance person enters a building,
the receptionist should verify the appointment and ask for an ID.
By following some basic rules and using common
sense, most social engineering attacks can be prevented. It is essential
to educate employees about these types of attacks and the methods
of a social engineer, because in any security system people are
really the weakest link.