The greatest computer security threat your organization faces is not from the Web but from social engineering. Any organization is vulnerable to these types of attacks. The best defenses against social engineering attacks are policy and education.
What is social engineering? In computer security circles, social engineering can be defined as a nontechnical kind of intrusion that relies on human interaction and behavioral patterns. Oftentimes this involves tricking people into breaking normal security procedures. This is what used to be called a con game. Or, why work hard using technical exploits to hack into a network when you can just ask for the password?
In any large organization, there is a technology department that has to handle employee computer problems. An easy way to get a password is to call employees, pretend to be from their tech department, and ask them for their passwords. Don’t laugh. It works.
The following are the three most common social engineering attacks:
- Direct request: The social engineer simply asks for the information or for access. This attack often doesn’t succeed because the request is challenged and refused.
- Contrived situation: Confusion, or playing on people's instinct to help, contributes to the success of this attack: "I forgot a password," "the manager is on vacation," or "I have a looming deadline." The more factors the target must consider, the more likely he or she is to be persuaded.
- Personal persuasion: Many social engineers are adept at using personal persuasion to overcome initial resistance. The goal is not to force compliance but to get voluntary action. They convince the victims that they are making the decision themselves.
Social engineers rely on the fact that employees often do not know the value of the information they possess, so they are lax in protecting it. Dumpster diving, watching people type in passwords (shoulder surfing), and taking advantage of people who build passwords from facts that mean something to them are good examples. In the Internet age, your mother's maiden name is not very confidential; where you went to junior high school can be found easily; and your birthday should not be part of your password.
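The following is an added example and is not part of the original column or MiloCreek's work. It shows the check a practitioner would put behind the paragraph above: given a profile of the facts an attacker can look up (names, school, birthday, a pet), it rejects any candidate password that contains one of them, including leetspeak disguises and the common ways people write a date. The profile, the names and the substitution table are constructed for illustration.

```python
"""Reject passwords built from personal details an attacker can look up."""
import re
from datetime import date
from typing import Dict, Optional, Set

# Undo common leetspeak so "K0w@lski" is compared as "kowalski".
# Table is a constructed example; extend it to taste.
_LEET = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

# Tokens shorter than this are ignored; otherwise "85" would reject
# almost every password that happens to contain two digits.
MIN_TOKEN_LEN = 4


def normalize(s: str) -> str:
    """Lowercase and reverse leetspeak substitutions."""
    return s.lower().translate(_LEET)


def date_tokens(d: date) -> Set[str]:
    """The common ways a person writes a birthday: 1985, 0412, 120485, 04121985 ..."""
    year = str(d.year)
    yy = f"{d.year % 100:02d}"
    mm = f"{d.month:02d}"
    dd = f"{d.day:02d}"
    return {
        year,
        mm + dd, dd + mm,
        mm + dd + yy, dd + mm + yy,
        mm + dd + year, dd + mm + year, year + mm + dd,
    }


def personal_tokens(profile: Dict[str, object]) -> Set[str]:
    """Flatten a profile into lowercase strings worth searching for."""
    tokens: Set[str] = set()
    for value in profile.values():
        if isinstance(value, date):
            tokens |= date_tokens(value)
            continue
        words = [w for w in re.split(r"\W+", str(value)) if w]
        tokens.update(w.lower() for w in words)
        tokens.add("".join(words).lower())  # "Lakeside Junior High" -> "lakesidejuniorhigh"
    return {t for t in tokens if len(t) >= MIN_TOKEN_LEN}


def find_personal_detail(password: str, profile: Dict[str, object]) -> Optional[str]:
    """Return the profile token found in the password, or None if it is clean.

    Digit tokens (dates) are matched against the raw lowercase password, because
    leetspeak reversal would mangle them; word tokens are also matched against
    the normalized form so "b1scu1t" is caught.
    """
    raw = password.lower()
    norm = normalize(password)
    # Longest token first, then alphabetical, so the result is deterministic
    # and the most specific match (a full date, not just the year) is reported.
    for token in sorted(personal_tokens(profile), key=lambda t: (-len(t), t)):
        if token in raw or token in norm:
            return token
    return None


# Constructed profile for the example; every field is the kind of fact the
# column says is easy to look up.
EXAMPLE_PROFILE: Dict[str, object] = {
    "first_name": "Jane",
    "mother_maiden_name": "Kowalski",
    "junior_high": "Lakeside Junior High",
    "birthday": date(1985, 4, 12),
    "dog": "Biscuit",
}


if __name__ == "__main__":
    for candidate in ("K0w@lski!99", "Spring-04121985", "b1scu1t2024", "correct horse battery"):
        hit = find_personal_detail(candidate, EXAMPLE_PROFILE)
        verdict = f"rejected (contains '{hit}')" if hit else "accepted"
        print(f"{candidate!r}: {verdict}")
```

The check is deliberately a substring test rather than an exact match, because people rarely use the bare fact; they pad it with a digit or two and a punctuation mark, which is exactly what the leetspeak table and the date variants are there to see through.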
A few years ago, a network security firm was hired to assess computer security vulnerabilities at a large credit union. The client specifically asked that social engineering techniques be tested. The business had been having problems with employees sharing passwords and giving up confidential information too easily. USB thumb drives were also cited by the client as vehicles for potential information leaks.
Even with the employees on alert, the security firm succeeded with a simple hacker technique. It scattered 20 cheap USB drives on the ground outside the company, each carrying a hidden Trojan horse program that would gather passwords and send them to the security firm. Credit union employees picked up the drives on their way in to work and plugged them into their computers. Passwords started arriving at the security firm by e-mail within the hour. Eventually, 15 of the 20 USB drives were found, and all 15 were plugged into credit union computers, compromising every one of them.
The attack was accomplished easily and was completely transparent to users, the network, and management. It made use of humans' innate curiosity. Ever notice the multiple techniques junk mail marketers use to get you to open their envelopes? Same thing. The practical lesson is that training alone did not hold up under curiosity; a policy that found media goes to the technology department rather than into a workstation, backed by technical controls that block unapproved removable storage, removes the decision from the employee entirely.
John C. Shovic is a partner in Coeur d’Alene, Idaho–based MiloCreek Consulting.