Social Engineering Attacks
Before an attacker attempts to gain access to a secured system, he must first know certain things about the target system. The process of gathering information about a target system, usually to find a way in, is known as footprinting. Although an attacker often uses technology for this, he may simply ask for the information. If the right person asks, he or she will often get it all too easily.
A social engineering attack usually involves an attacker impersonating a seemingly harmless person in order to deceive company personnel into handing over information. Obtaining that information may be the actual goal, or it may be used to help the attacker penetrate a secured system. The information can be a user ID, password, access code or other kind of sensitive information, but it can also be information that seems harmless to share. A company phoned by a student conducting a survey about which operating systems and software it uses may actually be giving valuable information to a malicious attacker. The motives of a social engineer are identical to those behind technology-based attacks: money, politics, curiosity, and terrorism, for example. Malevolent competitors and ex-employees who want to settle a score, sabotage a business, or steal a company secret often use social engineering techniques to reach their malicious goals.
A simple example of a social engineering attack is an attacker calling the help desk of a company pretending to be an employee who forgot his password. Social engineering attacks are often more complicated cons that require careful preparation as well as acting and persuasion skills. A social engineer collects bits and pieces of information that will lead him to his goal, typically using his most valuable tool, the phone. Calling a company and bluntly asking for the information may alarm the employee on the other end of the line and ruin the entire attack before it has really started. So before the attacker can persuade a victim to simply hand out information, he needs to slip into the skin of someone the victim will gladly give the information to, someone who works in the same company, for example. To do that he needs to know the company’s lingo, department structure, internal phone numbers, and anything else that will make him an “insider”. Once the attacker talks the talk and knows whom to impersonate and whom to ask for what, it is just a matter of asking the right questions without raising suspicion to get everything he wants.
Another method an attacker uses to gather such information, and possibly even more sensitive information, is dumpster diving. This term refers to going through trash bins in search of papers with employee and department names, administration codes, specifics about the company’s network environment, and other useful information: information that may seem worthless to most people, but may be just what a social engineer needs to make himself seem trustworthy. Social engineering is also a threat to physical security, where an attacker tries to gain physical access to a building or office, for example. An example frequently used in movies is the so-called 10-attack: an attractive individual distracts security personnel while an accomplice sneaks in. An attacker may also try to mislead security personnel and other employees by pretending to be a maintenance repairperson or a bug exterminator, for example.
Social engineers have found a relatively new way to obtain sensitive information from naïve people without having to pay them a visit or call them by phone: e-mail. The attacker sends malicious e-mail messages that seem legitimate and may even have a valid sender address. The message may contain a link that takes the victim to a website that looks exactly like a site where he or she frequently buys products online with a credit card. Or the message may seem to have been sent by the IT department and include an attachment that is supposedly the latest anti-virus update, which must be installed immediately. In reality, the attachment could be a Trojan horse that creates a backdoor for the attacker or logs keystrokes and sends them to the attacker by e-mail. The best defense against social engineering attacks by e-mail is using certificates for encrypting and signing e-mail messages, allowing a recipient to positively identify the sender.
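As an added example that is not part of the original article, the following Python script scans a constructed sample message for two of the indicators described above: a link whose visible text shows one shop's domain while the real target is another, and an executable attachment posing as an anti-virus update. The message, hosts and file names are constructed for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample (not from the article): lookalike-shop link plus an "anti-virus update" attachment.
SAMPLE_EMAIL = """\
From: IT Department <it@example.com>
To: alice@example.com
Subject: Urgent: install the latest anti-virus update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<p>Please confirm your order at
<a href="http://shop-example.invalid/login">https://shop.example.com</a></p>
--b1
Content-Type: application/octet-stream; name="av_update.exe"
Content-Disposition: attachment; filename="av_update.exe"

MZ-not-really
--b1--
"""

# Anchor tags in the HTML body: adequate for mail bodies, not a full HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(s):
    """Lower-cased host of a URL or bare domain; '' when the text is not URL-like."""
    s = s.strip()
    if " " in s or "." not in s:
        return ""
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def find_indicators(raw):
    """Warn on link text whose host differs from the real target, and on executable attachments."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower().endswith((".exe", ".scr", ".bat", ".js", ".vbs", ".hta")):
            warnings.append(f"executable attachment: {name}")
        if part.get_content_type() == "text/html":
            for href, inner in ANCHOR.findall(part.get_content()):
                shown = host_of(re.sub(r"<[^>]+>", "", inner))
                if shown and shown != host_of(href):
                    warnings.append(f"link shows {shown} but targets {host_of(href)}")
    return warnings
```

Link text such as "click here" carries no host and is skipped, so only text that itself looks like a domain is compared with the real target.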
Many companies have acknowledged the necessity of technology such as firewalls, intrusion detection systems, and advanced authentication systems to secure their information. However, this technology does not make them any less vulnerable to a savvy social engineer. It may actually lead to a false sense of security, which can make them an even easier target. To prevent successful social engineering attacks, security policies must be implemented and enforced. All employees must be informed and trained to recognize and appropriately respond to a potential social engineering attack.
One of the most important policies to implement is verification of requests. Not only should the identity of the requester be verified, but also the request he or she is making. A simple method to verify a caller’s identity is to call the person back at the phone number listed in the company’s phone directory. If someone outside the company asks for inside information, he or she should be referred to a manager or the Information Security department. When a copier maintenance person enters a building, the receptionist should verify the appointment and ask for ID.
By following some basic rules and using common sense, most social engineering attacks can be prevented. It is essential to educate employees about these types of attacks and the methods of a social engineer, because in any security system people are really the weakest link.