Social Engineering
People are too helpful
Would you think twice about holding the door open for someone you were smoking outside with? Or how about helping a lost new
employee find an office? Well, you should think twice. Being nice and helpful is great, but not so great when it compromises
your company's security. Smoking areas might be located outside locked doors, requiring a security badge to get back in. By
holding the door, the other person doesn't need to show his/her badge to enter. They may never have been employed by your
company in the first place. And that lost employee could have slipped in to find an empty office and an unattended computer
terminal. Be kind to each other, but be safe.
Art and science combined
Most dictionaries list social engineering as the art of getting people to do what you want. Car salesmen are exceptionally
good at the concept. Social engineering, in relation to computers and security, is quite a bit more dangerous than paying
retail on a vehicle. Basic human trust, being willing to take a person at his/her word, is a massive security vulnerability
in a business. Those who use social engineering to break into a company are masters at their craft.
Planning an attack
The goals of social engineering are almost the same as those of hacking: gain unauthorized access to information or systems to commit
fraud, network or system damage, industrial espionage, or identity theft. Attackers can spend days observing their target,
carefully looking for vulnerabilities and the best place to strike. Typical targets are bigger corporations and companies,
military and government agencies, and hospitals. Attackers use both physical and psychological tactics to break their target.
Phones, trash cans, and basic observation are all an 'in' for an attacker.
Example Tactics
- PHONES: an attacker will call unsuspecting employees, asking for the CEO. The employee will tell
the attacker that Mr. Doe is out on vacation. Now the attacker knows that Doe won't be a problem, and can call back,
pretending to be Mr. Doe in desperate need of his network password. The ever so helpful and trusting tech will gladly
either rattle off the password or reset it for the fake Mr. Doe. The attacker now has all the rights he/she would need
to access the company's mainframe and download or destroy data.
- TRASH CANS: after an attacker convinces an employee to let them inside the building, trash cans are an excellent
source of information. All sorts of interesting passwords and documents end up thrown away. Calendars could point out days
that key staff will be out of the building or unavailable. Phone lists are a one-stop shop for information and accessibility.
Memos provide background information that an attacker can manipulate to add authenticity. Your trash can end up being worth its
weight in gold.
- INTERNET: a wonderful source of information for both you and an attacker. In what is known as 'phishing', an attacker
can send out an authentic-looking email about a fake sweepstakes; all you have to do to enter is create a user ID and a password.
Since most people use a simple password for all their accounts, not paying attention to where the link is pointing
would be like handing a stranger your entire keychain. Trojans can also be sent to the unwary user via the internet.
An attacker could send around a 'company' email about a network problem, stating that he/she needs logon information to
test or fix the problem.
Security in short
No matter how much money a company spends on technology to make its little technological island unbreachable, human weakness
is the one uncontrollable factor. Security training and testing go a long way to inform employees of attack tactics, but they're far from
perfect. Humans want to believe another person, and are taught at an early age to be as helpful as possible. Attackers capitalize on
that training to waltz in and take whatever they want. Keep aware, and when in doubt call a supervisor. NEVER EVER give out your
logon information unless you are talking face-to-face with an employee you recognize, and only then if there's a valid, tangible
need. Most company IT personnel have the capability to change your password themselves for testing or repair, so there should be
very little need for you to repeat your current password.
Keep informed
Make sure to know your chain of command, so that if something is fishy, you
know who to call for verification. If your boss were to really call for privileged information (one, you should never know his
password, and two, he should really be calling the IT department for this), find his cell or home phone number within the company and
call him back. If it's an attacker pretending to be your boss, simply calling a contact number that you already have would end his
tricks. Put a little effort and thought into preserving your security.