Avoiding Social Engineering Attacks
"Social engineering" is hacker-speak for conning legitimate computer users into providing information that helps the hacker gain unauthorized access to their computer system.
An attacker using social engineering usually poses as a legitimate person in the organization (a fellow employee, a technician, a manager) and tricks computer users into giving up information they would not knowingly hand to an outsider. This is usually done by telephone, but it may also be done by forged e-mail messages or even an in-person visit.
Most people think computer break-ins are purely technical: the result of flaws in computer systems that intruders are able to exploit. In fact, social engineering often plays a big part in helping an attacker slip through the initial security barriers. A lack of security awareness, or simple gullibility, on the part of computer users often provides an easy stepping stone into a protected system for an attacker who has no authorized access to it at all.
In testimony before Congress after he was released from jail, our country's most notorious computer hacker, Kevin Mitnick, told the lawmakers that the weakest element in computer security is the human element. "I was so successful in [social engineering] that I rarely had to resort to a technical attack," Mitnick explained. He added that "employee training to recognize sophisticated social engineering attacks is of paramount importance."
As an example of how it is done, here is a quick summary of Case 2, a successful hacking operation based almost entirely on social engineering:
- Posing as someone from the public relations department, the hackers called an executive's secretary and succeeded in obtaining the executive's employee number. A second call exploited the knowledge of the executive's employee number in order to obtain the executive's cost center number, which was then used to receive overnight courier service delivery of the company's internal phone directory.
- The hackers called the office in charge of new employees and were able to obtain a list of new employees.
- Posing as information systems employees, the hackers told the new employees that they wanted to give them a computer security awareness briefing over the phone. During this "briefing," the hackers obtained supposedly basic information: the types of computer systems used, the software applications used, each employee's employee number, the employee's computer ID, and the employee's password.
- Using a "war dialer" together with a call to the company's computer help desk, the hackers obtained the phone numbers of the company modems.
- They then called the modems and used the compromised computer IDs and passwords to gain access to the system.
Case 2 contains a detailed explanation of how this was accomplished -- the cover stories and other manipulations that were used.
Some of the more common social engineering scenarios are:
- The attacker pretends to be a legitimate end-user who is new to the system or is simply not very good with computers. The attacker may call systems administrators or other end-users for help. This "user" may have lost his password, or simply can't get logged into the system and needs access urgently. The attacker may sound really lost, so that the systems administrator feels he is rescuing someone in distress. This often makes people go way out of their way to help.
- The attacker pretends to be a VIP in the company, screaming at administrators to get what he wants. In such cases, the administrator (or it could be an end-user) may feel threatened by the caller's authority and give in to the demands.
- The attacker takes advantage of a system problem that has come to his attention, such as a recently publicized security vulnerability in new software. The attacker gains the user's trust by posing as a system administrator or maintenance technician offering help. Most computer users are under the mistaken impression that it is okay to reveal their password to computer technicians.
- An attacker posing as a system administrator or maintenance technician can sometimes persuade a computer user to type in commands that the user does not understand. Such commands may damage the system or open a hole in its security that allows the attacker to enter the system at a later time.
Computer security experts recommend the following measures to outsmart a hacker:
- If you cannot personally identify a caller who asks for personal information about you or anyone else (including badge number or employee number), for information about your computer system, or for any other sensitive information, do not provide the information. Insist on verifying the caller's identity by calling them back at their proper telephone number as listed in your organization's telephone directory, never at a number the caller supplies. This procedure creates minimal inconvenience to legitimate activity when compared with the scope of potential losses.
- Remember that passwords are sensitive. A password for your personal account should be known ONLY to you. Systems administrators or maintenance technicians who need to do something to your account will not require your password. They have their own privileged accounts that allow them to work on your account, or to reset your password if necessary, without your revealing it. If a system administrator or maintenance technician asks you for your password, be suspicious.
- Systems maintenance technicians from outside vendors who come on site should be accompanied by the local site administrator (who should be known to you). If the site administrator is not familiar to you, or if the technician comes alone, it is wise to give a call to your known site administrator to check if the technician should be there. Unfortunately, many people are reluctant to do this because it makes them look paranoid, and it is embarrassing to show that they do not trust a visitor.
If you feel you have thwarted or perhaps been victimized by an attempt at social engineering, report the incident to your manager and to security personnel immediately.