Social Engineering Fundamentals, Part II: Combat Strategies
by Sarah Granger
last updated January 9, 2002
This is the second part of a two-part series devoted to social engineering. In Part One, we defined social engineering as a hacker’s clever manipulation of the natural human tendency to trust, with the goal of obtaining information that will allow him/her to gain unauthorized access to a valued system and the information that resides on that system. To review: the basic goals of social engineering are the same as hacking in general: to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network.
My first attempt at social engineering came before I even knew what the term meant. In my junior and senior years of high school, I was the student representative on my school district’s pilot technology committee. The district wanted to test having a district-wide computer network at my school my senior year, before implementing the network across the district the following year. They requested bids and selected the hardware and software for the pilot network, and my job senior year was to help test the network. One day, I noticed that the new machines and peripherals were not locked down, so I grabbed a monitor and mouse and started strolling down the hall to see if anyone noticed. No one did. Then I decided to take them outside. I made it to the back of the parking lot and turned around, then decided that was a good enough test and returned the items.
The fact that no one noticed or stopped me disturbed my sense of what network security ought to mean, so I reported the test to the principal. The following year, all of the new computers and peripherals in the district were physically locked. My experience shows how simple, straightforward and effective social engineering attacks can be. To this day, I wonder how many computers school districts have lost due to nonexistent prevention of social engineering attacks. This article will examine some ways that individuals and organizations can protect themselves against potentially costly social engineering attacks. I refer to these practices as combat strategies.
Where to Begin? Security Policies
Social engineering attacks have two different aspects: the physical aspect, which is the location of the attack, such as the workplace, the phone, the dumpster, or on-line; and the psychological aspect, which is the manner in which the attack is carried out, such as persuasion, impersonation, ingratiation, conformity, and friendliness. Combat strategies, therefore, require action on both the physical and psychological levels. Employee training is essential. The mistake many corporations make is to plan only for attacks on the physical side. That leaves them wide open from the social-psychological angle. So to begin, management must understand the importance of developing and implementing well-rounded security policies and procedures. Management must understand that all of the money they spend on software patches, security hardware, and audits will be a waste without adequate prevention of social engineering and reverse social engineering attacks (Nelson). One of the advantages of policies is that they remove the responsibility of employees to make judgement calls regarding a hacker's requests. If the requested action is prohibited by policy, the employee has no choice but to deny the hacker's request.
Strong policies can be general or specific, but I recommend somewhere in between. This gives the policy enforcers some flexibility in how procedures will develop in the future, but keeps staff from becoming too relaxed in their daily practices. (See SecurityFocus’s Introduction to Security Policies series.) The security policy should address information access controls, setting up accounts, access approval, and password changes. Modems should never be permitted on the company intranet. Locks, IDs, and shredding should be required. Violations should be posted and enforced.
Preventing Physical Attacks
In theory, good physical security seems like a no-brainer, but in order to truly keep trade secrets from escaping the building, extra caution is required. Anyone who enters the building should have his/her ID checked and verified. No exceptions. Some documents will need to be physically locked in file drawers or other safe storage sites (and their keys not left out in obvious places). Other documents may require shredding – especially if they ever go near the dumpster. Also, all magnetic media should be bulk erased as “data can be retrieved from formatted disks and hard drives.” (Berg). Lock the dumpsters in secure areas that are monitored by security.
Back inside the building, it should go without saying that all machines on the network (including remote systems) need to be well protected by properly implemented passwords. (For some helpful hints, please see SecurityFocus’s article Password Crackers - Ensuring the Security of Your Password.) Screen saver passwords are also recommended. PGP and other encryption programs can be used to encrypt files on hard drives for further security.
Phone & PBX
One common scam is to illicitly place toll calls through an organization’s PBX, or private branch exchange, the private telephone network used within an organization. Hackers can call in and do their impersonation routine, ask to be transferred to an outside line, and then make multiple calls around the world, charging them to that corporation. This can be prevented by instituting policies that disallow transfers, controlling overseas and long-distance calls, and by tracing suspicious calls. And if anyone calls saying that they are a phone technician who needs a password to gain access, he/she is lying. According to Verizon Communications, phone technicians can conduct tests without customer assistance, so requests for passwords or other authentication should be treated with suspicion (Verizon). All employees should be made aware of this so that they are not susceptible to this tactic.
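The transfer-control and call-tracing measures above can be checked against a PBX's call-detail records. The following is an added example, not code from the article or from any PBX vendor; it assumes a constructed comma-separated CDR format, a trunk-access digit of 9, and 9011 as the international dialing prefix, and it both enforces the "no transfer of an inbound call to an outside line" rule and flags records that violate it for the security team.

```python
"""Enforce and detect the PBX toll-fraud pattern: inbound call transferred out."""

# Constructed CDR sample (not real call data). Fields:
# timestamp,direction,caller,extension,transferred_to (empty if no transfer)
CDR_SAMPLE = """\
2002-01-08T09:12:04,inbound,+15555550123,2201,
2002-01-08T09:14:31,inbound,+15555550123,2201,9011442071234567
2002-01-08T09:16:02,inbound,+15555550123,2201,9011442071234568
2002-01-08T10:02:00,internal,2205,2210,
2002-01-08T10:30:45,inbound,+15555550199,2300,2305
"""

INTERNAL_EXT_LEN = 4      # assumed: internal extensions are four digits
OUTSIDE_PREFIX = "9"      # assumed trunk-access digit for an outside line
INTL_PREFIX = "9011"      # assumed international dialing prefix


def parse_cdrs(text):
    """Split CDR lines into dicts; tolerates a trailing newline."""
    rows = []
    for line in text.strip().splitlines():
        ts, direction, src, dst, xfer = line.split(",")
        rows.append({"ts": ts, "direction": direction, "src": src,
                     "dst": dst, "xfer": xfer})
    return rows


def is_outside_line(number):
    """An outside destination is longer than an extension and uses the trunk digit."""
    return len(number) > INTERNAL_EXT_LEN and number.startswith(OUTSIDE_PREFIX)


def transfer_allowed(direction, target):
    """Preventive policy: never transfer an inbound call to an outside line."""
    return not (direction == "inbound" and is_outside_line(target))


def flag_suspicious(rows):
    """Detective control: list (ts, caller, target, severity) for policy violations."""
    alerts = []
    for r in rows:
        if r["xfer"] and not transfer_allowed(r["direction"], r["xfer"]):
            severity = "high" if r["xfer"].startswith(INTL_PREFIX) else "medium"
            alerts.append((r["ts"], r["src"], r["xfer"], severity))
    return alerts


def repeat_callers(alerts, threshold=2):
    """Callers with at least `threshold` violations, for call tracing."""
    counts = {}
    for _, caller, _, _ in alerts:
        counts[caller] = counts.get(caller, 0) + 1
    return sorted(c for c, n in counts.items() if n >= threshold)
```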
As was stated in the first article in this series, the Help Desk is a major target for social engineering attacks, primarily because their job is to disclose information that will be helpful to users. The best way to protect the Help Desk against social engineering attacks is through training. The Help Desk should absolutely refuse to give out passwords without authorization. (In fact, it should be organizational policy that passwords should never be disclosed over the phone or by e-mail; rather, they should only be disclosed in person to trusted, authorized personnel.) Callbacks, PINs, and passwords are a few recommended ways to increase security. When in doubt, Help Desk workers are encouraged to “withhold support when a call does not feel right” (Berg). In other words, just say no.
Training, Training, Retraining
The importance of training employees extends beyond the Help Desk across the entire organization. According to Naomi Fine, expert in corporate confidentiality and President and CEO of Pro-Tec Data, employees must be trained on “how to identify information which should be considered confidential, and have a clear understanding of their responsibilities to protect it” (Pro-Tec Data). In order to be successful, organizations must make computer security part of all jobs, regardless of whether the employees use computers (Harl). Everyone in the organization needs to understand exactly why it is so crucial for confidential information to be designated as such, so it benefits organizations to give employees a sense of responsibility for the security of the network (Stevens).
All employees should be trained on how to keep confidential data safe. Get them involved in the security policy (Harl). Require all new employees to go through a security orientation. Annual classes provide refreshers and updated information for employees. Another way to increase involvement, recommended by Ms. Fine, is through a monthly newsletter. Pro-Tec Data, for example, provides newsletters with real world examples of security incidents and how those incidents could have been prevented. This keeps employees aware of the risks involved in relaxing security. According to SANS, organizations use “some combination of the following: videos, newsletters, brochures, booklets, signs, posters, coffee mugs, pens and pencils, printed computer mouse pads, screensavers, logon banners, notepads, desktop artifacts, T-shirts and stickers” (Arthurs). Wow, I can just picture Dilbert in his cubicle with all of that stuff. The important point made, however, is that these things be changed regularly, or the employees will lose sight of their meaning.
Spotting a Social Engineering Attack
Obviously, in order to foil an attack, it helps to be able to recognize one. The Computer Security Institute notes several signs of social engineering attacks to recognize: refusal to give contact information, rushing, name-dropping, intimidation, small mistakes (misspellings, misnomers, odd questions), and requesting forbidden information. “Look for things that don’t quite add up.” Try thinking like a hacker. Bernz recommends that people familiarize themselves with works such as the Sherlock Holmes stories, How to Make Friends and Influence People, psychology books, and even Seinfeld (he and George Costanza do have a knack for making up stories) (Bernz). To understand the enemy, one must think like him.
Companies can help to ensure security by conducting ongoing security awareness programs. Organizational intranets can be a valuable resource for this approach, particularly if on-line newsletters, e-mail reminders, training games, and strict password changing requirements are included. The biggest risk is that employees may become complacent and forget about security. Continued awareness throughout the organization is the key to ongoing protection - some organizations even create security awareness programs, such as the distribution of trinkets mentioned above.
Responding to Social Engineering Attacks
In the event that an employee detects something fishy, he or she will need procedures in place for reporting the incident. It is important for one person to be responsible for tracking these incidents – preferably a member of the Incident Response Team (IRT), if the organization has one. Also, that employee should notify others who serve in similar positions as they may be threatened as well. From there, the IRT or individual in charge of tracking (a member of the security team and/or system administrator) can coordinate an adequate response.
Kevin Mitnick made an interesting point in his article entitled "My First RSA Conference". Mitnick stated that the decision by conference organizers to not hold any social engineering sessions was a mistake, saying: “You could spend a fortune purchasing technology and services from every exhibitor, speaker and sponsor at the RSA Conference, and your network infrastructure could still remain vulnerable to old-fashioned manipulation.” This is important. To increase awareness, more security organizations should make social engineering a priority for their programs and conferences. Also, organizations should routinely conduct security audits so that security doesn’t become stale.
The following table lists some common intrusion tactics and strategies for prevention:
Yes, real prevention is a daunting task. Let’s be realistic: most companies don’t have the financial or human resources to do all of what’s listed above. However, some of the money spent on plugging network holes can be redirected. The threat is as real as, if not more real than, most network holes; however, we don’t want to create militant help desk staff. Just be smart and reasonable. It is possible to keep morale high and have a fun company culture without sacrificing security. By slightly changing the rules of the game, the intruders no longer take the wheel.
Arthurs, Wendy: “A Proactive Defence to Social Engineering,” SANS Institute, August 2, 2001. http://www.sans.org/infosecFAQ/social/defence.htm
Berg, Al: “Cracking a Social Engineer,” LAN Times, November 6, 1995. http://packetstorm.decepticons.org/docs/social-engineering/soc_eng2.html
Fine, Naomi: “A World-Class Confidential Information and Intellectual Property Protection Strategy,” Pro-Tec Data, 1998. http://www.pro-tecdata.com/articles/world-class.html
Harl: “People Hacking: The Psychology of Social Engineering,” text of Harl’s talk at Access All Areas III, March 7, 1997. http://packetstorm.decepticons.org/docs/social-engineering/aaatalk.html
Nelson, Rick: “Methods of Hacking: Social Engineering,” Institute for Systems Research, University of Maryland. http://www.isr.umd.edu/gemstone/infosec/ver2/papers/socialeng.html
Stevens, George: “Enhancing Defenses Against Social Engineering,” SANS Institute, March 26, 2001. http://www.sans.org/infosecFAQ/social/defense_social.htm
Verizon: “PBX Social Engineering Scam,” 2000. http://www.bellatlantic.com/security/fraud/pbx_scam.htm
This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.