If users in your organization who have legitimate access to your network can be manipulated into revealing their passwords or allowing an unauthorized person to use their computers, all of your technological attack prevention methods are for naught. Every burglar knows that the easiest way to break into a building is to unlock the door with the key, rather than spend hours trying to jimmy the lock or use brute force to break out a window.
In the context of computer security, the process of getting that key is called social engineering. Social engineers don't even need to be particularly technically savvy; it's their "people skills" that get them in where they aren't supposed to be. They use charm, intimidation or trickery to convince others to disclose information that compromises the security of the network. Kevin Mitnick became famous (and went to jail) because of his mastery of the art. He's even written a book on the subject with co-author William L. Simon, with a foreword by Steve Wozniak: The Art of Deception: Controlling the Human Element of Security (published by John Wiley and Sons, 2002).
How Does Social Engineering Work?
Social engineering is defined as a "non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures." (from searchsecurity.techtarget.com). Common social engineering scenarios include:
- Telephoning a user and posing as a member of the IT team who needs the user's password and other information in order to troubleshoot problems with the network or the user's account.
- Telephoning the IT department and posing as a high-ranking executive in the company, claiming to have forgotten his/her password and demanding an immediate reset because of a pressing business urgency.
- Developing a personal relationship with a user or IT team member with the intent of "sweet talking" the person out of confidential information that can be used to break into the network.
A good social engineer is not only a good actor, but is also good at "reading" people to determine what type of ploy will work best with a particular person. When a hacker combines social engineering skills with technical expertise, the combination defeats many networks whose technical controls alone would have held: a single password or a single opened attachment is often all the foothold that is needed. Many common Internet scams, such as phishing e-mails purporting to be from a user's bank or credit card company and directing the user to a Web site where they're asked to fill in account information, are forms of social engineering.
Some social engineers base their success on research abilities. Such activities as "dumpster diving" (going through discarded paperwork to find credentials and other useful information) can also be considered a form of social engineering. Some hackers may develop elaborate schemes to pose as building repair personnel or even temporarily take jobs as janitors to gain initial access, while others do all of their work from afar and never set foot near the physical site. A determined hacker may put days or weeks of effort into gaining the trust of a target employee. This may be done in person, over the telephone or via e-mail or IM.
"Reverse social engineering" is a term used to refer to hackers who create some sort of problem on the network or the user's computer and then come to the rescue (like the cases we occasionally read about where a person sets a fire and then rushes in to put it out, becoming an instant hero to the victims). This helps the social engineer gain trust quickly, and makes it easier for him/her to get desired information out of the victim. For example, the social engineer might then send an e-mailed attachment that contains malicious code through which he can gain control of the victim's computer. Because the victim now "knows" (and trusts) the engineer, the victim doesn't exercise the same caution about opening the attachment as would be the case if the attachment were from someone else.
How Can You Defend Against Social Engineers?
Defending against social as well as technical threats should be part of your "defense in depth" strategy, but it's often ignored. Don't assume that your users "know better" than to give out their passwords. Unless explicitly instructed otherwise, the average employee has no reason to question someone who seems to have a legitimate reason for asking. Even IT team members who are security-conscious might be hesitant to ask for proof of identity from an irate person claiming to be a member of upper management.
Protecting the network from social engineering attacks requires, first and foremost, a set of security policies that lay out the reasons and procedures for responding to these types of requests. Just developing the policies is not enough. In order to be effective:
- All members of management must agree to the policies and understand the need to properly prove their identities when making requests for passwords, etc.
- The policies must be disseminated to all users of the network, with education and training provided as to why compliance is essential.
- There should be explicitly defined consequences for violating the policies.
Your security policies should be specific and should address such issues as:
- Strong password policies: minimum length, complexity requirements, prohibition on dictionary words and easily guessed numbers such as birthdates and social security numbers, prohibitions on writing down passwords. Note that current guidance (NIST SP 800-63B) no longer recommends forcing password changes at fixed intervals, because scheduled rotation pushes users toward predictable variations of the old password; require a change when compromise is known or suspected instead.
- Prohibitions against disclosing passwords, to whom (if anyone) passwords can be disclosed and under what circumstances, procedure to follow if someone requests disclosure of passwords.
- Requirement that users log off or use password protected screensavers when away from the computer, cautionary instructions on ensuring that no one is watching when you type in logon information, etc.
- Physical security measures to prevent visitors and outside contractors from accessing systems to place keyloggers, etc.
- Procedure for IT personnel to verify the identity of users, and for users to verify the identity of IT personnel (secret PINs, callback to the telephone number on record rather than the number the caller offers, etc.).
- Policies governing destruction (shredding, incineration, etc.) of paperwork, disks and other media that hold information a hacker could use to breach security.
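The following is an added example, not code from the original article, of the identity-verification procedure the policy list calls for: the helpdesk hangs up, calls back the number held in the directory (never the number the caller supplies), and asks for a secret PIN, locking the account after repeated failures. The directory entry, phone numbers, PIN and attempt limit are constructed for the example.

```python
"""Added example (not from the original article): helpdesk identity check
using callback-to-number-on-record plus a secret PIN with lockout.
Directory contents, phone numbers, PINs and MAX_PIN_ATTEMPTS are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

MAX_PIN_ATTEMPTS = 3          # assumption; set to your policy
PBKDF2_ITERATIONS = 100_000


@dataclass
class DirectoryEntry:
    user_id: str
    phone_on_record: str      # set at enrollment, never by a caller
    pin_salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Slow, salted hash so a copied directory does not hand out every PIN.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


def enroll(user_id: str, phone: str, pin: str) -> DirectoryEntry:
    salt = secrets.token_bytes(16)
    return DirectoryEntry(user_id, phone, salt, hash_pin(pin, salt))


# Constructed directory for the example.
DIRECTORY = {"jsmith": enroll("jsmith", "+1-555-0100", "482913")}


def callback_number(user_id: str) -> Optional[str]:
    """Number the helpdesk dials after hanging up on the inbound call.

    The caller's own number is deliberately not a parameter: a social
    engineer will always offer a number they control, so only the
    directory decides where the callback goes. Unknown or locked
    accounts cannot be verified by phone at all."""
    entry = DIRECTORY.get(user_id)
    if entry is None or entry.locked:
        return None
    return entry.phone_on_record


def verify_pin(user_id: str, pin: str) -> bool:
    """Check the PIN given on the callback. Constant-time comparison, and
    lockout after MAX_PIN_ATTEMPTS failures so a short PIN cannot be guessed."""
    entry = DIRECTORY.get(user_id)
    if entry is None or entry.locked:
        return False
    if hmac.compare_digest(hash_pin(pin, entry.pin_salt), entry.pin_hash):
        entry.failed_attempts = 0
        return True
    entry.failed_attempts += 1
    if entry.failed_attempts >= MAX_PIN_ATTEMPTS:
        entry.locked = True   # clearing this requires in-person verification
    return False


def handle_reset_request(user_id: str, caller_supplied_number: str,
                         pin_on_callback: str) -> str:
    """Whole procedure for a 'forgot my password' call. The returned string
    is what goes into the incident log, including the number actually dialled."""
    number = callback_number(user_id)
    if number is None:
        return "REFUSE: unknown or locked account"
    note = ""
    if number != caller_supplied_number:
        # Worth recording: the caller wanted the callback sent elsewhere.
        note = " (caller asked for callback to a different number)"
    if not verify_pin(user_id, pin_on_callback):
        return f"REFUSE: PIN check failed on callback to {number}{note}"
    return f"APPROVE: verified via callback to {number}{note}"


if __name__ == "__main__":
    # Impostor supplies their own number and a guessed PIN.
    print(handle_reset_request("jsmith", "+1-555-0199", "000000"))
    # Legitimate user, reached on the number of record.
    print(handle_reset_request("jsmith", "+1-555-0100", "482913"))
```

The point the code makes is in `callback_number`: the verification path takes nothing from the caller except the claimed user ID, so an attacker who has researched the target still has to be physically reachable at the victim's desk phone and know the PIN.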
Social Engineering Prevention and Detection Checklist
To prevent social engineers from succeeding in gaining the information they need to do their dirty work on your network, and to help detect when a possible social engineering attempt is occurring, the following steps should be taken:
- Physically secure the computers and network devices.
- Develop a detailed security policy addressing social engineering issues and enforce it throughout the company.
- Provide all users with training in how to recognize a social engineering attempt.
- Lock up paperwork and magnetic media containing confidential information and destroy it when it is no longer needed.
A good practice is to create a centralized database that logs social engineering attempts, recording at least the time, the channel (phone, e-mail, in person), the identity the caller claimed, what was requested and whether anything was disclosed. For example, if a secretary receives a call from someone pretending to be the IT manager and asking for her password, she should be able to report the incident to a designated person or department, where it would be logged. Reporting should be easy and free of blame, or the people who did give something away will stay quiet and you will lose the most important records. This allows you to detect patterns and to be on guard for security breaches, because you know someone is trying to get information that can be used to get into your network.
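As an added example (not from the original article), the following shows the pattern detection the paragraph describes: reports are grouped by pretext (claimed identity plus what was asked for) and an alert is raised when several arrive within a short window across different departments, listing who disclosed something so their credentials can be reset first. The report records, field names, window and threshold are constructed assumptions.

```python
"""Added example (not from the original article): a centralized log of
reported social engineering attempts and a detector that flags a campaign
when several reports share the same pretext within a time window.
Records, field names, the 4-hour window and the threshold of 3 are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Report:
    reported_at: datetime
    reporter: str
    department: str
    channel: str            # phone, email, in person
    claimed_identity: str   # who the caller said they were
    requested: str          # what they asked for
    disclosed: bool         # whether the target gave anything up


# Constructed reports for the example: one phone campaign posing as the
# helpdesk across three departments, one unrelated e-mail, and a stray
# report the next day that uses the same pretext but falls outside the window.
REPORTS = [
    Report(datetime(2024, 3, 4, 9, 5), "alice", "Finance", "phone",
           "IT helpdesk", "password", False),
    Report(datetime(2024, 3, 4, 9, 40), "bob", "HR", "phone",
           "IT helpdesk", "password", True),
    Report(datetime(2024, 3, 4, 10, 15), "carol", "Sales", "phone",
           "IT Helpdesk", "Password", False),      # case differs; normalised below
    Report(datetime(2024, 3, 4, 11, 0), "dan", "Legal", "email",
           "CEO", "wire transfer", False),
    Report(datetime(2024, 3, 5, 9, 0), "erin", "Finance", "phone",
           "IT helpdesk", "password", False),
]


def pretext_key(r: Report) -> Tuple[str, str]:
    # Normalise so "IT Helpdesk"/"Password" and "IT helpdesk"/"password" match.
    return (r.claimed_identity.strip().lower(), r.requested.strip().lower())


def detect_campaigns(reports: List[Report],
                     window: timedelta = timedelta(hours=4),
                     min_reports: int = 3) -> List[Dict]:
    """Return one alert per pretext that has at least `min_reports` reports
    inside any `window`-long interval. Uses a sliding window over reports
    sorted by time, so a report a day later does not join the cluster."""
    by_pretext: Dict[Tuple[str, str], List[Report]] = defaultdict(list)
    for r in reports:
        by_pretext[pretext_key(r)].append(r)

    alerts = []
    for pretext, rs in by_pretext.items():
        rs.sort(key=lambda r: r.reported_at)
        start = 0
        for end in range(len(rs)):
            while rs[end].reported_at - rs[start].reported_at > window:
                start += 1
            cluster = rs[start:end + 1]
            if len(cluster) >= min_reports:
                alerts.append({
                    "pretext": pretext,
                    "first_seen": cluster[0].reported_at,
                    "last_seen": cluster[-1].reported_at,
                    "channels": sorted({r.channel for r in cluster}),
                    "departments": sorted({r.department for r in cluster}),
                    # Reset these accounts first; the attacker already has something.
                    "disclosed_by": sorted(r.reporter for r in cluster if r.disclosed),
                })
                break   # one alert per pretext is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_campaigns(REPORTS):
        print(alert)
```

Three reports within 70 minutes, three departments, one disclosure: the detector returns a single alert for the helpdesk pretext and ignores the lone "CEO" e-mail and the next-day report. In a real deployment the same query would run against the ticketing or SIEM database rather than an in-memory list, and the alert would go to the incident response queue.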
Social engineering is the easiest way for a hacker to gain access to your network, and one of the most common - yet many companies spend thousands of dollars on thwarting technical attacks and do nothing to prevent exploitation of "the human factor." Establishing policies is the first step in preventing socially engineered attacks, but perhaps the most important step is educating employees to make them aware of the danger of social engineering. The people who fall prey to social engineering scams - whether it's a ruse by an outsider pretending to be a company manager who needs a password changed or an advance-fee e-mail from a stranger pretending to be a wealthy Nigerian with money to give away - are usually those who haven't heard about the scam. Security awareness should be part of the training of every employee who uses the network, and in order to be effective, it should be ongoing. Forewarned is forearmed, especially when it comes to social engineering.