Security Awareness: Social Engineering Part Two

This is the last article in this two part series on Social Engineering. The term “social engineering” can be defined in various ways, relating to both physical and cyber aspects of that activity. For the purposes of this article, social engineering is referred to as an approach to gain access to information, primarily through misrepresentation, and often relies on the trusting nature of most individuals. It involves the conscious manipulation of people to obtain information without the individual realizing that a security breach is occurring. Most users are familiar with email phishing scams (a form of social engineering) and have been taught not to open attachments from unknown or un-trusted sources or to visit un-trusted web sites. There are other ways that a perpetrator may prey on the trusting human nature to gain access to information or systems.

Below are several examples of social engineering methods, many of which rely on direct contact with an individual, along with suggestions to minimize the likelihood that such methods will be successful.

IMPERSONATION

In this situation, the perpetrator pretends to be someone else (i.e., impersonating a senior official or someone from the help desk. The impersonation may occur over the telephone, in person, or via email. The perpetrator may try to make you feel obligated to assist, or under pressure to follow their directions. They may use intimidation or a false sense of urgency to seek your cooperation – prompting you to react before you’ve fully thought through the consequences.

Remember be cautious when responding to requests for sensitive or confidential information. Never give out your password to anyone, even if they claim that’s the only way they can assist.

PIGGYBACKING or TAILGATING

All too often, people will hold the door open for someone entering a secure area or the building without even knowing who the individual is or asking where they are going. The unauthorized individual may pre-tend to be a delivery person, a visitor, or even a fellow employee. This is referred to as “piggybacking” or “tailgating.”

Be cautious if an unknown or unauthorized individual is trying to follow you through access doors.

SHOULDER SURFING

This scenario refers to the ability of an attacker to gain access to information by simply watching what you are typing or seeing what is on your computer screen. This is known as “shoulder surfing”, and can also be done by looking through a window, doorway, or simply listening in on conversations. Be aware of your work environment and who is around you when you are working with confidential information, or even when you are typing in your password. Do not let others see you type your password, and protect your computer screen from unauthorized viewing. Computers in public areas should not have the monitors facing outward.

BAITING

This scenario involves an attacker asking a variety of seemingly innocuous questions designed to “catch” the right answers. The attack is often done over the telephone but can also be done in person. Items of conversation can also be introduced based upon replies received. Small amounts of facts are interjected at the right time into the conversation to make requests for information sound legitimate. Information you know could be valuable to an attacker-whether that information is about your work environment, fellow employees, projects, or personal information-must be handled with extreme care. Be mindful of what you say to whom.

SURVEYS

Many of us have no doubt been recipients of requests to participate in surveys—whether online, via telephone or otherwise. The surveys may be for legitimate purposes or might be a scam. In either case, be aware of unwittingly disclosing information that may be used inappropriately. For example, disclosure of details about your company, its network or infrastructure could prove extremely useful to someone with malicious intent. If you receive a survey request, you should contact the sponsoring organization to ensure the survey is legitimate, and make sure you are not sharing sensitive or confidential information with unauthorized individuals or organizations.

DUMPSTER DIVING

Do you shred all unneeded confidential or sensitive documents? Searching through trash (“dumpster diving”) is a method used by perpetrators to obtain sensitive information. When confidential and sensitive documents are no longer needed, be sure to shred or properly destroy these items appropriately.

Putting It All Together

The scenarios above represent just a few types of social engineering attempts you may encounter. By following some common sense rules and using your best judgment, you can defend against these attacks and better protect yourself and your information.

Before releasing any information to anyone, it is essential to at least establish: the sensitivity of the information your authority to exchange or release the information the real identity of the third party (positive identification) the purpose of the exchange.
Be aware of your surroundings. Make sure you know who is in range of hearing your conversation or seeing your work. Computer privacy screens are a great way to deter shoulder surfing in public places.
Before you throw something in the trash, ask yourself, ?Is this something I would give to an unauthor-ized person or want to become publicly available?? If you are not certain, always err on the side of caution and shred the document or deposit it in a secure disposal container.
If you don’t know someone who is in a restricted area, look for a badge or a visitor pass. If you are unsure about their authorization or access permission, report the situation to the appropriate staff.

Social Engineering – Are You At Risk? Part 2

The term “social engineering” can be defined in various ways, relating to both physical and cyber aspects of that activity. For the purposes of this article, social engineering is referred to as an approach to gain access to information, primarily through misrepresentation, and often relies on the trusting nature of most individuals. It involves the conscious manipulation of people to obtain information without the individual realizing that a security breach is occurring. Most users are familiar with email phishing scams (a form of social engineering) and have been taught not to open attachments from unknown or un-trusted sources or to visit un-trusted web sites. There are other ways that a perpetrator may prey on the trusting human nature to gain access to information or systems.

Below are just a few examples of social engineering methods, many of which rely on direct contact with an individual, along with suggestions to minimize the likelihood that such methods will be successful.

IMPERSONATION

In this situation, the perpetrator pretends to be someone else (i.e., impersonating a senior official or someone from the Help Desk. The impersonation may occur over the telephone, in person, or via email. The perpetrator may try to make you feel obligated to assist, or under pressure to follow their directions. They may use intimidation or a false sense of urgency to seek your cooperation – prompting you to react before you’ve fully thought through the consequences.

PIGGYBACKING or TAILGATING

All too often, people will hold the door open for someone entering a secure area or the building without even knowing who the individual is or asking where they are going. The unauthorized individual may pretend to be a delivery person, a visitor, or even a fellow employee. This is referred to as “piggybacking” or “tailgating.”

Be cautious if an unknown or unauthorized individual is trying to follow you through access doors.

SHOULDER SURFING

This scenario refers to the ability of an attacker to gain access to information by simply watching what you are typing or seeing what is on your computer screen. This is known as “shoulder surfing,” and can also be done by looking through a window, doorway, or simply listening in on conversations. Be aware of your work environment and who is around you when you are working with confidential information, or even when you are typing in your password. Do not let others see you type your password, and protect your computer screen from unauthorized viewing. Computers in public areas should not have the monitors facing outward.

Putting It All Together

Before releasing any information to anyone, it is essential to at least establish:
- the sensitivity of the information
- your authority to exchange or release the information
- the real identity of the third party (positive identification)
- he purpose of the exchange
Be aware of your surroundings. Make sure you know who is in range of hearing your conversation or seeing your work.

What is Social Engineering? Part 1 of 2

Like fraudsters generally, social engineers take advantage of human gullibility.

Social Engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. – Wikipedia

Social engineers manipulate people into revealing or allowing access to information assets by taking advantage of psychological traits (i.e., trust). Social engineering attacks play directly on the most vulnerable part of our information security framework: you and me. We are the weakest link in information security’s chain mail.

In a corporate context, social engineering is a factor in many information security incidents, including (perhaps especially) those perpetrated by insiders. Users have plenty of opportunities to use social engineering on each other, whether under the guise of casual inquiries or even jokes. An example might be (“Oh go on – I bet your password is something easy to guess like your cat’s name…”). They have the perfect cover story and plenty of opportunities to exploit their co-workers if desired.

Social Engineering Impacts

Social engineering techniques give unauthorized access to information.

‘ [1] Pretext calls’ by users can be particularly convincing as they have ready access to vast amounts of internal information to build their credibility. They can browse the email address book for telephone numbers and job titles to pick out suitable targets. Picking up the name of sensitive systems and projects is a breeze for insiders as well.

Finally, we come to the personal impacts of social engineering. Identity theft, for instance, is a fact of modern life. Some identity thieves use social engineering methods such as pretexting as part of their repertoire and [2] phishing methods to actively exploit our gullibility though social engineering.

Pretext — An effort or strategy to conceal something.

Phishing — An attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by email or instant messaging, and often directs users to enter details at a website, although phone contact has also been used.

Example of Social Engineering

Two security consultants walk into an office wearing “Computer Doctors” jumpsuits. They tell the administrative assistant that they have an order to fix the system. The assistant says, “Mr. Smith did not tell me about this, and he’s on vacation today and can’t be reached.” They reply, “We’re booked for the next two weeks. The system is overheating and could melt down at any moment. If it burns up because we were not allowed to work on it, somebody’s going to get fired. Are you sure you didn’t forget the order?” The assistant nervously lets them in.

- Dr. John Orlando

Network World

In part two of this series, we will wrap up social engineering by discussing the risks, threats, and what we can do to help detect and avoid social engineering.