Social Engineering and the unseen enemy

Security is only ever as strong as its weakest link, and the majority of the time, an organisation’s users become the weakest point. No matter how much money is invested in IT security, installing firewalls, intrusion prevention systems, complex remote access systems, security guards, physical access passes or a myriad of other solutions that combine to form strong layered security, if users are not educated in the basic principles of security, it is all pointless.

Social Engineering

One of the greatest risks to an organisation is the possibility that one of its users could be manipulated or deceived into performing some action or disclosing confidential information to someone outside the business. Information Security terminology defines this manipulation as “social engineering”.

While the term social engineering is a fairly new term, this type of attack is as old as the human race itself. Two of the most famous social engineering attacks are those of the story of the wooden horse of Troy from Homer’s “The Odyssey”, and dating even further back to the start of the Bible with Adam and Eve and the Devil’s manipulation of Eve to persuade her to take a bite from the apple in the Garden of Eden. While not IT related, the story of Troy is a perfect example of strong security defeated via the weakest link, something people do not necessarily even see as security-related. Troy had withstood the attacks of the Greeks for over a decade. They had guards and soldiers, strong impenetrable walls and food to sustain them for countless years. It was only via the weakest link in their security model, their residents, that the Greeks were able to succeed.

In the present day, social engineering attacks are aimed at users in an attempt to reach a number of specific outcomes.

The most common objectives are:

• Gaining access to restricted data;
• Gaining access to restricted areas;
• Monetary gain and profit; and
• Identity theft

The first two in the list, gaining access to restricted data and areas, are most commonly aimed at gaining unauthorised access to an organisation. Identity theft is generally aimed at individuals, whereas monetary gain targets both areas. While the initiation and execution of these attacks follow different methods and paths, they all follow the same principle: manipulate the user without them knowing.

While an organisation may have implemented strong layered security, in a lot of environments, all that is required to access the network from anywhere in the world is knowing how to connect to the organisation’s remote access system, along with a valid username and password. In the past, this required the phone number of the organisation’s remote access modem, but with the commonplace use of sophisticated Virtual Private Network (VPN) devices in most organisations, all that is required is an IP address or a URL. There are countless methods for acquiring organisational information such as modem numbers, VPN access information usernames and possible passwords. Wardialing, the act of dialling consecutive numbers in an area looking for modems, was commonplace when modems were the chief method of remote access.

Trashing is the act of going through an individual’s or organisation’s trash looking for information such as account details for users and sometimes finding corresponding passwords. Google hacking is the act of using the Google search engine to extract as much usable information about a user or organisation as possible. And finally, the organisation’s Help Desk. If an attacker has the names of legitimate users within the organisation, including other information that may help to establish credibility, it is not difficult to impersonate a user and request an action such as a password reset or request information such as the VPN access details or modem number. A successful attack such as this would enable an attacker to access the organisation’s network from anywhere in the world. Depending on the access rights of the user they are impersonating, this could lead to vast compromises of critical systems.

Access to IT systems and the data contained within these systems is not the only goal of social engineers. Most media to large organisations have now implemented some form of physical access token to allow access to buildings, offices and restricted areas. These come in various forms, be they magnetic swipe cards, HID, RFID or just simple identification badges validated by other users or security guards. Social engineers have dozens of methods for bypassing these systems without the need to even touch the technology. By targeting the users of these systems, there is no need. Social engineering is a low tech solution for a high tech problem. All that is required is that the attacker fits into the environment, that he or she looks like she belongs in the organisation or is performing a valid task. Tailgating, the act of following close behind an individual, is a common method to bypass physical access controls. This method allows the attacker to follow another person through a restricted door after they have provided the required authentication. Impersonation, the act of pretending to be someone else, is extremely effective. How often have you seen tradesmen, cleaners or other individuals within your organisation? How often have you actually looked at their pass or asked to verify who they are? Have you ever held a door open for them while they wheeled in their trolley, or tools or carried a cumbersome box? These are all common methods of skilled social engineering.

Organisations are not the only prey of the social engineer. The vast amounts of SPAM and Phishing attacks everyone receives in their email are just another form of social engineering. Phishing attacks, the act of attempting to gain sensitive information by masquerading as a trusted individual, is a perfect example. The only differences between the attacks described above and Phishing are the targets and the methods. Phishing tends to aim at individuals on a personal level, rather than aimed at an individual in an attempt to compromise an organisation. Also, while the above methods are manual attacks, Phishing is generally automated and aimed at hundreds, thousands or even millions of users. This method provides the attacker with a much higher success rate and correspondingly, considerably more profit.

The only defence against social engineering is education. Organisations should implement a security awareness program that becomes a requirement when new staff begin, including annual refresher courses for established staff. Security awareness is an integral part of an organisation’s overall security implementation, and as such, is a mandatory requirement in the Payment Card Industry Data Security Standards (PCI:DSS), section 12.6. Security awareness and training are also specified in section 5.2.2 of the ISO 27001 security standards. While security awareness training should include such areas as password policies and acceptable use, the following areas specific to social engineering should be discussed:

1. Always wear identification badges – Identification badges should be worn and visible at all times by all staff, contractors and visitors. These should be easily identifiable to all staff. Visitor IDs should be returned at the end of their visit and disposed of properly.
2. Question unknown people – If staff see someone within their area that they do not recognise, or someone trying to tailgate, question them. Ask to see their ID or who they are visiting and escort them to that staff member.
3. Remove or turn around identification badges when outside the office – Staff who wear identification in full view when outside the office are providing more than enough information for an attacker to start a social engineering attack. While some passes only display a photo, most have valuable information for a social engineer. Common information displayed on corporate ID passes includes their full name, company and even the department the user belongs to within that company. When leaving the premises, remove the badge and place it in your pocket or handbag, or at the very least, turn the badge around so no information is visible.
4. Never write down passwords – Passwords should never be written down, period. Choose passwords that can be easily remembered without the need to write them down. Users commonly write down passwords and stick them to monitors, under keyboards, on their cubicle walls or place them in their desk drawer. A social engineer, contractor, visitor, cleaner or even other staff can easily see these when walking by a desk or by taking a few seconds to look for them. Paper, especially post-it notes that easily stick to other items, is commonly thrown out in the trash accidentally. This allows easy access for social engineers performing trashing attacks.
5. Help Desk staff should always validate users fully before disclosing any information – When talking to users on the telephone, any request to disclose or modify information should require the Help Desk to fully validate the user on the other end. Validation questions should always include some form of “non-wallet question”. A non-wallet question is something about a user that cannot be discovered from reading the contents of their wallet. If questions like DOB, address or driver’s license number are used, a social engineer who has stolen a wallet or been through a user’s trash will have easily obtained this information. Non-wallet questions should be something that the user knows and is not easily found out via trashing, Googling or simple social engineering of the user to obtain the information.
6. Shred all documents – All documents with any form of sensitive information should be shredded or placed in secure disposal bins that are shredded by a trusted third-party company. No documents with any confidential data should ever be thrown in the trash or recycling bins.
7. Do not open email attachments or visit URLs from unknown people or from suspicious emails – Users should be educated in basic phishing attacks and how they can identify a phishing attack versus a real email from a valid source.

A few examples include:

• Banks and other financial institutions will never send emails asking for your credentials or to log in to your account by using a link in the email.
• If a suspicious email is sent requesting you to visit a URL to a company you know, do not click on the link. Instead, open your web browser manually type the known URL for the company and visit the site that way.
• Never open an attachment sent by someone you do not know.
• Be wary of executable type attachments, for example, .exe, .com, .scr, sent by friends unless you are expecting this type of document. They may not realise that they are sending you a malicious file.

If a security awareness program is developed and implemented, the chances of successful social engineering attacks become far less likely. If an organisation’s users are no longer the weakest link, attacks against the company become a lot harder. Not only does security awareness help protect an organisation, but it also helps defend users in their personal lives.

Understanding common attacks and how to recognise and defend against them will help users protect themselves against attacks such as phishing, aimed at stealing their bank account or other personal details.