Submitted by: Claudio LoCicero
With the advent of more intelligent and comprehensive technical security controls that guard against viruses and the like, social engineering has become the greatest non-technological risk to the security of personal and corporate information.
Although there are as many forms of social engineering attacks as there are books on the topic of information security, the aim of this article is to provide a general overview of a few of the most common scenarios, the principles of which can be extrapolated and applied as a litmus test to other situations an employee may be exposed to.
In its strictest form, social engineering is a category of security attacks in which someone manipulates another individual, either directly or indirectly, to acquire sensitive information or unauthorized access. An attack is performed by tricking an unsuspecting individual, building a trust relationship in some manner. One example of social engineering is an attacker who telephones an employee, pretends to be from the IT department, and asks the user to download and install a system update. Unbeknownst to the employee, this “update” is actually a Trojan horse that opens a backdoor through which the attacker gains full access to corporate network resources.
Phishing
Phishing is a type of scam that often leads to the theft of personal details such as passwords or credit card numbers. In one example, an attacker sends an employee of a business an email that appears to come from a legitimate website used by that employee, one that requires a user name and password to access his or her account. The email may ask the employee to reply with their account user name and password to update or verify account details or, more probably, ask the employee to follow a link to a specially created fake site that has the look and feel of the real site but has been set up specifically to steal personal information. Unsuspecting individuals are then fooled into entering user names, passwords, credit card numbers, or other private and confidential personal or corporate details on this fake website. After the required information is entered, the fake website redirects the individual to the real site and may even automatically pass along the previously entered credentials to allow seamless access. The employee is then completely unaware that they have been compromised.
Hoaxes
Hoaxes usually fall into two categories: virus hoaxes and urban myths. Although not usually considered a social engineering attack by mainstream information security specialists, they need to be treated as such because of the structure of the attacks themselves and their intended purposes.
a. Virus Hoaxes
A virus hoax is an email prank that warns readers about a supposed virus that has either already infected their computer or is about to do so through various means. Recipients of this type of hoax are usually tricked into downloading a file that is supposed to “fix” their computers but in actuality infects the computer with some type of Trojan or virus, causing further chaos. Additionally, when directed at a particular organization, this type of attack may be used as a diversionary tactic: the hoax engages IT personnel in a flood of support calls from internal users while the attacker tries to gain access to the organization’s network by other means.
b. Urban Myths
This is the type of hoax that inevitably wastes an individual’s time by having them chase something that doesn’t exist, possibly in addition to having personal information compromised. Recipients may be told that they can receive some type of prize for following the instructions contained in an email, or even be warned of bad luck for not following them. One such hoax promised a free pair of Nike running shoes for filling out a questionnaire that asked for personal information such as name and address and then forwarding the email to ten other individuals, perpetuating the compromise of personal information.
Dumpster Diving
Dumpster diving, again not usually considered social engineering in the traditional sense, allows attackers to exploit certain societal taboos, such as sifting through the garbage of others, and the collective belief that no one would do so. This collective belief has, over the years, allowed attackers to obtain large amounts of confidential information by sifting through corporate waste. Organizations dispose of policy manuals, meeting notes, memos, organizational charts, vacation schedules, and much more in their dumpsters. Sensitive documents should be shredded, and the type of shredder used depends on how difficult a document reconstruction task should be. Corporate data can be recovered from hard drives retrieved from dumpsters, so all electronic devices should have any stored data permanently erased with the tools available for this purpose. This method of attack has been so harmful that many organizations now keep their waste in secured areas and use only bonded waste removal companies that certify waste disposal and provide chain of custody reports.
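The point that deleted data can be recovered from discarded drives applies to individual files as well: an ordinary delete only unlinks the directory entry and leaves the bytes on disk. The following Python script is an added example, not part of the original article, showing the overwrite-verify-unlink sequence that sanitization tools perform for a single file, with a constructed “confidential memo” written to a temporary directory as the input. The function names, the pass count, and the marker string are assumptions made for the example.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 20  # overwrite 1 MiB at a time so large files need not fit in memory


def overwrite_file(path, passes=2):
    """Overwrite every byte of `path` in place: `passes` random passes, then one zero pass.
    Each pass is flushed and fsync'd so it reaches the device. Returns bytes overwritten."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for pass_no in range(passes + 1):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                # Final pass writes zeros; earlier passes write unpredictable bytes.
                fh.write(b"\0" * n if pass_no == passes else secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return size


def content_still_present(path, marker):
    """True if `marker` can still be read back from the file's current bytes."""
    with open(path, "rb") as fh:
        return marker in fh.read()


def sanitize_and_delete(path, marker=None):
    """Overwrite, verify the marker is gone, then unlink.
    Returns (bytes_overwritten, marker_gone)."""
    written = overwrite_file(path)
    gone = True if marker is None else not content_still_present(path, marker)
    os.remove(path)
    return written, gone


def demo():
    """Constructed scenario: a memo containing a recognisable marker string is written,
    sanitized, and checked. Returns (bytes_overwritten, marker_gone, file_still_exists)."""
    marker = b"CONFIDENTIAL: org chart and vacation schedule"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "memo.txt")
        with open(path, "wb") as fh:
            fh.write(marker * 100)
        written, gone = sanitize_and_delete(path, marker)
        return written, gone, os.path.exists(path)


if __name__ == "__main__":
    print(demo())  # (4500, True, False)
```

The verification step only proves the file's logical contents were replaced. On SSDs with wear levelling, on journaling or copy-on-write filesystems, and wherever snapshots or backups exist, the old blocks can survive an in-place overwrite, which is why drives leaving the organization should be sanitized as whole devices (or physically destroyed) rather than file by file.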
Employees have to be given the tools to understand and identify risks to corporate and personal confidential information. Organizations that provide an information security awareness program for their employees, with ongoing refresher training, have a competitive advantage over business rivals that do not have such a program in place, because they are much less likely to face the publicity, associated embarrassment, and loss of goodwill brought on by an information security breach that exposes confidential data, consumer or otherwise. Understanding information security risks and how they can affect your organization, and following industry standard best practices to safeguard information assets, just makes good business sense.
Written by Claudio LoCicero, M.S.
Over his career he has held several technical and management positions, both in the United States and overseas, within the private and government sectors. Claudio LoCicero holds a Master of Science in Information Technology with an Information Security Specialization. He also holds numerous professional certifications, such as the PMP, CISM, CISSP, and ITILF, along with several certifications from Cisco, Microsoft, and the NSA.