By Kate Mackenzie
May 30 2006
Holding a security door open for someone laden with cups of coffee or
a big stack of documents may seem the polite thing to do. But you may
have fallen for a classic trick deployed by hackers.
The person might have been smartly dressed and looked legitimate, but
that is a key part of the deception of "social engineering", which
uses simple, everyday situations to deceive individuals into giving
out physical or technical access to facilities that can be a mine of
Whether getting into a building, eliciting a password over the
telephone or persuading a phishing victim to e-mail their banking
details, "social engineering" is responsible for more than half of
security breaches, and some estimates claim the proportion is as high
as 90 per cent.
Deploying a powerful firewall or maintaining up-to-date software
patches on thousands of desktop machines is easy compared with raising
employees' awareness of their own risky behaviour.
Last year, for example, three call centre staff at Mphasis, an Indian
outsourcer, tricked several Citibank customers into revealing their
Pin numbers and then stole hundreds of thousands of dollars, in an
incident that rocked the outsourcing industry.
Bob Blakley, chief scientist for security and privacy at IBM's Tivoli
division, says it is partly because there is no "standard set of
social behaviours" for tasks such as resetting a password over the
phone, so many people are easily persuaded to go along with risky
The problem is worsening, as hacking attempts and malware are
increasingly used by organised criminals, rather than fame-hungry or
Despite a consensus that it is always people who are the weakest point
in any security system, workplace prevention tactics are often
neglected or relegated to a set of acceptable use policies that are
largely ignored by staff.
By contrast, meticulous and detailed documents on the dishonest use of
"social engineering" techniques are easily available on the internet.
One such document details a vast number of techniques, ranging from
"dumpster diving" to shoulder surfing - looking over someone's
shoulder as they key in a password or Pin - to "conformity": for
example, telling the target that everyone else has given out their
password over the phone.
Appealing to people's better nature by phoning up and pretending to be
an out-of-town colleague who urgently needs to access the network is
In spite of all the experimentation and refinement of techniques to
persuade and confuse potential "social engineering" targets, the
security industry's response is almost exclusively focused on
technology rather than psychology.
What can be done about it? The first thing is to take a wider view of
security, says Jan Babiak, Head of Information Security at Ernst &
"For example in certain countries, you have a very good chance of
kidnapping senior executives. The physical security [team] take
enormous precautions, but the IT people might have left something like
a calendar somewhere where it's easy to hack into."
Cisco, meanwhile, urges executives to create a "top-down" culture of
security awareness instead of palming off all security to a separate
Dave Shackleford, the director of security solutions and assessment
services at Vigilar, a US security consultancy, says that executives
are often the softest target for "social engineering" experiments.
They tend to think they are "above the law" and have access to high
level information. They are also used to associating with other
top-level people, says Shackleford, so their trust levels are higher.
Mr Shackleford frequently puts clients' security defences to the test
by, for example, photographing staff IDs with a telephoto lens to copy
them. No attempted physical test undertaken by Vigilar has failed, he
Mr Shackleford says companies need policies in place: "If they don't
have explicit policies laid out for their employees, then they may not
know any better."
Vigilar's clients act on the information gleaned from the tests in
different ways, but punishing employees who fell for a "social
engineering" trick is not usually one of them.
"It's human nature to be helpful," says Mr Shackleford. Instead, they
tend to respond by improving training and awareness procedures.
Some of Mr Shackleford's techniques are frighteningly simple: "Just
phoning someone's extension can reveal if they are out of town, for
example, and for how long."
Robert Chapman, chief executive of The Training Camp, which runs
security awareness courses for non-IT staff, says: "All the talk and
all the money really is on technology. People in a sense brag about
how much they spent on their Cisco firewalls." But they overlook the
His company recently ran the well-publicised "CD test" in London in
which 100 CDs were handed out to workers in the City, promising a free
Valentine's Day gift if they installed it. Once installed, the CD
reported back to Chapman, who says the majority of recipients installed it.
Bruce Schneier, the cryptographer who also works as a security
consultant, is not so sure.
He believes technical security must take into account behaviours, but
does not believe "social engineering" can be adequately guarded
against by training: "Have you ever met a user?" he replies when asked
about efforts to improve staff awareness.
Technology, Mr Schneier says, must be more tailored to each user's
needs and risk levels. Does a typical office worker, for example, need
to have access to a USB port or even a CD drive?
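As an added example that is not from the article, here is one way to act on that question on a Linux desktop fleet (the article names no platform, so Linux is an assumption): a modprobe rule that stops the USB mass-storage and optical-drive kernel modules from loading, plus an audit function that reports whether the rule is in place and whether a driver is still loaded. The module names, the config path and the `CONF_DIR` override are assumptions of this example, not anything the article or Mr Schneier specifies.

```shell
#!/bin/sh
# Added example, not from the article. Assumption: a Linux host where USB sticks
# are handled by the usb-storage module and optical drives by sr_mod. Telling
# modprobe to run /bin/false instead of loading a module means the device is
# still enumerated but never gets a block device, so nothing can be mounted or
# copied from it. CONF_DIR defaults to the usual location but can be overridden
# (for example to a temporary directory when testing without root).
CONF_DIR="${CONF_DIR:-/etc/modprobe.d}"

# Write a modprobe rule that refuses to load the removable-media drivers.
block_removable_media() {
    mkdir -p "$CONF_DIR"
    {
        echo '# Removable media disabled by policy (defence against "free CD" style attacks).'
        echo 'install usb-storage /bin/false'
        echo 'install sr_mod /bin/false'
    } > "$CONF_DIR/disable-removable-media.conf"
}

# Return 0 when a blocking rule for module $1 exists in any .conf under CONF_DIR.
module_blocked() {
    grep -qs "^install $1 /bin/false" "$CONF_DIR"/*.conf
}

# Return 0 when module $1 is currently loaded. A modprobe rule only affects
# future loads, so an already-loaded driver must be removed with modprobe -r.
module_loaded() {
    [ -r /proc/modules ] && grep -q "^$1 " /proc/modules
}

# Report the state of both drivers: blocked or ALLOWED, and whether still loaded.
audit_removable_media() {
    for m in usb-storage sr_mod; do
        # /proc/modules lists modules with underscores rather than hyphens.
        proc_name=$(printf '%s' "$m" | tr - _)
        if module_blocked "$m"; then state="blocked"; else state="ALLOWED"; fi
        if module_loaded "$proc_name"; then
            state="$state (still loaded; run: modprobe -r $proc_name)"
        fi
        echo "$m: $state"
    done
}

# Only change the host when explicitly asked; otherwise just audit.
if [ "${1:-}" = "apply" ]; then
    block_removable_media
    modprobe -r usb_storage sr_mod 2>/dev/null || true
fi
audit_removable_media
```

Run it as root with `apply` to enforce the rule, or with no argument to audit a machine. The rule is per-host and says nothing about who plugged the device in, so it suits the "typical office worker" case the paragraph describes rather than roles that genuinely need removable media. On Windows the corresponding control is the "Removable Storage Access" Group Policy (or setting the USBSTOR service's Start value to 4), which is not shown here.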
"This is not just a 'get some guys on and solve it' problem," says
Schneier. "It's like murder, burglary - all of these things, they've
been around for ever."