
Social Engineering Fundamentals, Part II: Combat Strategies
by Sarah Granger
last updated January 9, 2002
-----------------------------------------------------------------

This is the second part of a two-part series devoted to social
engineering. In Part One, we defined social engineering as a hacker’s
clever manipulation of the natural human tendency to trust, with the
goal of obtaining information that will allow him/her to gain
unauthorized access to a valued system and the information that resides
on that system. To review: the basic goals of social engineering are the
same as hacking in general: to gain unauthorized access to systems or
information in order to commit fraud, network intrusion, industrial
espionage, identity theft, or simply to disrupt the system or network.

My first attempt at social engineering came before I even knew what the
term meant. In my junior and senior years of high school, I was the
student representative on my school district’s pilot technology
committee. The district wanted to test having a district-wide computer
network at my school my senior year, before implementing the network
across the district the following year. They requested bids and selected
the hardware and software for the pilot network, and my job senior year
was to help test the network. One day, I noticed that the new machines
and peripherals were not locked down, so I grabbed a monitor and mouse
and started strolling down the hall to see if anyone noticed. No one
did. Then I decided to take them outside. I made it to the back of the
parking lot and turned around, then decided that was a good enough test
and returned the items.

The fact that no one noticed or stopped me disturbed my sense of what
network security ought to mean, so I reported the test to the principal.
The following year, all of the new computers and peripherals in the
district were physically locked. My experience shows how simple,
straightforward and effective social engineering attacks can be. To this
day, I wonder how many computers school districts have lost due to
nonexistent prevention of social engineering attacks. This article will
examine some ways that individuals and organizations can protect
themselves against potentially costly social engineering attacks. I
refer to these practices as combat strategies.

Where to Begin? Security Policies

Social engineering attacks have two aspects: the physical aspect, meaning
where the attack takes place (in the workplace, over the phone, in the
dumpster, or on-line), and the psychological aspect, meaning how the
attack is carried out (persuasion, impersonation, ingratiation,
conformity, and friendliness). Combat strategies, therefore, require
action on both the physical and psychological levels. Employee training
is essential. The mistake many corporations make is to plan only for
attacks on the physical side, which leaves them wide open from the
social-psychological angle. So to begin,
management must understand the importance of developing and implementing
well-rounded security policies and procedures. Management must
understand that all of the money they spend on software patches,
security hardware, and audits will be a waste without adequate
prevention of social engineering and reverse social engineering attacks
(Nelson). One of the advantages of policies is that they remove the
responsibility of employees to make judgement calls regarding a hacker's
requests. If the requested action is prohibited by policy, the employee
has no choice but to deny the hacker's request.

Strong policies can be general or specific, but I recommend somewhere in
between. This gives the policy enforcers some flexibility in how
procedures will develop in the future, but limits staff from becoming
too relaxed in their daily practices. (See Security Focus’s Introduction
to Security Policies series.) The security policy should address
information access controls, setting up accounts, access approval, and
password changes. Modems should never be permitted on the company
intranet. Locks, IDs, and shredding should be required. Violations
should be posted and enforced.

Preventing Physical Attacks

In theory, good physical security seems like a no-brainer, but in order
to truly keep trade secrets from escaping the building, extra caution is
required. Anyone who enters the building should have his/her ID checked
and verified. No exceptions. Some documents will need to be physically
locked in file drawers or other safe storage sites (and their keys not
left out in obvious places). Other documents may require shredding –
especially if they ever go near the dumpster. Also, all magnetic media
should be bulk erased as “data can be retrieved from formatted disks and
hard drives.” (Berg). Lock the dumpsters in secure areas that are
monitored by security.

Back inside the building, it should go without saying that all machines
on the network (including remote systems) need to be well protected by
properly implemented passwords. (For some helpful hints, please see
SecurityFocus’s article Password Crackers: Ensuring the Security of
Your Password.) Screen saver passwords are also recommended. PGP and
other encryption programs can be used to encrypt files on hard drives
for further security.

Phone & PBX

One common scam is to illicitly place toll calls through an
organization’s PBX, or private branch exchange, a private telephone
network used within an organization. Hackers can call in and do their
impersonation routine, ask to be transferred to an outside line, and
then make multiple calls around the world, charging them to that
corporation. This can be prevented by instituting policies that disallow
transfers, controlling overseas and long-distance calls, and by tracing
suspicious calls. And if anyone calls saying that they are a phone
technician who needs a password to gain access, he/she is lying.
According to Verizon Communications, phone technicians can conduct tests
without customer assistance, therefore requests for passwords or other
authentication should be treated with suspicion (Verizon). All employees
should be made aware of this so that they are not susceptible to this
tactic.
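The toll-fraud pattern described above leaves a trace in the PBX's call-detail records, so the "refuse transfers", "trace calls" and "control overseas and long-distance calls" strategies can be backed by a routine check of those records. The script below is an added example, not part of the original article or of any PBX vendor's tooling: the CDR layout, the field names, the sample rows, the approved-extension list and the assumption that the company sits in the +1 numbering plan are all constructed for it, and a real export would need the parser adjusted.

```python
"""Flag PBX call-detail records (CDRs) that fit the toll-fraud pattern:
an outside caller is transferred to an outside line and then places
long-distance calls billed to the company.

The CDR layout, field names and sample rows below are constructed for
this example; real PBX exports differ and parse_cdr() would need adjusting.
"""
from __future__ import annotations

import csv
from collections import defaultdict
from io import StringIO

# Constructed sample export, one row per call leg.
#   direction: IN  = inbound from the public network
#              OUT = outbound to the public network
#              INT = internal, extension to extension
#   parent_id: the leg this one was transferred from (empty if none)
SAMPLE_CDR = """\
call_id,direction,from,to,parent_id,duration_s
1001,IN,+15550100,2201,,45
1002,INT,2201,2212,1001,30
1003,IN,+15550177,2201,,20
1004,OUT,2201,+442079460000,1003,612
1005,OUT,2201,+61299990000,1003,480
1006,OUT,2201,+81355550000,1003,720
1007,OUT,2240,+15550199,,90
1008,OUT,2240,+442079460100,,300
"""

# Assumption: the company is in the +1 numbering plan, so anything else
# counts as overseas/long-distance for the purposes of this check.
DOMESTIC_PREFIX = "+1"

# Assumption (constructed): extensions allowed to dial long-distance.
LD_APPROVED_EXTENSIONS = frozenset({"2240"})


def is_long_distance(number: str) -> bool:
    """True for E.164 numbers outside the domestic numbering plan."""
    return number.startswith("+") and not number.startswith(DOMESTIC_PREFIX)


def parse_cdr(text: str) -> list[dict]:
    """Parse the CSV export into dicts; duration becomes an int."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["duration_s"] = int(row["duration_s"])
    return rows


def find_toll_fraud(rows: list[dict],
                    approved: frozenset[str] = LD_APPROVED_EXTENSIONS,
                    max_ld_per_inbound: int = 1) -> list[dict]:
    """Apply three rules and return one alert dict per hit.

    trunk_to_trunk_transfer      an OUT leg whose parent leg is IN: an
                                 outside caller was handed an outside line
    multiple_ld_from_one_inbound one inbound call spawned more than
                                 max_ld_per_inbound long-distance legs
    unapproved_long_distance     a long-distance OUT leg from an extension
                                 not on the approved list
    """
    by_id = {row["call_id"]: row for row in rows}
    alerts: list[dict] = []
    ld_children: dict[str, list[str]] = defaultdict(list)

    for row in rows:
        if row["direction"] != "OUT":
            continue
        parent = by_id.get(row["parent_id"])
        long_distance = is_long_distance(row["to"])
        if parent is not None and parent["direction"] == "IN":
            alerts.append({"rule": "trunk_to_trunk_transfer",
                           "call_id": row["call_id"],
                           "origin_caller": parent["from"],
                           "to": row["to"]})
            if long_distance:
                ld_children[parent["call_id"]].append(row["call_id"])
        if long_distance and row["from"] not in approved:
            alerts.append({"rule": "unapproved_long_distance",
                           "call_id": row["call_id"],
                           "extension": row["from"],
                           "to": row["to"]})

    # An inbound call that fans out into several overseas legs is the
    # "multiple calls around the world" signature; report it once.
    for parent_id, kids in ld_children.items():
        if len(kids) > max_ld_per_inbound:
            alerts.append({"rule": "multiple_ld_from_one_inbound",
                           "call_id": parent_id,
                           "origin_caller": by_id[parent_id]["from"],
                           "children": kids})
    return alerts


if __name__ == "__main__":
    for alert in find_toll_fraud(parse_cdr(SAMPLE_CDR)):
        print(alert)
```

On the sample rows, the inbound call from +15550177 is handed an outside line three times and each leg is overseas, so every one of those legs is reported twice (transfer and unapproved extension) and the inbound call itself is reported once for fanning out; the ordinary international call from the approved extension 2240 is left alone. The origin_caller field carries the outside number from the inbound leg, which is what a "trace calls" policy needs to follow up.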

As was stated in the first article in this series, the Help Desk is a
major target for social engineering attacks, primarily because its job
is to disclose information that will be helpful to users. The best way
to protect the Help Desk against social engineering attacks is through
training. The Help Desk should absolutely refuse to give out passwords
without authorization. (In fact, it should be organizational policy that
passwords should never be disclosed over the phone or by e-mail; rather,
they should only be disclosed in person to trusted, authorized
personnel.) Callbacks, PINs, and passwords are a few recommended ways to
increase security. When in doubt, Help Desk workers are encouraged to
“withhold support when a call does not feel right” (Berg). In other
words, just say no.

Training, Training, Retraining

The importance of training employees extends beyond the Help Desk across
the entire organization. According to Naomi Fine, expert in corporate
confidentiality and President and CEO of Pro-Tec Data, employees must be
trained on “how to identify information which should be considered
confidential, and have a clear understanding of their responsibilities
to protect it” (Pro-Tec Data). In order to be successful, organizations
must make computer security part of all jobs, regardless of whether the
employees use computers (Harl). Everyone in the organization needs to
understand exactly why it is so crucial for confidential information to
be designated as such; it therefore benefits organizations to give
employees a sense of responsibility for the security of the network
(Stevens).

All employees should be trained on how to keep confidential data safe.
Get them involved in the security policy (Harl). Require all new
employees to go through a security orientation. Annual classes provide
refreshers and updated information for employees. Another way to
increase involvement, recommended by Ms. Fine, is through a monthly
newsletter. Pro-Tec Data, for example, provides newsletters with real
world examples of security incidents and how those incidents could have
been prevented. This keeps employees aware of the risks involved in
relaxing security. According to SANS, organizations use “some
combination of the following: videos, newsletters, brochures, booklets,
signs, posters, coffee mugs, pens and pencils, printed computer mouse
pads, screensavers, logon banners, notepads, desktop artifacts, T-shirts
and stickers” (Arthurs). Wow, I can just picture Dilbert in his cubicle
with all of that stuff. The important point made, however, is that these
things be changed regularly, or the employees will lose sight of their
meaning.

Spotting a Social Engineering Attack

Obviously, in order to foil an attack, it helps to be able to recognize
one. The Computer Security Institute notes several signs of social
engineering attacks to recognize: refusal to give contact information,
rushing, name-dropping, intimidation, small mistakes (misspellings,
misnomers, odd questions), and requesting forbidden information. “Look
for things that don’t quite add up.” Try thinking like a hacker. Bernz
recommends that people familiarize themselves with works such as the
Sherlock Holmes stories, How to Make Friends and Influence People,
psychology books, and even Seinfeld (he and George Costanza do have a
knack for making up stories) (Bernz). To understand the enemy, one must
think like him.

Companies can help to ensure security by conducting ongoing security
awareness programs. Organizational intranets can be a valuable resource
for this approach, particularly if on-line newsletters, e-mail
reminders, training games, and strict password changing requirements are
included. The biggest risk is that employees may become complacent and
forget about security. Continued awareness throughout the organization
is the key to ongoing protection - some organizations even create
security awareness programs, such as the distribution of trinkets
mentioned above.

Responding to Social Engineering Attacks

In the event that an employee detects something fishy, he or she will
need procedures in place for reporting the incident. It is important for
one person to be responsible for tracking these incidents – preferably a
member of the Incident Response Team (IRT), if the organization has one.
Also, that employee should notify others who serve in similar positions
as they may be threatened as well. From there, the IRT or individual in
charge of tracking (a member of the security team and/or system
administrator) can coordinate an adequate response.

Kevin Mitnick made an interesting point in his article entitled "My
First RSA Conference". Mitnick stated that the decision by conference
organizers to not hold any social engineering sessions was a mistake,
saying: “You could spend a fortune purchasing technology and services
from every exhibitor, speaker and sponsor at the RSA Conference, and
your network infrastructure could still remain vulnerable to
old-fashioned manipulation.” This is important. To increase awareness,
more security organizations should make social engineering a priority
for their programs and conferences. Also, organizations should routinely
conduct security audits so that security doesn’t become stale.

The following table lists some common intrusion tactics and strategies
for prevention:

 Area of Risk          Hacker Tactic                  Combat Strategy
 --------------------  -----------------------------  ------------------------------------------
 Phone (Help Desk)     Impersonation and persuasion   Train employees/help desk to never give
                                                      out passwords or other confidential info
                                                      by phone
 Building entrance     Unauthorized physical access   Tight badge security, employee training,
                                                      and security officers present
 Office                Shoulder surfing               Don’t type in passwords with anyone else
                                                      present (or if you must, do it quickly!)
 Phone (Help Desk)     Impersonation on help desk     All employees should be assigned a PIN
                       calls                          specific to help desk support
 Office                Wandering through halls        Require all guests to be escorted
                       looking for open offices
 Mail room             Insertion of forged memos      Lock & monitor mail room
 Machine room/Phone    Attempting to gain access,     Keep phone closets, server rooms, etc.
 closet                remove equipment, and/or       locked at all times and keep updated
                       attach a protocol analyzer     inventory on equipment
                       to grab confidential data
 Phone & PBX           Stealing phone toll access     Control overseas & long-distance calls,
                                                      trace calls, refuse transfers
 Dumpsters             Dumpster diving                Keep all trash in secured, monitored
                                                      areas, shred important data, erase
                                                      magnetic media
 Intranet-Internet     Creation & insertion of mock   Continual awareness of system and
                       software on intranet or        network changes, training on password
                       internet to snarf passwords    use
 Office                Stealing sensitive documents   Mark documents as confidential & require
                                                      those documents to be locked
 General-              Impersonation & persuasion     Keep employees on their toes through
 Psychological                                        continued awareness and training programs

Realistic Prevention

Yes, real prevention is a daunting task. Let’s be realistic: most
companies don’t have the financial or human resources to do all of
what’s listed above. However, some of the money spent on plugging
network holes can be redirected. The threat is as real as, if not more
real than, most network holes; however, we don’t want to create militant
help desk staff. Just be smart and reasonable. It is possible to keep morale
high and have a fun company culture without sacrificing security. By
slightly changing the rules of the game, the intruders no longer take
the wheel.

Resources

Arthurs, Wendy: “A Proactive Defence to Social Engineering,” SANS
Institute, August 2, 2001.
http://www.sans.org/infosecFAQ/social/defence.htm

Berg, Al: “Cracking a Social Engineer,” LAN Times, November 6, 1995.
http://packetstorm.decepticons.org/docs/social-engineering/soc_eng2.html

Fine, Naomi: “A World-Class Confidential Information and Intellectual
Property Protection Strategy,” Pro-Tec Data, 1998.
http://www.pro-tecdata.com/articles/world-class.html

Harl: “People Hacking: The Psychology of Social Engineering,” text of
Harl’s talk at Access All Areas III, March 7, 1997.
http://packetstorm.decepticons.org/docs/social-engineering/aaatalk.html

Nelson, Rick: “Methods of Hacking: Social Engineering,” Institute for
Systems Research, University of Maryland.
http://www.isr.umd.edu/gemstone/infosec/ver2/papers/socialeng.html

Stevens, George: “Enhancing Defenses Against Social Engineering,” SANS
Institute, March 26, 2001.
http://www.sans.org/infosecFAQ/social/defense_social.htm

Verizon: “PBX Social Engineering Scam,” 2000.
http://www.bellatlantic.com/security/fraud/pbx_scam.htm


Relevant Links

Social Engineering, Part One: Hacker Tactics
Sarah Granger, SecurityFocus

NLP-Powered Social Engineering
Anton Chuvakin and Gothstain

Copyright © 1999-2001 SecurityFocus