People Hacking: The Art of Social Engineering
Social engineering is one of the most overlooked aspects of information security, and yet it is the easiest way for someone, usually an employee, to gain access to restricted information on a computer network. Attacks can be either physical or psychological; each can be equally effective in acquiring confidential information. Methods used to get information can be either human-based or computer-based, and each method works for different psychological reasons. Protecting against social engineers boils down to policies that guard against their attacks, but to be successful these policies must also be complemented with an effective security awareness program.
Imagine a local banking company. The CIO is out of town on business. A group of strangers walks in early one morning, and by lunchtime they walk out with access to anything they want on the company's network. How did this happen? First of all, these so-called "strangers" researched the company and probably knew more about it than most employees. The intruders showed up at the front door and simply followed other employees into secured areas of the building. Each of them smiled while searching for a "lost" security badge when trying to enter the top floor where the VIPs were located; a friendly employee smiled back as he let them in. Since these strangers knew the CIO was out of town (something the HR department revealed when they called earlier in the week), they were able to get into his office, call the Help Desk, and have his password changed because his current one "wasn't working." Once they had access to the network, the intruders were able to hack into the system and become a super-user with access to valuable resources. They then sorted through the CIO's files, and even his trash, and found all kinds of useful information. These strangers walked out of the building a few hours later with "the keys to the kingdom," and no one at the bank had any idea what had just happened.

Scenarios such as the one above may not be as common as the everyday hacker trying to punch a hole through a corporate firewall, but they do happen. Although the intruders above used typical hacking tools once they were on the network, it took several days of preparation to gather the right information in order to get into the building and start hacking. The process of acquiring this information is what is known as social engineering, also known as "people hacking."
SOCIAL ENGINEERING BASICS
Social engineering can be defined as the process of deceiving someone into giving away confidential information or inappropriate access. A social engineer works to gain the trust of the intended victim and then uses this trust to get whatever data he needs. Basically, it is a confidence game that exploits a person's natural desire to help other people. Of all the hardware and software that make up a security system, the weakest link of all is the human being (Arthurs, 2001). Firewalls and intrusion detection systems cannot defend against such an attack, which is why it is one of the most successful ways to get information out of a secure computer network. It is human nature to want to help others, and this is the weakness exploited by the social engineer, the people hacker. Most companies are aware of the internal threat that social engineering poses, but they do not focus on this aspect of information security as much as they do on intrusion detection and prevention through hardware and software means. Since the majority of threats to a company's data are internal, there needs to be a greater emphasis on educating employees on how to protect against these threats.
THE GREATEST COMPUTER THREAT -- EMPLOYEES
The importance of protecting company assets has become much more of a priority in recent years,...
REFERENCES
Allen, Malcolm (2001). The Use of "Social Engineering" as a Means of Violating Computer Systems. Retrieved November 22, 2003, from http://www.sans.org/rr/papers/index.php?id=529
Arthurs, Wendy (2001). A Proactive Defence to Social Engineering. Retrieved November 22, 2003, from http://www.sans.org/rr/papers/index.php?id=511
Golomb, Gary (2003). IDS vs. IPS Commentary. Retrieved December 3, 2003, from http://www.linuxsecurity.com/articles/forums_article-7476.html
Gragg, David (2002). A Multi-Level Defense Against Social Engineering. Retrieved November 22, 2003, from http://www.sans.org/rr/papers/index.php?id=920
Gulati, Radha (2002). The Threat of Social Engineering and Your Defense Against It. Retrieved December 3, 2003, from http://www.sans.org/rr/papers/index.php?id=1232
Kessler International (2000, January 4). Employees, Not Hackers, Greatest Computer Threat. Retrieved December 13, 2003, from http://www.investigation.com/articles/library/2000articles/articles18.htm
Stevens, George (2002). Enhancing Defenses Against Social Engineering. Retrieved November 22, 2003, from http://www.giac.org/practical/gsec/George_Stevens_GSEC.pdf