John Berti, CISSP and Marcus Rogers, Ph.D., CISSP
Information security practitioners are keenly aware of the three major goals of information security: availability, integrity, and confidentiality (the AIC triad). However, none of these goals is attainable if there is a weak link in the defense or security “chain.” It has often been said that in information security one is only as strong as one’s weakest link. When we think of information and information technology security, we tend to focus our collective attention on certain technical areas of this chain. There are numerous reference sources available to information security practitioners that describe the latest operating system, application, or hardware vulnerabilities. Many companies have built their business plans around being the first to discover these vulnerabilities and then provide solutions to the public and to the vendors themselves. It is quite obvious that the focus of the security industry has been primarily on hardware, software, firmware, and the other technical aspects of information security.
The security industry seems to have forgotten that computers and technology are merely tools, and that it is the human who is using, configuring, installing, implementing, and abusing these tools. Information security is more than just implementing a variety of technologically complex controls. It also encompasses dealing with the behavior or, more appropriately, the misbehavior of people. To be effective, information security must also address vulnerabilities within the “wetware,” a term used to describe people. One can spend all the money and effort one wants on technical controls and on producing better, more secure code, but all of this is moot if our people give away the “keys to the kingdom.” Recent research on network attacks clearly indicates that this is exactly what people are doing, albeit unintentionally. We seem to have done a good job instilling the notions of teamwork and cooperation in our workplaces. So much so that in our eagerness to help out, we are falling prey to unscrupulous people who gain unauthorized access to systems through attacks categorized as “social engineering.”
This chapter attempts to shed some light on social engineering by examining how this attack works, what the common methods are, and how we can mitigate the risk of social engineering through proper education, awareness training, and other controls. This is not intended to be a “how-to” chapter, but rather a discussion of some of the details of this type of attack and of how to avoid becoming a victim of social engineering. None of this information is secret; it is already well known to certain sectors of society. It is therefore all the more important for information security professionals to be aware of social engineering and of the security controls that mitigate the risk.
Defining Social Engineering
To understand what social engineering is, it is first important to clearly define what is being discussed. The term “social engineering” is not new. It comes from the field of social control. Social engineering can refer to the process of redefining a society (or, more correctly, engineering a society) to achieve some desired outcome. The term can also refer to the process of attempting to change people’s behavior in a predictable manner, usually in order to have them comply with some new system. It is the latter, social-psychological definition of social engineering that is germane to this discussion. For our purposes, social engineering will refer to:
    Successful or unsuccessful attempts to influence a person or persons into either revealing information or acting in a manner that would result in unauthorized access to, unauthorized use of, or unauthorized disclosure of an information system, network, or data.
From this definition, social engineering is roughly synonymous with conning or deceiving someone. Using deception to con a person is nothing new in the field of criminal activity; and despite its longevity, this kind of behavior is still surprisingly effective.
It would be very interesting at this point to include some information on the apparent size of the social engineering problem. Unfortunately, there is very little data to use for this purpose. Despite the frequent references to social engineering in the information security field, there has not been much direct discussion of this type of attack. The reasons for this vary; some within the field have suggested that social engineering attacks the intelligence of the victim and, as such, there is a reluctance to admit that it has occurred. Despite this reluctance, some of the most infamous computer criminals have relied more on social engineering to perpetrate their crimes than on any real technical ability. Why spend time researching and scanning systems looking for vulnerabilities, and risk being detected, when one can simply ask someone for a password? Most computer criminals, like most criminals of any kind, are opportunists. They look for the easy way into a system, and what could be easier than asking someone to let them in?
Why Does Social Engineering Work?
The success of social engineering attacks is primarily due to two factors: basic human nature and the business environment.
Human Nature
Falling victim to a social engineering attack has nothing to do with intelligence, and everything to do with being human, being somewhat naïve, and not having the proper mindset and training to deal with this type of attack. People, for the most part, are trusting and cooperative by nature. The field of social psychology has studied human interactions, both in groups and individually. These studies have concluded that almost anyone who is put in the right situation and who is dealing with a skilled person can be influenced to behave in a specific manner or to divulge information he or she would not divulge in other circumstances. These studies have also found that people who are in authority, or who have the air of being in authority, easily intimidate other people.
For the most part, social engineering deals with individual dynamics as opposed to group dynamics, as the primary targets are help desks and administrative or technical support people, and the interactions are usually one-on-one but not necessarily face-to-face (i.e., the relationship is usually virtual in nature, either by phone or online). As discussed in this chapter, attackers tend to seek out individuals who display signs of being susceptible to this psychological attack.
Business Environment
Combined with human nature, the current business trend of mergers and acquisitions, rapid advances in technology, and the proliferation of wide area networking have made the business environment conducive to social engineering. In today’s business world it is not uncommon never to have met the people one deals with on a regular basis, including those from one’s own organization, let alone suppliers, vendors, and customers. Face-to-face human interaction is becoming even rarer with the widespread adoption of telecommuting technologies. In today’s marketplace, one can work for an organization and, apart from a few exceptions, rarely set foot in the office. Despite this layer of abstraction between us and the people in our working environment, our basic trust in people, including those we have never actually met, has pretty much remained intact.
Businesses and organizations today have also become more service oriented than ever before. Employees are often rated on how well they contribute to a “team” environment and on the level of service they provide to customers and other departments. It is rare to see a category on an evaluation that measures the degree to which someone used common sense, or whether an employee is conscious of security when performing his or her duties. This is a paradigm that needs to change in order to deal effectively with the threat of social engineering.
Social Engineering Attacks
Social engineering attacks tend to follow a phased approach and, in most cases, closely resemble the way intelligence agencies infiltrate their targets. For simplicity, the phases can be categorized as:
- Intelligence gathering
- Target selection
- The attack
Intelligence Gathering
One of the keys to a successful social engineering attack is information. It is surprisingly easy to gather sufficient information on an organization and its staff to sound like an employee of the company, a vendor representative, or in some cases a member of a regulatory or law enforcement body. Organizations tend to put far too much information on their Web sites as part of their marketing strategies. This information often describes or gives clues as to the vendors they deal with, lists phone and e-mail directories, and indicates whether there are branch offices and, if so, where they are located. Some organizations even go as far as publishing their entire organizational charts on their Web pages. All this information may be nice for potential investors, but it can also be used to lay the foundation for a social engineering attack.
Poorly thought-out Web sites are not the only sources of open intelligence. What organizations throw away can also be a source of important information. Going through an organization’s garbage (also known as dumpster diving) can reveal invoices, correspondence, manuals, etc. that can assist an attacker in gaining important information. Several convicted computer criminals confessed to dumpster diving to gather information on their targets.
The attacker’s goal in this phase is to learn as much as possible in order to sound like a legitimate employee, contractor, vendor, strategic partner, or, in some cases, a law enforcement official.
Target Selection
Once the appropriate amount of information is collected, the attacker looks for noticeable weaknesses in the organization’s personnel. The most common target is help desk personnel, as these professionals are trained to give assistance and can usually change passwords, create accounts, re-activate accounts, etc. In some organizations, the help desk function is contracted out to a third party with no real connection to the organization itself. This increases the chances of success, as the contracted third party would usually not know any of the organization’s employees. The goal of most attackers is either to gather sensitive information or to get a foothold in a system. Attackers realize that once they have access, even at a guest level, it is relatively easy to increase their privileges, launch more destructive attacks, and hide their tracks.
Administrative assistants are the next most common victims. This is largely because these individuals are privy to a large amount of sensitive information that normally flows between members of senior management. Administrative assistants can be used either as an attack point or to gather additional information about the names of influential people in the organization. Knowing the names of the “movers and shakers” in an organization is valuable if there is a need to “name drop.” It is also remarkable how many administrative assistants know their executive managers’ passwords. A number of these assistants routinely perform tasks for their managers that require their manager’s account privileges (e.g., updating a spreadsheet, booking appointments in electronic calendars, etc.).
The Attack
The actual attack is usually based on what we would most commonly call a “con.” These are broken down into three categories: (1) attacks that appeal to the vanity or ego of the victim, (2) attacks that take advantage of feelings of sympathy or empathy, and (3) attacks that are based on intimidation.
Ego Attacks
In the first type of attack, the ego or vanity attack, the attacker appeals to some of the most basic human characteristics. We all like to be told how intelligent we are and that we really know what we are doing or how to “fix” the company. Attackers use this to extract information from their victims, with the attacker playing a receptive audience for victims to display how much they know. The attacker usually picks a victim who feels under-appreciated and is working in a position that is beneath his or her talents. The attacker can usually sense this after only a brief conversation with the individual. Often, attackers using this type of attack will call several different employees until they find the right one. Unfortunately, in most cases, the victim has no idea that he or she has done anything wrong.
Sympathy Attacks
In the second category of attacks, the attacker pretends to be a fellow employee (usually a new hire), a contractor, or a new employee of a vendor or strategic partner who happens to be in a real jam and needs assistance to get some task done immediately. The importance of the intelligence phase becomes obvious here, because attackers have to create some level of trust with the victim that they are who they say they are. This is done by name dropping, using the appropriate jargon, or displaying knowledge of the organization. The attacker pretends to be in a rush and to have to complete some task that requires access, but cannot remember the account name or password, was inadvertently locked out, etc. A sense of urgency is usually part of the scenario because it provides an excuse for circumventing the procedures that would apply to the real person the attacker is pretending to be. It is human nature to sympathize or empathize with the person the attacker claims to be; thus, in the majority of cases, the request is granted. If the attacker fails to get the access or the information from one employee, he or she will just keep trying until a sympathetic ear is found, or until he or she realizes that the organization is getting suspicious.
Intimidation Attacks
In the third category, attackers pretend to be authority figures, either an influential person in the organization or, in some documented cases, law enforcement. Attackers will target a victim several levels in the organization below the individual they are pretending to be. The attacker creates a plausible reason for requesting a password reset, an account change, access to systems, or sensitive information (where the attacker is pretending to be a law enforcement official, the scenario usually revolves around some “hush-hush” investigation or national security issue, and the employee is told not to discuss the incident). Again, the attackers will have done their homework and pretend to be someone with just enough power to intimidate the victim, but not enough to be either well known to the victim or implausible for the scenario.[1] Attackers use scenarios in which time is of the essence and they need to circumvent whatever the standard procedure is. If faced with resistance, attackers will try to intimidate their victims into cooperating by threatening sanctions against them.
Mitigating the Risk
Regardless of the type of social engineering attack, the success rate is alarmingly high. Many convicted computer criminals joke about the ease with which they were able to fool their victims into letting them literally “walk” into systems. The risk and impact of social engineering attacks are high. These attacks are often difficult to trace and, in some cases, difficult even to identify. If the attacker has gained access via a legitimate account, in most cases the controls and alarms will never be activated, because as far as the system is concerned a valid credential was used and nothing wrong has been done.
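The practical consequence is that the authentication log alone shows nothing abnormal; what is abnormal is the context around the reset that produced the credential. The following is an added example, not code from the chapter, that joins a help-desk ticket log against an authentication log and raises an alert when the first login after a reset came from a source the organization does not recognize, or when the reset itself was granted without an out-of-band check. The two log formats, the address prefixes, and the set of accepted verification methods are constructed for the example and would have to be mapped onto your own ticketing and authentication logs.

```python
"""Correlate help-desk password resets with the logins that follow them.

Added example; it is not part of the chapter. Both log formats, the
address ranges and the accepted verification methods are constructed.
"""
from datetime import datetime, timedelta

# Constructed help-desk ticket log: one line per password reset.
HELPDESK_LOG = """\
2004-03-12T16:05:00 RESET account=asmith agent=hd02 channel=phone verified=callback
2004-03-12T17:42:00 RESET account=jdoe agent=hd01 channel=phone verified=caller_in_a_hurry
2004-03-12T17:44:00 RESET account=bwong agent=hd01 channel=phone verified=callback
"""

# Constructed authentication log: the system itself sees only valid logins.
AUTH_LOG = """\
2004-03-12T16:20:00 LOGIN account=asmith src=10.1.4.22 result=success
2004-03-12T17:51:00 LOGIN account=jdoe src=203.0.113.7 result=success
2004-03-12T17:52:00 LOGIN account=jdoe src=203.0.113.7 result=success
2004-03-12T18:10:00 LOGIN account=bwong src=10.1.9.3 result=success
2004-03-13T09:00:00 LOGIN account=jdoe src=10.1.4.40 result=success
"""

# Assumed: address prefixes the organization already knows (office LAN, VPN pool).
KNOWN_PREFIXES = ("10.1.",)
# Assumed: verification methods the reset policy accepts for a phone request.
ACCEPTED_VERIFICATION = {"callback", "in_person", "manager_ticket"}
# How long after a reset the first login is attributed to that reset.
WINDOW = timedelta(hours=2)


def parse(log):
    """Turn 'timestamp KIND key=value ...' lines into dicts."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, kind, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["ts"] = datetime.fromisoformat(ts)
        ev["kind"] = kind
        events.append(ev)
    return events


def first_login_after(reset, logins, window):
    """The first successful login on the reset account inside the window, or None."""
    candidates = [
        l for l in logins
        if l["account"] == reset["account"]
        and reset["ts"] <= l["ts"] <= reset["ts"] + window
    ]
    return min(candidates, key=lambda l: l["ts"]) if candidates else None


def correlate(helpdesk_log, auth_log, window=WINDOW):
    """Return one alert per reset whose first use looks like an outsider's."""
    resets = [e for e in parse(helpdesk_log) if e["kind"] == "RESET"]
    logins = [e for e in parse(auth_log)
              if e["kind"] == "LOGIN" and e.get("result") == "success"]
    alerts = []
    for r in resets:
        login = first_login_after(r, logins, window)
        if login is None:
            continue
        reasons = []
        if r.get("verified") not in ACCEPTED_VERIFICATION:
            reasons.append("reset granted without out-of-band verification")
        if not login["src"].startswith(KNOWN_PREFIXES):
            reasons.append("first login after reset from unknown source")
        if reasons:
            alerts.append({
                "account": r["account"],
                "reset_at": r["ts"].isoformat(),
                "agent": r.get("agent"),
                "login_at": login["ts"].isoformat(),
                "src": login["src"],
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(HELPDESK_LOG, AUTH_LOG):
        print(alert)
```

Run directly, it reports the single jdoe reset, which was granted on the caller’s say-so and whose new password was first used from an external address nine minutes later; the other two resets were verified by callback and first used from the office network, so nothing is reported for them. The reset event is the pivot: without it, the jdoe login is indistinguishable from any other remote login, which is exactly why the system’s own alarms stay silent.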
If social engineering is so easy to do, then how do organizations protect themselves against the risks of these attacks? The answer to this question is relatively simple but it entails a change in thinking on behalf of the entire organization. To mitigate the risk of social engineering, organizations need to effectively educate and train their staff on information security threats and how to recognize potential attacks. The control for these attacks can be found in education, awareness, training, and other controls, the discussion of which follows.
Social engineering concentrates on the weakest link in the information security chain: people. The fact that someone can persuade an employee to provide sensitive information means that even the most secure systems become vulnerable. The human part of any information security solution is the most essential. In fact, almost all information security solutions rely on the human element to a large degree. This means that this weakness, the human element, is universal, independent of hardware, software, platform, network, age of equipment, etc.
Many companies spend hundreds of thousands of dollars to ensure effective information security. This security is used to protect what the company regards as its most important assets, including information. Unfortunately, even the best security mechanisms can be bypassed when social engineering techniques are used. Social engineering uses very low-cost and low-technology means to overcome impediments posed by information security measures.
Protection against Social Engineering
To protect ourselves from the threat of social engineering, there must be a basic understanding of information security. In simple terms, information security can be defined as the protection of information against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional. In general terms, information security denotes a state that a company reaches when its data and information, systems, and services are adequately protected against any type of threat. Information security protects information from a wide range of threats to ensure business continuity, minimize business damage, and maximize return on investment and business opportunities. Information security is about safeguarding a business’s money, image, and reputation, and perhaps its very existence.
Protection mechanisms usually fall into three categories, and it is important to note that to adequately protect an organization’s information assets against any type of threat, including social engineering attacks, a combination of all three is required:
- Physical security
- Logical (technical) security
- Administrative security
Information security practitioners have long understood that a balanced approach to information security is required. That “balance” differs from company to company and is based on the system’s vulnerabilities, threats, and information sensitivity, but in most instances it will require a combination of all three elements mentioned above. Information security initiatives must be customized to meet the unique needs of the business. That is why it is very important to have an information security program that understands the needs of the corporation and can relate its information security needs to the goals and missions of the organization. Achieving the correct balance means implementing a variety of information security measures that fit into the three categories above, in the proportions that meet the organization’s security requirements as efficiently and cost-effectively as possible. Effective information security is the result of a process of identifying an organization’s valued information assets; considering the range of potential risks to those assets; implementing effective policies for those specific conditions; and ensuring that those policies are properly developed, implemented, and communicated.
Physical Security
The physical security components are the easiest to understand and, arguably, the easiest to implement. Most people think of keys, locks, alarms, and guards when they think of physical security. While these are by no means the only precautions that need to be considered when securing information, they are a logical place to begin. Physical security, along with the other two categories (logical and administrative), is a vital component of and fundamental to most information security solutions. Physical security refers to the protection of assets from theft, vandalism, catastrophes, natural disasters, deliberate or accidental damage, and unstable environmental conditions such as electrical, temperature, humidity, and other related problems. Good physical security requires sound building and facility construction, emergency preparedness, reliable electrical power supplies, reliable and adequate climate control, and effective protection from both internal and external intruders.
Logical (Technical) Security
Logical security measures are those that employ a technical solution to protect the information asset. Examples include firewall systems, access control systems, password systems, and intrusion detection systems. These controls can be very effective, but they usually rely on the human element, or on human interaction, to work successfully. As mentioned, it is this human element that can be exploited rather easily.
Administrative Security
Administrative security controls are those that usually involve policies, procedures, guidelines, etc. Examples of administrative security include information security policies, awareness programs, and background checks for new employees. These examples are administrative in nature and do not require a logical or technical solution to implement, but they all address the issue of information security.
Coverage
To be effective, information security must include the entire organization, from the top to the bottom, from the managers to the end users. Most importantly, the highest level of management present in any organization must endorse and support the idea and principles of information security. Everyone from top to bottom must understand the security principles involved and act accordingly. This means that high-level management must define, support, and issue the information security policy of the organization, which every person in the organization must then abide by. It also means that upper management must provide appropriate support, in the form of funding and resourcing, for information security. To summarize, a successful information security policy requires the leadership, commitment, and active participation of top-level management.
Critical information security strategies primarily rely on the appropriate and expected conduct on the part of personnel, and secondly on the use of technological solutions. This is why it is critical for all information security programs to address the threat of social engineering.
Securing against Social Engineering Attacks
Policies, Awareness, and Education
Social engineering attacks are very difficult to counter. The problem is that most logical security controls are ineffective as protection mechanisms against them. Because social engineering attacks target the human element, protective measures need to concentrate on the administrative portion of information security. An effective countermeasure is to have very good, established information security policies that are communicated across the entire organization. Policies are instrumental in forming “rules of behavior” for employees. The second effective countermeasure is an effective user awareness program. When one combines these two administrative countermeasures effectively, the result is an integrated security program that everyone understands and believes is part of his or her own required job duties. From a corporate perspective, it is critical to convey this message to all employees, from top to bottom. The result will be an organization that is more vigilant at all levels, and an organization comprised of individuals who believe they are “contributing” to the well-being of the overall corporation. This is an important perception that greatly contributes to the employee satisfaction level. It also protects against the threat of disgruntled employees, another major concern of information security programs. It may be these disgruntled employees who willingly give sensitive information to unauthorized users, regardless of the social engineering methods used.
Most people learn best from ?rst-hand experience. Once it has been demonstrated that each individual is susceptible to social engineering attacks, these individuals tend to be more wary and aware. It is possible to make an organization more immune to social engineering attacks by providing a forum for discussions of other organizations’ experiences.
Continued awareness is also very important. Awareness programs need to be repeated on a regular basis in order to re-affirm policies regarding social engineering. With today’s technology, it is very easy to set up effective ways to communicate with one’s employees on a regular basis. A good way to provide this type of forum is to use an intranet Web site that contains not only the organization’s policies, but also safety tips and amusing social engineering stories. Amusing stories tend to get the point across better, especially if one takes into account that people love to hear about other people’s misfortunes.
Recognition of “Good Catches”
Sometimes, the positive approach to recognition is the most effective one. If an employee has done the appropriate thing when it comes to an information security incident, acknowledge the good action and reward him or her appropriately. But do not stop there; let everyone else in the organization know. And as a result, the entire organization’s preparedness will be improved.
Preparedness of Incident Response Teams
All companies should have the capability to deal effectively with what they consider an incident. An incident can be defined as any event that threatens the company’s livelihood. From an information security perspective, dealing with any outside threat (including social engineering) would be considered an incident. The goals of a well-prepared incident response team are to detect potential information security breaches and to provide an effective and efficient means of dealing with the situation in a manner that reduces the potential impact on the corporation. A secondary but also very important goal is to provide management with sufficient information to decide on an appropriate course of action. Having a team in place, comprised of knowledgeable individuals from key areas of the corporation who are educated and prepared to respond to social engineering attacks, is a key aspect of an effective information security program.
Testing Readiness
Penetration testing is a method of examining the security controls of an organization from an outsider’s point of view. To be effective, it involves testing all controls that prevent, track, and warn of internal and external intrusions. Companies that want to test their readiness against social engineering attacks can use this approach to reveal their weaknesses that may not have been previously evident. One must remember, however, that although penetration testing is one of the best ways to evaluate an organization’s controls, it is only as effective as the efforts of the individuals who are performing the test.
Immediate Notification to Targeted Groups
If someone reports or discovers a social engineering attempt, one must notify personnel in similar areas. It is very important at this point to have a standard process and a quick procedure to do this. This is where a well-prepared incident response team can help. Assuming that a procedure is already in place, the incident response team can quickly deal with the problem and effectively remove it before any damage is done.
Apply Technology Where Possible
Other than making employees aware of the threat and providing guidance on how to handle both co-workers and outsiders asking for information, there are no truly solid methods for protecting information and employees from social engineering. However, a few options worth considering are the following:
- Trace calls if possible. Tracing calls may be an option, but only if one has the capability and is prepared for it. What one does not want in the midst of an attack is to be asking, “how do we trace a call?” Again, be prepared: have incident response procedures in place that allow you to react efficiently.
- Ensure good physical security. As mentioned, good physical security is a must in order to provide efficient protection. There are many ways to effectively protect one’s resources using current technology, including methods that employ biometrics or smart cards.
- Mark sensitive documents according to the data classification scheme. If a well-established information classification scheme is in place, it may prevent the release of sensitive information in the event of a social engineering attack. For example, if someone is falling for an attack and pulls out a document that is marked “confidential,” the marking may stop him or her from releasing that information. Similarly, if a file is electronically marked according to the classification scheme, the same applies.
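One more place where technology can be applied is the help-desk reset procedure itself, since each of the three cons described earlier ends with a request to skip it. The following is an added example, not code from the chapter and not a description of any particular product, of a reset-authorization check whose single rule is that every fact used to verify the caller comes from the organization’s own records and none from the caller: the callback goes to the directory phone number regardless of what number the caller offers, accounts with no directory entry are refused (new hires are created through HR, not over the phone), privileged accounts additionally require a ticket opened by the manager of record, and urgency or claimed authority change nothing except that they are recorded as indicators for the incident response team. The directory, the ticket store, and all field names are constructed for the example.

```python
"""Decide whether a help desk may act on a password-reset request.

Added example, not from the chapter. The directory of record, the
ticket store and the request fields are constructed. The rule encoded
here: nothing the caller says is used to verify the caller.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class DirectoryEntry:
    name: str
    phone_on_record: str
    manager: str            # account of the manager of record
    privileged: bool = False


@dataclass
class ResetRequest:
    claimed_account: str
    offered_callback: Optional[str] = None     # number the caller asks us to use
    claims_urgency: bool = False               # "I have to get this done right now"
    claims_authority_of: Optional[str] = None  # "the VP told me to call you"
    manager_ticket: Optional[str] = None       # ticket reference the caller cites


@dataclass
class Outcome:
    action: str                  # "deny" or "callback"
    callback_to: Optional[str]   # always the directory number, never the caller's
    indicators: List[str] = field(default_factory=list)


# Constructed directory of record (in practice the HR system or LDAP).
DIRECTORY: Dict[str, DirectoryEntry] = {
    "jdoe":    DirectoryEntry("J. Doe",    "+1-555-0100", manager="mlee"),
    "mlee":    DirectoryEntry("M. Lee",    "+1-555-0110", manager="ceo"),
    "dbadmin": DirectoryEntry("D. Badmin", "+1-555-0120", manager="mlee", privileged=True),
}

# Constructed ticket store: ticket id -> (account to reset, manager who opened it).
MANAGER_TICKETS: Dict[str, Tuple[str, str]] = {
    "INC-1042": ("dbadmin", "mlee"),
}


def authorize_reset(req: ResetRequest,
                    directory: Dict[str, DirectoryEntry] = DIRECTORY,
                    tickets: Dict[str, Tuple[str, str]] = MANAGER_TICKETS) -> Outcome:
    """Return the only two things the agent may do: deny, or call the number on record."""
    indicators: List[str] = []

    # Pressure tactics are logged, never acted on.
    if req.claims_urgency:
        indicators.append("caller stressed urgency")
    if req.claims_authority_of:
        indicators.append(f"caller invoked authority of {req.claims_authority_of}")

    entry = directory.get(req.claimed_account)
    if entry is None:
        # The "new hire in a jam" has no record; HR creates accounts, the help desk does not.
        indicators.append("account not in directory of record")
        return Outcome("deny", None, indicators)

    # A caller-supplied number is the attacker's phone by definition; the real
    # employee can be reached at the number the organization already holds.
    if req.offered_callback and req.offered_callback != entry.phone_on_record:
        indicators.append("caller-supplied callback number differs from record; ignored")

    if entry.privileged:
        # Privileged resets need a ticket that the manager of record opened for
        # exactly this account; a ticket number quoted for another account fails.
        ticket = tickets.get(req.manager_ticket or "")
        if ticket != (req.claimed_account, entry.manager):
            indicators.append("privileged account without ticket from manager of record")
            return Outcome("deny", None, indicators)

    return Outcome("callback", entry.phone_on_record, indicators)


if __name__ == "__main__":
    for r in (ResetRequest("newhire", claims_urgency=True),
              ResetRequest("mlee", offered_callback="+1-555-0999",
                           claims_authority_of="the CEO"),
              ResetRequest("dbadmin", claims_urgency=True),
              ResetRequest("dbadmin", manager_ticket="INC-1042")):
        print(r.claimed_account, authorize_reset(r))
```

Each of the chapter’s scenarios maps onto one call: the sympathetic “new hire in a jam” has no directory entry and is refused; the intimidating caller who claims an executive’s authority and asks to be called back on a personal number does get a callback, but only to the number on record, which is precisely the phone the real executive would answer; the privileged account is reset only against a ticket the manager of record opened. The accumulated indicators are the raw material for the immediate-notification step described above, so that the second and third calls the attacker makes are recognized as the same campaign.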
Conclusion
Social engineering methods, when employed by an attacker, pose a serious threat to the security of information in any organization. There are far too many real-life examples of the success of this type of attack. However, following some of the basic principles of information systems security can mitigate the risk of social engineering. Policies need to be created to provide guidelines for the correct handling and release of information considered critical and sensitive within an organization. Information security awareness also plays a critical role. People need to be aware of the threats; and more importantly, they need to know exactly how to react in such an event. Explaining to employees the importance of information security, and that there are people who are prepared to try to manipulate them to gain access to sensitive information, is a wise first step in any defense plan. Simply forewarning people of possible attacks is often enough to make them alert enough to spot them and react accordingly. The old saying that “knowledge is power” is true; in this case, it increases security.
It is far easier to hack people than to hack a technically sound security device such as a firewall system. However, it also takes much less effort to educate and prepare employees so that they can prevent and detect attempts at social engineering than it takes to properly secure that same firewall system. Organizations can no longer afford to have people as the weakest link in the information security chain.
Notes
1. CEOs are usually relatively well-known to employees, either from the media or from annual general meetings. Also, most CEOs would not be calling after-hours regarding a forgotten password. On the other hand, their assistant might.
