Social Engineering – how can your company be manipulated?
As mentioned in our last newsletter, IT security is a combination of products and processes, and both have to be kept under constant review and renewal. No single system removes all uncertainty. A company that decides to protect itself against unauthorised users, hackers, crackers and anyone else with an ulterior motive is committing itself to a race that never ends.
One of the most widely used tactics for gaining unauthorised access to IT systems is social engineering: manipulating people rather than technology. The raw ability to persuade is something everyone already has; turning it into a reliable technique takes only practice and research into the target.
In everyday life, most people will recognise some of these techniques. Consider what happens when someone suspects a partner of being unfaithful: the creativity people show in digging out the right information is remarkable. Or think of the loyal employee who suddenly gets an offer from a competitor that he or she simply cannot refuse, and who is also asked to bring the client database along when leaving.
As a general rule, two things bring out a person's creative and shadier sides: enough money, and emotion. Becoming the object or hostage of a situation driven by one or both of these is a powerful stimulant. It applies to employees who are tempted, lured, seduced, let down, fired or wronged, and there you have all the ingredients for creativity in the raw.
One of the most famous, or infamous, recent masters of social engineering is the American Kevin Mitnick. He became known worldwide in the 1980s and 90s, not least because he was wanted by the FBI. Today he works as a security consultant and has published a book entitled "The Art of Deception". Mitnick's view is that everyone has some ability to manipulate; some are simply better at it than others. As IT has flooded into every workplace it has become harder and harder to keep up, and the resulting gap between what people use and what they understand is an obvious target for abuse.
Below we describe some of the most widely used social engineering techniques.
Imitations
Research has shown that a company's procedures are often easy to imitate. Start by doing the research, gathering information and drawing up a plan, and rapid access can be gained to all parts of an organisation simply by acting out its work procedures. Think of what happens when you open a door with your code and a couple of "colleagues" slip in behind you: that one habit, known as tailgating, defeats an expensive access-control system.
Important users - VIPs
It is not always enough just to pretend to be an ordinary user. Claiming to be the CEO, the chairman of the board or somebody similar, on the other hand, often commands the kind of respect that opens direct access to places normally out of bounds. Our natural deference to authority is exploited to get into hard-to-reach places; put bluntly, enough bare-faced confidence allays all suspicion.
Third party authorisation - getting a third party to access sensitive information
This method usually involves invoking a person in a position of power, a trusted employee who can grant access to important parts of the system, and claiming to act on that person's authority. "Greasing palms" and cold cash are of great help here. Attackers who want to appear trustworthy and know the right details usually begin by gathering information about the company, typically by dumpster diving: going through waste paper and rubbish for key words, names of important personnel, extension numbers, professional jargon and maybe relevant dates or other useful facts about the company.
Technical support
This is an easy and frequently used way of obtaining useful information, and pretending to be from the support centre has proved to be the key into many companies. In these computerised times an unsolicited call from the help desk asking about a technical problem is nothing unusual. Everything coming from there comes from the "heart of the company", so a caller who claims to be support has already allayed any incipient doubt and can get users to do almost anything.
Turning up in person
Finally, as in the world of espionage, people can turn up in person, pretending to be an employee, a guest or a service worker. Surveys show that certain staff, such as caretakers and doorkeepers, often know a disproportionate amount about company security, and they can normally move close to the heart of the company without obstacles. In essence, everyone can be bought; it is merely a question of price. Close consideration should therefore be given to which people are most vital to security, because recognising this makes it easier to take precautions.
Dumpster diving
An extremely easy source of information about a company. Even the most sensitive information is often thrown out unshredded, so a company's security arrangements, and the gaps in them, can be revealed simply by going through its refuse. It is all too easy to penetrate companies through what they throw out, precisely because they have no policy on shredding confidential or important documents. One good piece of advice is to carry out a risk assessment of what leaves the building as waste.
Shoulder surfing
Shoulder surfing is the easiest way of all: it involves nothing more than looking over other people's shoulders, for instance to read their passwords as they type. It has much to do with the habits of users: what do they do, how, and where? All too often employees work in public places where they forget time and place while handling confidential information, which can then be read or overheard by the people around them.
Pop-up windows
What typically happens is that a pop-up window appears, telling the user that the connection has been lost and asking for login and password to be re-entered. The user types them in, and the little program the attacker has already installed sends both, for instance by e-mail, to the attacker. A legitimate system does not ask for credentials in an unexpected pop-up, and that is the cue to be suspicious.
Mail attachments
Mail attachments are a very dangerous vehicle for social engineering. Small scripts, viruses, worms, Trojan horses or other programs are sent to the recipient under an enticing name. Think back to early mass-mailing worms such as "ILOVEYOU" and "Anna Kournikova", both of which arrived as Visual Basic scripts disguised as a love letter and a picture respectively, with subject lines that got the inquisitive to act inappropriately from a security point of view. In the run-up to every major public holiday these attacks increase in intensity, and you really have to be on your guard about what may be concealed among all the best wishes and glad tidings: Christmas, Whitsun, Easter and personal red-letter days are particularly dangerous.
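The trick both of those worms relied on was a script hidden behind a harmless-looking name (LOVE-LETTER-FOR-YOU.TXT.vbs, AnnaKournikova.jpg.vbs). The following is an added example, not code from the original newsletter, showing how a mail gateway or a simple pre-delivery filter can screen attachments for exactly that pattern: an executable extension, a "double extension" in front of it, and a Content-Type that does not match. The extension lists and the sample message are assumptions constructed for the demonstration; a real deployment would take its blocklist from its own policy.

```python
"""Screen an e-mail's attachments for the disguise used by mass-mailing
worms such as ILOVEYOU and Anna Kournikova: a script or executable behind a
harmless-looking name (a double extension like "photo.jpg.vbs") and/or a
misleading Content-Type.

Added example, not part of the original newsletter.  The extension lists
are illustrative assumptions; the sample message is constructed here."""
import email
from email import policy
from email.message import EmailMessage

# Extensions that run code when a Windows user double-clicks them
# (illustrative, not an exhaustive blocklist).
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl", "msi", "ps1", "lnk", "jar",
}

# Extensions a user expects to be harmless data; used to spot double
# extensions such as "invoice.pdf.exe" or "AnnaKournikova.jpg.vbs".
HARMLESS_LOOKING = {"txt", "jpg", "jpeg", "gif", "png", "pdf", "doc", "xls"}


def classify_filename(name):
    """Return the reasons an attachment name is suspicious (empty if none)."""
    reasons = []
    parts = name.lower().split(".")
    if len(parts) < 2:
        return reasons
    ext = parts[-1]
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{ext}")
        if len(parts) >= 3 and parts[-2] in HARMLESS_LOOKING:
            reasons.append(f"double extension .{parts[-2]}.{ext}")
    return reasons


def screen_message(raw):
    """Parse a raw RFC 5322 message and return {filename: [reasons]} for
    every attachment that should be held back for review."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reasons = classify_filename(name)
        # A script delivered as image/jpeg or text/plain is lying about
        # its nature; record the mismatch as an additional reason.
        ctype = part.get_content_type()
        if reasons and not ctype.startswith("application/"):
            reasons.append(f"content-type {ctype} does not match an executable")
        if reasons:
            findings[name] = reasons
    return findings


def build_sample():
    """Construct a demonstration message: two disguised scripts, one benign PDF."""
    msg = EmailMessage()
    msg["From"] = "friend@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "ILOVEYOU"
    msg.set_content("kindly check the attached LOVELETTER coming from me.")
    # Script attached as text/plain, named to look like a text file.
    msg.add_attachment('MsgBox "I love you"',
                       filename="LOVE-LETTER-FOR-YOU.TXT.vbs")
    # Script attached as image/jpeg, named to look like a picture.
    msg.add_attachment(b"MsgBox \"Anna\"", maintype="image", subtype="jpeg",
                       filename="AnnaKournikova.jpg.vbs")
    msg.add_attachment(b"%PDF-1.4 (constructed stub)", maintype="application",
                       subtype="pdf", filename="agenda.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, why in screen_message(build_sample()).items():
        print(filename, "->", "; ".join(why))
```

The check deliberately looks at the name the user will see rather than trusting the declared type: the user is the target of the disguise, so that is the view that has to be screened. Quarantining on any hit, rather than deleting, keeps the evidence for the debrief recommended below.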
Spam, chain letters and hoaxes
All of these depend on social engineering: information sent out in order to confuse and mislead. They do not cause immediate damage or loss of information, but they cause major productivity losses and take up large amounts of space on company mail systems and networks. A hoax is a false virus warning whose only purpose is to be forwarded on like spam, stealing both time and bandwidth.
Websites
A frequently used method is to offer games and gambling, lotteries and other entertainment via a website. To take part, users are asked to register with their e-mail address and a password, "to keep the site secure". Since security is not always at the top of people's minds, many use the same password at home and at work, and without realising it they have just handed over their work login and password to whoever runs the site.
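The practical counterpart of this warning is to check whether credentials that have leaked from such a site also open a work account. The following is an added example, not code from the original newsletter, assuming a company directory that stores only salted PBKDF2 hashes (the parameters and the sample accounts and leaked list below are constructed for the demonstration). Because the check re-runs the leaked candidate through the same key derivation and compares the result in constant time, the company never needs its users' plaintext passwords to find the reuse.

```python
"""Find employees whose password from a third-party site also unlocks
their work account (the "same password at home and at work" problem).

Added example, not part of the original newsletter.  The KDF parameters,
the directory and the leaked list are constructed for this demonstration;
a real directory would supply the hashes from its own password store."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # illustrative; use the parameters of your own store


def hash_password(password, salt, iterations=ITERATIONS):
    """Derive the stored form of a password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_directory(accounts):
    """Enrol (email, plaintext) pairs into {email: (salt, hash)}.
    Plaintext is only ever seen here, at enrolment time."""
    directory = {}
    for mail, password in accounts:
        salt = os.urandom(16)
        directory[mail.lower()] = (salt, hash_password(password, salt))
    return directory


def find_reused_passwords(directory, leaked):
    """Return the sorted e-mail addresses whose leaked third-party password
    also matches their work account.  Unknown addresses are ignored."""
    hits = set()
    for mail, leaked_password in leaked:
        entry = directory.get(mail.lower())
        if entry is None:
            continue
        salt, stored = entry
        # Constant-time comparison so the check itself leaks nothing.
        if hmac.compare_digest(hash_password(leaked_password, salt), stored):
            hits.add(mail.lower())
    return sorted(hits)


# Constructed sample data: the company's accounts and a credential list
# "found" on a games site.  Only Anna reused her work password there.
SAMPLE_ACCOUNTS = [
    ("anna@example.invalid", "Summer2004!"),
    ("bo@example.invalid", "correct horse battery"),
    ("carl@example.invalid", "hunter2"),
]
SAMPLE_LEAK = [
    ("Anna@example.invalid", "Summer2004!"),   # same password at home and at work
    ("bo@example.invalid", "password1"),       # different password, no match
    ("dora@example.invalid", "hunter2"),       # not an employee
]


def demo():
    """Run the check on the constructed data."""
    return find_reused_passwords(make_directory(SAMPLE_ACCOUNTS), SAMPLE_LEAK)


if __name__ == "__main__":
    print("reused work passwords:", demo())
```

A hit should trigger a forced password change and a quiet word with the person, not a reprimand: the aim of the exercise is to learn which habits exist before an attacker does.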
What can be done?
It is all a matter of acting proactively and recognising that there is a real problem. There is no universal solution or quick fix. Besides the necessary IT policy, rules and other guidelines, here are a few good tips:
1. Use your common sense, it's the best weapon (test the water - is this logical?).
2. Give employees up-to-date training (preferably continuous and dynamic).
3. Be careful not to get into inappropriate situations (unsolicited telephone calls, mails, post, personal approaches etc).
4. Avoid inviting problems (think about ads, calls etc).
6. Do not be embarrassed about asking twice (when asked to perform an action, whether physically or electronically, ask the sender for validation. For example, if someone contacts you by phone, offer to call them back on a number you look up yourself rather than one they give you. Remember there are no stupid questions, only stupid answers!).
6. Test your emergency measures (in the same way as you hold fire drills, test your social engineering precautions).
7. Once the damage has been done, debrief those concerned in order to learn from it (what happened, how, why, what methods, preconditions and targets?).
8. Introduce staff to social engineering events so they can be recognised (it is difficult to combat a problem if no one knows what it is).
9. Be realistic! Espionage is the world's second oldest profession (so why think it doesn't happen to you today?).
10. Education, education and education.
The above list is not exhaustive but a guideline for getting off to a good start. A good security policy, a high level of preparedness and common-sense realism are good foundations. Base your work on the motto "It is not a question of if, but when we are attacked", decide in advance what you will do when it happens, and then test it before circumstances test it for you.
Jesper Lundorf
Security Consultant