Before you start
Objectives: learn about different social engineering techniques and about different protection measures.
Prerequisites: no prerequisites.
Key terms: information, social, sensitive, user, person, attacker, network, administrator, approach, password, authority
What is Social Engineering
Social engineering is an attempt to deceitfully acquire sensitive information from users. It exploits human nature by convincing someone to reveal information, grant access or perform some activity. The information could include usernames, passwords, credit card numbers, bank account numbers, social security numbers, birth dates or other sensitive details about the organization that the user works for. Social engineering is done by a person who masquerades as a credible person. He or she approaches some user and asks them for various pieces of information. Sometimes our users want to help others, or they simply fear the consequences if they don’t do something, so they give sensitive information away. This way the attacker tries to bypass the advanced security implementations, since users are sometimes easier to break than technical security controls.
Different Social Engineering Techniques
There are different social engineering techniques. Attackers often impersonate support staff or even management to try to convince someone to do something or to reveal information.
Holding open secure doors enables an attacker to walk into secure premises without requiring them to authenticate themselves before entering.
Dumpster diving is the process of looking in the trash for sensitive information that has not been properly disposed of.
Shoulder surfing involves looking over the shoulder of someone working on a computer.
Piggybacking refers to an attacker entering a secured building by following an authorized employee. For example, the attacker asks someone to hold the door open rather than using a key to enter.
Masquerading refers to convincing personnel to grant access to sensitive information or protected systems by pretending to be someone who requires that access. In this scenario the attacker usually pretends that he needs help with something. For example, the attacker approaches the end user, usually over the phone or sometimes by email, and asks the user for help. The common pretext is a lost password. He says that he lost his password and that he needs it right now because he has to do something very important, otherwise he might lose his job. He gives his name and says that he works in some department of the company, so everything seems fine at first glance. Sometimes end users want to help in those situations, so they give their usernames and passwords without actually confirming that they are giving that information to the right person. At the same time there’s a little bit of fear, because the end user doesn’t want to be blamed if that person is not able to do something important for the company.
Another common approach is the authority figure approach. The attacker usually poses as a member of management or support staff. A common variant is the network administrator approach. The person engaging in social engineering will contact a user in some organization, present himself as a network administrator for that organization, and ask for that user’s credentials, because there is supposedly some problem with the servers and the user’s account, and he needs to check whether something works with the user’s credentials, or some other similar reason. The person poses as an authority figure, the network administrator, and tells the end user that they must provide him or her with the requested information. Some organizations are so large that users don’t know whether that person really is a network administrator or not; they simply sound like one. This exploit is commonly done over the phone. End users sometimes don’t understand that a network administrator never needs the end user’s username and password to do anything. A network administrator should be able to do anything they need on the network; they can create new user accounts and change passwords for users. Another approach that’s commonly used with the authority figure is the boss. Most organizations have many layers of management, and using this feature of most modern organizations, the social engineer pretends to be a boss and asks the user for their own or someone else’s username and password. The user gives him that information out of fear of facing consequences if he doesn’t.
Eavesdropping refers to an unauthorized person listening to conversations of employees or other authorized personnel discussing sensitive topics.
An attack that happens frequently is the phishing attack. In a phishing attack we usually get an email that looks like it came from a legitimate source, such as PayPal, our bank, our company, eBay, Facebook, Microsoft, a friend, etc. The mail says that we need to click on some link to go to some website to fix some problem with our account. We click on the link and it brings up a page that looks like a legitimate web page of the organization that supposedly sent the email. On that page we have to enter our username and password or some other sensitive information. When we hit submit, our information actually goes to the person who sent the email, not to the institution. This approach is very successful.
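As an added example (not from the original text), the following Python check flags links in a constructed phishing-style HTML e-mail whose real destination does not belong to the domain the message claims to come from, or whose visible text names one site while the href points at another; the sender address and URLs are made up for the example.

```python
# Added example: flag mismatched links in an HTML e-mail body, the pattern the
# phishing paragraph describes (legitimate-looking sender, look-alike destination).
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; the sender address and URLs are invented for this example.
SAMPLE_FROM = "service@paypal.example"
SAMPLE_BODY = """
<p>Dear customer, there is a problem with your account.</p>
<p>Please log in here: <a href="http://paypal.example.login-check.test/verify">
https://www.paypal.example/account</a></p>
<p>Help centre: <a href="https://www.paypal.example/help">help</a></p>
"""

def registrable_domain(host):
    """Crude 'site' name: the last two labels (paypal.example). Enough for a demo."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(from_addr, html_body):
    """Return hrefs worth warning the user about: the href host is outside the
    sender's domain, or the visible text is a URL on a different host than the href."""
    sender_domain = registrable_domain(from_addr.split("@")[-1])
    collector = LinkCollector()
    collector.feed(html_body)
    flagged = []
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text).hostname if "://" in text else None
        if registrable_domain(href_host) != sender_domain:
            flagged.append(href)
        elif text_host and registrable_domain(text_host) != registrable_domain(href_host):
            flagged.append(href)
    return flagged

if __name__ == "__main__":
    print(suspicious_links(SAMPLE_FROM, SAMPLE_BODY))
```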
The usual problem and the usual weakest link are our end users. End users don’t have the same degree of IT knowledge that we have, so they are easily tricked by social engineering attempts. Ordinary users need to be trained on how to respond to social engineering; that’s the best defense against it. For example, we can train our users to demand proof of identity, over the phone and in person. If someone requests privileged information, we should find out why they want it and whether they are authorized to obtain it. We should dispose of sensitive documents securely, for example by shredding or incinerating them. We should dispose of disks and devices securely by shredding floppy disks and hard disks and destroying CDs, DVDs and Blu-ray disks. We should always verify information in suspicious e-mails by checking well-known Web sites that track malicious code and other threats.
Social engineering can be used by an attacker to reveal sensitive information or to perform some kind of activity. Social engineering techniques include dumpster diving, shoulder surfing, piggybacking, masquerading, eavesdropping and phishing. The best defense against social engineering is education of users.