Social Engineering:
What's it all about?
Below are some questions that came up a while back when I did a Webcast interview for Microsoft's Security 360 (http://www.microsoft.com/seminar/events/series/mikenash.mspx), and my answers.
Q: What are the perpetrators of social engineering generally after?
In a word, information. But more specifically, information that can be used to help them gain access to computer systems or networks for which they’re not authorized. The “big prize” is usually a valid user account name and password – especially an administrative account. That allows the social engineer to log on and gain immediate access without using any special technical skills at all. Other useful information includes the internal names of critical servers or valid IP addresses for the network.
Q: What are some of the common techniques they use to get what they want?
Social engineers have been around since long before computers were invented. We’ve just given them a new name. A social engineer is nothing more or less than a con artist, and in this case he – or she – is trying to con you out of your account information or other information that can be used to break into the computer or network.
Regular hackers rely on their technical skills and knowledge of how operating systems, applications and protocols work to break into the network. Social engineers rely on their people skills and knowledge of human nature. A social engineer might pretend to be someone else, such as a co-worker, someone from an outside firm that provides computer maintenance, or a higher-up in the company.
Q: What are the most prevalent types of social engineering attacks?
Social engineers may attack in person, over the phone, via e-mail or via instant messaging.
The most common attacks attempt to convince you to provide account information or personal information. Other attacks attempt to get you to download and run a program (for example, an attacker claims to be from the IT department and says your computer has a virus and the program will “clean” the machine). Attackers might simply try to get you to visit a Web site, where scripts or ActiveX controls will run and install “back door” programs or make your computer a so-called “zombie” that can be used as an intermediary to attack other systems.
Some social engineering attacks don’t involve personal interaction. Dumpster diving refers to retrieving information from the trash. Shoulder surfing refers to watching as someone types a password and noting the characters. “Phishing” usually involves sending an e-mail message directing you to a Web site where you’re asked to enter information. Or a malicious program might pop up a window saying that your network connection has been lost and asking you to re-enter your user name and password, and then e-mail the information to the attacker.
The common element is the attempt to convince you to do something.
Q: What are some of the common psychological mechanisms that social engineers employ? Why do they work?
The most common include charm, intimidation and exploitation of other people’s uncertainty and confusion. They work because of human nature: people like to be flattered; they like to be helpful, and they don’t like to get in trouble or to say “no” to someone who comes on as nice or as intimidating.
Q: How does “phishing” work? Is it a threat to organizations or just to individual consumers?
Phishing refers to a type of social engineering usually perpetrated through e-mail. The message is designed to look as if it’s from your bank, credit card company, or another organization with which you do business (such as PayPal or eBay). The message usually tells you that your account information needs to be updated, or even that there has been an attack that compromised the security of your account and it had to be shut down. You’re then instructed to log onto a Web site (or less frequently, to reply via e-mail or even call a phone number) to “verify” your account information. The sender addresses are forged to look as if they come from the legitimate company, and the Web sites are constructed to look identical to the company’s legitimate site, with a “spoofed” (forged) URL.
Of course, when you enter the personal information, which can include not just account credentials but also your social security number, driver’s license number and such, the attacker uses them to log onto your accounts and steal your identity.
Phishing is a threat to organizations as well as to individuals. Organizations also have credit cards, bank accounts and business relationships with other companies. A phisher can pretend to be one of the organization’s vendors, top customers or partners and use the same types of ploys to gather inside information about the organization that can be used against it.
Phishing is a form of spam, since the message is usually mass-mailed to hundreds or thousands of potential victims – but much more insidious than the usual unwanted advertising. A particularly popular phishing ploy right now pretends to originate from a mortgage company and promises you fantastically low rates. If you go to the site, you’re required to fill out a “loan application” with detailed financial and personal information. People are fooled by this because they know that loan applications really do require such information.
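The indicators described above (a forged sender whose Reply-To or Return-Path points elsewhere, a link whose visible text shows the real site while the href goes somewhere else, a link to a bare IP address) can be checked mechanically. The following is an added example written for this page, not code from the original interview or from Microsoft; the two sample messages are constructed, and the bank and domain names in them are hypothetical. It uses only the Python standard library.

```python
"""Added example: flag common phishing indicators in a raw e-mail message.
Sample messages are constructed; examplebank.com and the other domains are
hypothetical names chosen for the demo."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing message: forged From, mismatched Reply-To/Return-Path,
# and a link whose text shows the bank's site but whose href is a bare IP.
SAMPLE_PHISH = """\
From: "Example Bank Security" <security@examplebank.com>
Reply-To: verify@examplebank-verify.net
Return-Path: <bounce@mail-hub.example.net>
Subject: Your account has been suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected an attack on your account. Verify your details within 24 hours.</p>
<p><a href="http://198.51.100.23/login">https://www.examplebank.com/secure/login</a></p>
</body></html>
"""

# Constructed legitimate message for comparison: every domain agrees with From.
SAMPLE_LEGIT = """\
From: "Example Bank" <statements@examplebank.com>
Return-Path: <bounce@examplebank.com>
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is available.
<a href="https://www.examplebank.com/secure/login">Sign in</a> to view it.</p></body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside the current anchor
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(header_value):
    """Domain part of an address header (From, Reply-To, Return-Path); '' if absent."""
    _, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


def registrable(host):
    """Crude 'registrable domain': the last two labels. Assumption: no public-suffix
    list, so hosts under co.uk-style suffixes are compared too coarsely."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def phishing_indicators(raw_message):
    """Return a list of (code, detail) findings for the raw RFC 5322 message text."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])

    # 1. Replies or bounces routed to a domain other than the claimed sender's.
    for header, code in (("Reply-To", "reply-to-mismatch"),
                         ("Return-Path", "return-path-mismatch")):
        dom = domain_of(msg[header])
        if dom and registrable(dom) != registrable(from_dom):
            findings.append((code, f"{header} domain {dom} differs from From domain {from_dom}"))

    # 2. Links in the HTML body whose real target disagrees with what the reader sees.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        extractor = LinkExtractor()
        extractor.feed(body.get_content())
        for href, text in extractor.links:
            host = urlparse(href).hostname or ""
            if host.replace(".", "").isdigit():
                findings.append(("ip-link", f"link points at a bare IP address {host}"))
            if text.startswith(("http://", "https://")):
                # Visible text looks like a URL: the host it shows must match the href.
                shown = urlparse(text).hostname or ""
                if registrable(shown) != registrable(host):
                    findings.append(("link-text-mismatch", f"text shows {shown} but href goes to {host}"))
            elif registrable(host) != registrable(from_dom):
                findings.append(("off-domain-link", f"link to {host} in a message claiming to be {from_dom}"))
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(sample))
```

Run stand-alone, the script reports four findings for the constructed phishing message and none for the legitimate one. None of these checks is proof on its own (mailing-list software and third-party mailers legitimately set a different Return-Path), so such a checker belongs in a scoring pipeline or a mail-client warning, not as a hard block.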
Q: Can you describe for us, in detail, how a social engineer might go about getting access to a company network by using social engineering?
One common ploy: a social engineer pretends to be a new IT employee who has “messed up” and needs the other employee’s password to “fix” the account. The social engineer pretends to be distressed and afraid that if the boss finds out about the “mistake,” he’ll be fired. This plays on the other employee’s sympathy.
Or the social engineer might pretend to be the chairman of the company’s Board of Directors and demand that the employee provide the information, implying that the employee will be in big trouble if she doesn’t. Either way, once the attacker has a valid user name and password he simply logs on as that employee, with no technical exploit required.
Q: Who or what are the common targets of social engineering attacks?
Like most con artists, social engineers prey on those they perceive to be weak. This would include those who are new to computing or who are not technically savvy. It might include employees who are new to an organization and not yet familiar with all the personnel or all the company policies. Social engineers who rely on their charms target those who seem amenable to flattery and attention, and they may spend weeks or months building a relationship. Social engineers may also target younger people or elderly people, on the premise that they are easier to deceive, more sympathetic to a stranger’s plight, and so on.
Q: Why are certain types of people targeted by social engineers?
Social engineers are predators, and like all predators, they choose their prey based on whom they think will be easiest to influence, based on their past experience.
Q: What role does psychological manipulation play in an attack?
In many cases, it’s the crux of the attack. Some social engineering attacks involve “shoulder surfing” – watching while a person types a password – or “dumpster diving” – retrieving information from the trash. However, most social engineers are more interactive, and their success depends on being able to psychologically manipulate a person into giving them the information they want, as in the “distressed new IT employee” ploy described above, which works by playing on the other employee’s sympathy.
Q: What advice do you have for executives who want to prevent social engineering problems at their companies?
1. Educate employees and anyone else who has legitimate access to the network (sometimes companies forget about temp workers, partners and others who don’t work directly for the company). Make them aware of social engineering tactics and provide them with clear instructions on what to do if someone seems to be trying to obtain information. This isn’t necessarily limited to computer-related information. Social engineers may go about their business in a roundabout way. For instance, they know that many people use names of their children or pets as passwords, so they may feign interest in you and try to find out personal information. Or they may be looking for information about the physical layout of the building, or names and phone numbers of managers or IT personnel (which they can later use to impersonate those people in a social engineering ploy). Have detailed, written policies addressing social engineering.
2. Use technology to thwart social engineering attempts. For example, two-factor authentication, which requires a smart card or biometric scan in addition to a password or PIN, makes it much more difficult for the social engineer to successfully use a password he obtains. Note that it protects the credential, not the person: an employee can still be talked into running a program or logging on for the attacker, so it complements training rather than replacing it.
Q: What policies can companies put into place to prevent problems with social engineering?
Policies should prohibit employees from giving account information to anyone, including the help desk and IT staff. Network administrators should never need to know employees’ passwords; if an administrator needs to access an employee’s account, the administrator should reset the employee’s password to a new one without knowing the old one, and the employee should be required to change it again at the next logon.
Policies should prohibit writing down the password and should require shredding of any sensitive information that is printed.
Policies should require that passwords be complex, but not so complex that employees can’t remember them and thus are tempted to write them down.
Policies should require that passwords be changed periodically. They should also require changing the password anytime an employee has any reason to suspect it has been compromised.
Policies should prohibit using the “save password” features in applications, since a social engineer who can get physical access to the employee’s computer would then be able to access accounts, protected Web sites, and so forth. Likewise, policies should mandate that workstations be locked when an employee leaves them, even for a short time.
Policies should require employees to report any suspected social engineering attempts.
There should be clearly outlined penalties for violating policies.
For best security, policies should require multi-factor authentication, using smart cards or biometrics in addition to the password or PIN.
Q: What kinds of skills or information do employees need to combat the threat of social engineering?
Employees need to know what a social engineering attack involves, with concrete examples. Most employees who give out confidential information do so innocently, because they have been tricked by the social engineer.
Employees need the confidence and ability to “just say no” when asked for confidential information, and the knowledge that the organization will stand behind them when they do so.