2.7. Understanding Social Engineering

In the previous sections, you learned how attacks work. You also learned about TCP/IP and some of its vulnerabilities. And you were exposed to the issues that your users will face so you can help them from a technical perspective. A key method of attack that you must guard against is called social engineering.

Social engineering is a process in which an attacker attempts to acquire information about your network and system by social means, such as talking to people in the organization. A social engineering attack may occur over the phone, by e-mail, or in person. The intent is to acquire access information, such as user IDs and passwords.

Always think of a social engineering attack as one that involves people who are unwitting.


These types of attacks are relatively low-tech and are more akin to con jobs. Take the following example: Your help desk gets a call at 4:00 a.m. from someone purporting to be the vice president of your company. She tells the help desk personnel that she is out of town to attend a meeting, her computer just failed, and she is sitting in a Kinko's trying to get a file from her desktop computer back at the office. She can't seem to remember her password and user ID. She tells the help desk representative that she needs access to the information right away or the company could lose millions of dollars. Your help desk rep knows how important this meeting is and gives the vice president her user ID and password over the phone. You've been hit!

Another common approach is initiated by a phone call or e-mail from someone claiming to be your software vendor, telling you that they have a critical fix that must be installed on your computer system. If this patch isn't installed right away, your system will crash, and you'll lose all your data. For some reason, you've changed your maintenance account password, and they can't log on. Your systems operator gives the password to the person. You've been hit again.

NOTE

Users are bombarded with e-mails and messages on services such as AOL asking them to confirm the password they use. These attacks appear to come from the administrative staff of the network. The attacker already has the user ID or screen name; all they need to complete the attack is the password. Make sure your users never give out their user IDs or passwords; either one potentially completes an attack.

With social engineering, the villain doesn't always have to be seen or heard to conduct the attack. The use of e-mail was mentioned earlier, and in recent years, the frequency of attacks via instant messaging has also increased. Attackers can send infected files over Instant Messaging (IM) as easily as they can over e-mail. A recent virus on the scene accesses a user's IM client and uses the infected user's buddy list to send messages to other users and infect their machines as well.

Phishing is a form of social engineering in which you simply ask someone for a piece of information that you are missing by making it look as if it is a legitimate request. An e-mail might look as if it is from a bank and contain some basic information, such as the user's name. In the e-mail, it will often state that there is a problem with the person's account or access privileges. They will be told to click a link to correct the problem. After they click the link—which goes to a site other than the bank's—they are asked for their username, password, account information, and so on. The person instigating the phishing can then use the values entered there to access the legitimate account.

One of the best counters to phishing is to simply mouse over the Click Here link and read the URL. Almost every time, it points to an adaptation of the legitimate URL rather than to the real thing.
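The mouse-over check above can be automated for an HTML e-mail body: pull every link, and flag any whose target host is not the bank's real domain (or a subdomain of it) while its host or visible text still borrows the bank's name. This is an added example, not code from the book; `examplebank.com` and the message body are constructed values.

```python
"""Flag phishing-style links: anchors that claim a legitimate brand but
point at an adaptation of its domain or somewhere else entirely."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_matches(host, legit_domain):
    """True only if host is the legitimate domain or a real subdomain of it
    (so 'examplebank.com.evil.example' does NOT match 'examplebank.com')."""
    host = host.lower().rstrip(".")
    return host == legit_domain or host.endswith("." + legit_domain)


def suspicious_links(html, legit_domain):
    """Return (href, text, reason) for links that leave the legitimate domain."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if host_matches(host, legit_domain):
            continue  # genuinely the bank's site: nothing to report
        # "lookalike": the brand name is embedded in the host or the label
        brand = legit_domain.split(".")[0]
        reason = "lookalike" if (brand in host or legit_domain in text) else "off-domain"
        findings.append((href, text, reason))
    return findings


# Constructed sample message (hypothetical bank, hypothetical hosts).
SAMPLE = ('<p>Dear customer, there is a problem with your account. '
          '<a href="http://examplebank.com.account-verify.example/login">Click Here</a>'
          ' or see <a href="https://www.examplebank.com/help">examplebank.com</a>.</p>')
```

Run `suspicious_links(SAMPLE, "examplebank.com")` to see the first link reported as a lookalike while the real help page is left alone.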


The only preventive measure in dealing with social engineering attacks is to educate your users and staff to never give out passwords and user IDs over the phone or via e-mail, or to anyone who isn't positively verified as being who they say they are. Social engineering is a recurring topic that will appear several times throughout this book as it relates to the subject being discussed.

A Security Analogy

In this chapter, a number of access methods were discussed. Sometimes it can be confusing to keep them all straight. To put the main ones somewhat in perspective, think of them in terms of a stranger who wants to gain access to your house. Any number of types of individuals may want to get into your house without your knowing it:

  • A thief wanting to steal any valuables you may have

  • Teenagers wanting to do something destructive on a Saturday night

  • Homeless people looking to get in out of the cold and find some food

  • A neighbor who has been drinking and accidentally pulls in the wrong driveway and starts to come in, thinking it is their house

  • A professional hit man wanting to lie in wait for you to come home

There are many more, but these represent a good cross section of individuals, each of whom has different motives and motivational levels for trying to get in.

To keep the thief out, you could post security signs all around your house and install a home alarm. He might not know if you really have ABC Surveillance active monitoring—as the signs say—but he might not want to risk it and go away looking for an easier target to hit. In the world of computer security, encryption acts like your home alarm and monitoring software, alerting you (or your monitoring company) to potential problems when they arise.

The teenagers just want to do damage anywhere, and your house is as good as the next one. Installing motion lights above the doors and around the side of the house is really all you need to make them drive farther down the road. In the world of computer security, good passwords—and policies that are enforced—will keep these would-be intruders out.

The homeless also have no particular affection for your home as opposed to the next. You can keep them out by using locks on your doors and windows and putting a fence around your yard. If they can't get in the fence, they can't approach the house, and if they do manage that, they are confronted by the locks. Firewalls serve this purpose in the world of computer security.

The neighbor just made a legitimate error. That happens. I once went into the wrong person's tent when camping because they all look the same. To make yours look different, you can add banners and warnings to the login routines stating, for example, that this is the ABC server and that you must be an authorized user to access it.

This leaves the hit man. He has been paid to do a job, and that job entails gaining access to your home. No matter how good the locks are on your house, no matter how many motion lights you put up, if someone's sole purpose in life is to gain access to your house, they will find a way to do it. The same is true of your server. You can implement measures to keep everyone else out, but if someone spends their entire existence dedicated to getting access to that server, they will do it, whether that entails putting on a heating and air conditioning uniform and walking past the receptionist, pointing two dozen computers at hashing routines that will crack your passwords, or driving a tank through the side of the building. Your job is to handle all the reasonable risks that come your way. Some, however, you have to acknowledge have only a very slim chance of ever truly being risks, and some, no matter what precautions you take, will not go away.
