In the previous sections, you learned how attacks work. You also learned about TCP/IP and some of its vulnerabilities. And you were exposed to the issues that your users will face so you can help them from a technical perspective. A key method of attack that you must guard against is called social engineering.
Social engineering is a process in which an attacker attempts to acquire information about your network and system by social means, such as talking to people in the organization. A social engineering attack may occur over the phone, by e-mail, or in person. The intent is to acquire access information, such as user IDs and passwords.
These types of attacks are relatively low-tech and are more akin to con jobs. Take the following example: Your help desk gets a call at 4:00 a.m. from someone purporting to be the vice president of your company. She tells the help desk personnel that she is out of town to attend a meeting, her computer just failed, and she is sitting in a Kinko's trying to get a file from her desktop computer back at the office. She can't seem to remember her password and user ID. She tells the help desk representative that she needs access to the information right away or the company could lose millions of dollars. Your help desk rep knows how important this meeting is and gives the vice president her user ID and password over the phone. You've been hit!
Another common approach is initiated by a phone call or e-mail from someone claiming to be your software vendor, telling you that they have a critical fix that must be installed on your computer system. If this patch isn't installed right away, your system will crash, and you'll lose all your data. For some reason, you've changed your maintenance account password, and they can't log on. Your systems operator gives the password to the person. You've been hit again.
NOTE
Users are bombarded with e-mails and messages on services such as AOL asking them to confirm the password they use. These attacks appear to come from the administrative staff of the network. The attacker already has the user ID or screen name; all they need to complete the attack is the password. Make sure your users never give out their user IDs or passwords in response to such a request; either one can be the missing piece that completes an attack.
With social engineering, the villain doesn't always have to be seen or heard to conduct the attack. The use of e-mail was mentioned earlier, and in recent years, the frequency of attacks via instant messaging has also increased. Attackers can send infected files over Instant Messaging (IM) as easily as they can over e-mail. A recent virus on the scene accesses a user's IM client and uses the infected user's buddy list to send messages to other users and infect their machines as well.
Phishing is a form of social engineering in which you simply ask someone for a piece of information that you are missing by making it look as if it is a legitimate request. An e-mail might look as if it is from a bank and contain some basic information, such as the user's name. The e-mail will often state that there is a problem with the person's account or access privileges, and the user will be told to click a link to correct the problem. After the user clicks the link, which goes to a site other than the bank's, they are asked for their username, password, account information, and so on. The person instigating the phishing can then use the values entered there to access the legitimate account.
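The tell-tale sign described above, a link whose real destination is not the bank's site, can be checked mechanically before a user ever sees the message. The following Python script is an added example (not code from the original text) that pulls every anchor out of an HTML e-mail body and flags links whose destination host is not on a trusted list, or whose visible text shows one domain while the href points at another. The e-mail body, the placeholder domains, and the `TRUSTED_HOSTS` set are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing-style HTML e-mail body. The hosts are
# documentation/placeholder values, not real infrastructure.
SAMPLE_EMAIL_HTML = """
<p>Dear Jane Doe,</p>
<p>We detected a problem with your account access privileges.</p>
<p>Please <a href="http://login-verify.example.net/secure">click here</a>
to restore access, or visit
<a href="http://198.51.100.23/bank">https://www.examplebank.example</a>.</p>
<p><a href="https://www.examplebank.example/help">Help centre</a></p>
"""

# Hostnames the organisation legitimately uses (assumed for this example);
# any link that lands anywhere else is treated as suspect.
TRUSTED_HOSTS = {"examplebank.example", "www.examplebank.example"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current_href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current_href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._current_href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current_href is not None:
            self.links.append((self._current_href, "".join(self._text).strip()))
            self._current_href = None


def extract_links(html):
    """Return a list of (href, visible_text) tuples found in the HTML."""
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def _host(value):
    """Lower-case hostname of a URL or bare domain ('' if none can be parsed)."""
    parsed = urlparse(value)
    if not parsed.scheme or not parsed.netloc:
        parsed = urlparse("http://" + value)
    return (parsed.hostname or "").lower()


def is_trusted_host(host, trusted):
    """True if host equals, or is a subdomain of, a trusted hostname."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def find_suspicious_links(html, trusted=TRUSTED_HOSTS):
    """Flag anchors that leave the trusted domains or disguise their target."""
    findings = []
    for href, text in extract_links(html):
        destination = _host(href)
        reasons = []
        if not is_trusted_host(destination, trusted):
            reasons.append(f"destination host {destination!r} is not trusted")
        # Visible text that itself looks like a URL or domain (has a dot, no
        # spaces) but resolves to a different host than the href is the
        # classic "displayed bank address, real attacker address" trick.
        looks_like_url = "." in text and " " not in text
        shown = _host(text) if looks_like_url else ""
        if shown and shown != destination:
            reasons.append(f"text shows {shown!r} but link goes to {destination!r}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_EMAIL_HTML):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the sample, the "click here" link and the mismatched IP-address link are both reported, while the genuine help-centre link passes. A mail gateway or user-reporting tool would apply the same two checks (destination allow-list plus displayed-versus-actual host comparison) to every inbound message; the allow-list is the part that has to be maintained per organisation.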
The only preventive measure in dealing with social engineering attacks is to educate your users and staff to never give out passwords and user IDs over the phone or via e-mail, or to anyone who isn't positively verified as being who they say they are. Social engineering is a recurring topic that will appear several times throughout this book as it relates to the subject being discussed.