In this chapter, you will learn how to

   Define basic terminology associated with social engineering

   Describe steps organizations can take to improve their security

   Describe common user actions that may put an organization’s information at risk

   Recognize methods attackers may use to gain information about an organization

   Determine ways in which users can aid instead of detract from security

   Recognize the roles training and awareness play in assisting the people side of security

The operational model of computer security discussed in the previous chapter acknowledges that absolute protection of computer systems and networks is not possible and that we need to be prepared to detect and respond to attacks that are able to circumvent our security mechanisms. Another very basic fact that should be recognized is that technology alone will not solve the security problem. No matter how advanced the technology is, it will ultimately be deployed in an environment where humans exist. It is the human element that poses the biggest security challenge. It is hard to compensate for all the possible ways humans can deliberately or accidentally cause security problems or circumvent our security mechanisms. Despite all the technology, despite all the security procedures we have in place, and despite all the security training we may provide, somebody will invariably fail to do what they are supposed to do, or do something they are not supposed to do, and create a vulnerability in the organization’s security posture. This chapter discusses the human element and the role that people play in security—both the user practices that can aid in securing an organization and the vulnerabilities or holes in security that users can introduce.

People—A Security Problem

The operational model of computer security acknowledges that prevention technologies are not sufficient to protect our computer systems and networks. There are a number of explanations for why this is true; most of them are technical, but one of the biggest reasons that prevention technologies are not sufficient is that every network and computer system has at least one human user, and humans are prone to make mistakes and are often easily misled or fooled.

Social Engineering

Social engineering is the process of convincing an authorized individual to provide confidential information or access to an unauthorized individual. It is a technique in which the attacker uses various deceptive practices to convince the targeted person to divulge information they normally would not divulge or to convince the target of the attack to do something they normally wouldn’t do. Social engineering is very successful for several reasons. The first is the basic desire of most people to be helpful. When somebody asks a question for which we know the answer, our normal response is not to be suspicious but rather to answer the question. The problem with this is that seemingly innocuous information can be used either directly in an attack or indirectly to build a bigger picture that an attacker can use to create an aura of authenticity during an attack—the more information an individual has about an organization, the easier it will be to convince others that this person is part of the organization and has a right to even sensitive information. An attacker who is attempting to exploit the natural tendency of people to be helpful may take one of several approaches:

   The attacker might simply ask a question, hoping to immediately obtain the desired information. For basic information that is not considered sensitive, this approach generally works. As an example, an attacker might call and ask who the IT manager is.

   The attacker might first attempt to engage the target in conversation and try to evoke sympathy so that the target feels sorry for the individual and is more prone to provide the information. For information that is even slightly sensitive in nature, the request of which could possibly arouse suspicion, this technique may be tried. As an example, an attacker might call and claim to be under some deadline from a supervisor who is upset for some reason. The target, feeling sorry for an alleged fellow worker, might give up the information, thinking they are helping them avoid trouble with the supervisor.

   The attacker might appeal to an individual’s ego. As an example, an attacker might call the IT department, claiming to have some sort of problem, and praising them for work they supposedly did to help another worker. After being told how great they are and how much they helped somebody else, they will often be tempted to demonstrate that they can supply the same level of help to another individual. This technique may be used to obtain sensitive information, such as having the target’s password reset.

The second reason that social engineering is successful is that individuals normally seek to avoid confrontation and trouble. If the attacker attempts to intimidate the target, threatening to call the target’s supervisor because of a lack of help, the target may give in and provide the information to avoid confrontation. This variation on the attack is often successful in organizations that have a strict hierarchical structure. In the military, for example, a lower-ranking individual may be coerced into providing information to an individual claiming to be of higher rank or to be working for another individual higher up in the chain of command.

Social engineering can also be accomplished using other means besides direct contact between the target and the attacker. For example, an attacker might send a forged e-mail with a link to a bogus web site that has been set up to obtain information from the target or convince the target to perform some action. Again, the goal in social engineering is to convince the target to provide information that they normally wouldn’t divulge or to perform some act that they normally would not do. An example of a slightly different attack that is generally still considered a social engineering attack is one in which an attacker replaces the blank deposit slips in a bank’s lobby with ones containing his or her own account number but no name. When an unsuspecting customer uses one of the slips, a teller who is not observant could end up crediting the attacker’s account with the deposit.

Tools

The tools in a social engineer’s toolbox are based on a knowledge of psychology and don’t necessarily require a sophisticated knowledge of software or hardware. The social engineer will employ strategies aimed to exploit people’s own biases and beliefs in a manner to momentarily deny them the service of good judgment and the use of standard procedures. Employing social engineering tools is second nature to a social engineer, and with skill they can switch these tools in and out in any particular circumstance, just as a plumber uses various hand tools and a system administrator uses OS commands to achieve complex tasks. When watching any of these professionals work, we may marvel at how they wield their tools, and the same is true for social engineers—except their tools are more subtle, and the target is people and trust. The following sections detail common “techniques” that can be employed in many social engineering attacks.

Authority

The use of authority in social situations can lead to an environment where one party feels at risk in challenging another over an issue. To use authority in a social engineering situation, the attacker will set up a scenario where there’s an appearance that a person has a level of authority in a situation, and this leads to the false impression that challenging the authority could have detrimental consequences. The attacker can use the establishment of a belief of authority that they might have in a situation to convince others to act in a particular manner. Act like a boss is requesting something, and people are less likely to withhold it. If an attacker can convince others that he has authority in a particular situation, he can entice them to act in a particular manner. The best defenses against this and many social engineering attacks is a strong set of policies that have no exceptions. Much like security lines in the airport, when it comes to the point of screening, everyone gets screened, even flight crews, so there is no method of bypassing the critical step.

Intimidation

Intimidation can be either subtle, through perceived power, or more direct, through the use of communications that build an expectation of superiority.

Consensus

Consensus is a group-wide decision. It frequently comes not from a champion, but rather through rounds of group negotiation. These rounds can be manipulated to achieve desired outcomes. The social engineer simple moves others to achieve her desired outcome.

Scarcity

If something is in short supply and is valued, then arriving with what is needed can bring rewards—and acceptance. “Only X number left at this price” is an example of this technique. Even if something is not scare, implied scarcity or implied future change can create a perception of scarcity.

Familiarity

People do things for people they like or feel connected to. Building this sense of familiarity and appeal can lead to misplaced trust. The social engineer can focus the conversation on familiar items, not on the differences. Again, creating the perception that one has been there before or has done something, even if they haven’t, will lead to the desired familiar feeling of familiarity.

Trust

Trust is defined as having an understanding of how something or someone will act under specific conditions. Social engineers can shape the perceptions of a worker to where they will apply judgments to the trust equation and come to false conclusions. The whole objective of social engineering is not to force people to do things they would not normally do, but rather to give them a pathway to feel that they are doing the correct thing in the moment.

Urgency

Time can be manipulated to drive a sense of urgency and prompt shortcuts that can lead to opportunities for interjection into processes. Limited-time offers should always be viewed as suspect. Perception is the key, giving the target a reason to believe that they can take advantage of a time situation, regardless of whether it really is present, achieves the outcome of them acting in a desired manner.

Impersonation

Impersonation is a common social engineering technique that can be employed in many ways. It can occur in person, over a phone, or online. In the case of an impersonation attack, the attacker assumes a role that is recognized by the person being attacked, and in assuming that role, the attacker uses the potential victim’s biases against their better judgment to follow procedures. Impersonation can occur in a variety ways—from third parties, to help desk operators, to vendors and even online sources.

Third-Party Authorization

By using previously obtained information about a project, deadline, and boss, the attacker can (1) arrive with something the victim is somewhat expecting or would see as normal, (2) use the guise of a project in trouble or some other situation where they will be viewed as helpful or as one not to upset, and (3) name-drop “Mr. Big Wig,” who happens to be out of the office and unreachable at the moment, thus avoiding a reference check. And the attacker seldom asks for anything that on the face of it seems unreasonable, or is unlikely to be shared based on the circumstances. These actions can create the appearance of a third-party authorization, when in fact there is none.

Help Desk/Tech Support

Calls to or from help desk and tech support units can be used to elicit information. Posing as an employee, you can get a password reset, details about some system, or other useful information. The call can go the other direction as well, where the social engineer is posing as the help desk or tech support. Then, by calling employees, the attacker can get information on system status and other interesting elements that they can use later.

Contractors/Outside Parties

It is common in many organizations to have outside contractors clean the building, water the plants, and do other routine chores. In many of these situations, without proper safeguards, an attacker can simply put on clothing that matches a contractor’s uniform, show up to do the job at a slightly different time than it’s usually done, and, if challenged, play on the sympathy of the workers by saying they are filling in for X or covering for Y. The attacker then roams the halls unnoticed because they blend in, all the while photographing desks and papers and looking for information.

Online Attacks

Impersonation can be employed in online attacks as well. In these cases, technology plays an intermediary role in the communication chain. Some older forms, such as pop-up windows, tend to be less effective today, because users are wary of them. Yet phishing attempts via e-mail and social media scams abound.

Defenses

In all of the cases of impersonation, the best defense is simple—have processes in place that require employees to ask to see a person’s ID before engaging with them if the employees do not personally known them. That includes challenging people such as delivery drivers and contract workers. Don’t let people in through the door, piggybacking, without checking their ID. If this is standard process, then no one becomes offended, and if someone fakes offense, it becomes even more suspicious. Training and awareness do work, as proven by trends such as the diminished effectiveness of pop-up windows. But the key to this defense is to make the training periodic and to tailor it to what is currently being experienced, rather than a generic recitation of best practices.

Phishing

Phishing (pronounced fishing) is a type of social engineering in which an attacker attempts to obtain sensitive information from a user by masquerading as a trusted entity in an e-mail or instant message sent to a large group of often random users. The attacker attempts to obtain information such as usernames, passwords, credit card numbers, and details about the user’s bank accounts. The message sent often encourages the user to go to a web site that appears to be for a reputable entity such as PayPal or eBay, both of which have frequently been used in phishing attempts. The web site the user actually visits is not owned by the reputable organization, however, and asks the user to supply information that can be used in a later attack. Often the message sent to the user will state that the user’s account has been compromised and will request, for security purposes, the user to enter their account information to verify the details.

The best defense against phishing and other social engineering attacks is an educated and aware body of employees. Continual refresher training about the topic of social engineering and specifics about current attack trends are needed to keep employees aware of and prepared for new trends in social engineering attacks. Attackers rely on an uneducated, complacent, or distracted workforce to enable their attack vector. Social engineering has become the gateway for many of the most damaging attacks in play today.

In another very common example of phishing, the attacker sends a bulk e-mail, supposedly from a bank, telling the recipients that a security breach has occurred and instructing them to click a link to verify that their account has not been tampered with. If an individual actually clicks the link, they are taken to a site that appears to be owned by the bank but is actually controlled by the attacker. When they supply their account and password for “verification” purposes, they are actually giving this information to the attacker.

The e-mails and web sites generated by the attackers often appear to be legitimate. A few clues, however, can tip off the user that the e-mail might not be what it claims to be. The e-mail may contain grammatical and typographical errors, for example. Organizations that are used in these phishing attempts (such as eBay and PayPal) are careful about their images and will not send a security-related e-mail to users containing obvious errors. In addition, almost unanimously, organizations tell their users that they will never ask for sensitive information (such as a password or account number) via an e-mail. The URL of the web site that the users are taken to may also provide a clue that the site is not what it appears to be. Despite the increasing media coverage concerning phishing attempts, many users still fall for them, which results in attackers continuing to use this relatively cheap method to gain the information they are seeking.

A recent development has been the introduction of a modification to the original phishing attack. Spear phishing is the term that has been created to refer to the special targeting of groups with something in common when launching a phishing attack. By targeting specific groups, the ratio of successful attacks (that is, the number of responses received) to the total number of e-mails or messages sent usually increases because a targeted attack will seem more plausible than a message sent to users randomly.

Pharming

Pharming consists of misdirecting users to fake web sites made to look official. Using phishing, attackers target individuals, one by one, by sending out e-mails. To become a victim, the recipient must take an action (for example, respond by providing personal information). In pharming, the user will be directed to the fake web site as a result of activity such as DNS poisoning (an attack that changes URLs in a server’s domain name table) or modification of local host files (which are used to convert URLs to the appropriate IP address). Once at the fake site, the user might supply personal information, believing that they are connected to the legitimate site.

Vishing

Vishing is a variation of phishing that uses voice communication technology to obtain the information the attacker is seeking. Vishing takes advantage of the trust that some people place in the telephone network. Users are unaware that attackers can spoof (simulate) calls from legitimate entities using Voice over IP (VoIP) technology. Voice messaging can also be compromised and used in these attempts. Generally, the attackers are hoping to obtain credit card numbers or other information that can be used in identity theft. The user might receive an e-mail asking them to call a number that is answered by a potentially compromised voice message system. Users may also receive a recorded message that appears to come from a legitimate entity. In both cases, the user will be encouraged to respond quickly and provide the sensitive information so that access to their account is not blocked. If a user ever receives a message that claims to be from a reputable entity and asks for sensitive information, the user should not provide it but instead should use the Internet or examine a legitimate account statement to find a phone number that can be used to contact the entity. The user can then verify that the message received was legitimate or report the vishing attempt.

Spam

Though not generally considered a social engineering issue, or even a security issue for that matter, spam can still be a security concern. Spam, as just about everybody knows, is bulk unsolicited e-mail. It can be legitimate in the sense that it has been sent by a company advertising a product or service, but it can also be malicious and could include an attachment that contains malicious software designed to harm your system, or a link to a malicious web site that may attempt to obtain personal information from you. Though not as well known, a variation on spam is spim, which is basically spam delivered via an instant messaging application such as Yahoo! Messenger or AIM. The purpose of hostile spim is the same as that of spam—the delivery of malicious content or links.

Shoulder Surfing

Shoulder surfing does not necessarily involve direct contact with the target, but instead involves the attacker directly observing the individual entering sensitive information on a form, keypad, or keyboard. The attacker may simply look over the shoulder of the user at work, for example, or may set up a camera or use binoculars to view the user entering sensitive data. The attacker can attempt to obtain information such as a personal identification number (PIN) at an automated teller machine (ATM), an access control entry code at a secure gate or door, or a credit card number. Many locations now use a small shield to surround a keypad so that it is difficult to observe somebody entering information. More sophisticated systems can actually scramble the location of the numbers so that the top row might include the numbers 1, 2, and 3 one time and the numbers 4, 8, and 0 the next. Although this makes it a bit slower for the user to enter information, it thwarts an attacker’s attempt to observe what numbers are pressed and enter the same buttons/pattern, since the location of the numbers constantly changes.

Although methods such as adding shields to block the view or having the pad scramble the numbers can help make shoulder surfing more difficult, the best defense is for users to be aware of their surroundings and to not allow individuals to get into a position from which they can observe what the user is entering.

The attacker may attempt to increase the chance of successfully observing the target entering the data by starting a conversation with the target. This provides an excuse for the attacker to be physically closer to the target. Otherwise, the target could be suspicious if the attacker is standing too close. In this sense, shoulder surfing can be considered a social engineering attack.

Reverse Social Engineering

A slightly different approach to social engineering is called reverse social engineering. In this technique, the attacker hopes to convince the target to initiate the contact. This obviously differs from the traditional approach, where the target is the one that is contacted. The reason this attack might be successful is that, because the target is the one initiating the contact, attackers might not have to convince the target of their authenticity. The tricky part of this attack is, of course, convincing the target to make that initial contact. Possible methods to accomplish this might include sending out a spoofed e-mail (fake e-mail designed to appear authentic) that claims to be from a reputable source and provides another e-mail address or phone number to call for “tech support,” or posting a notice or creating a bogus web site for a legitimate company that also claims to provide “tech support.” This may be especially successful if timed to coincide with a company’s deployment of a new software or hardware platform. Another potential time to target an organization with this sort of attack is when there is a significant change in the organization itself, such as when two companies merge or a smaller company is acquired by a larger one. During these times, employees are not familiar with the new organization or its procedures, and amid the confusion it is easy to conduct either a social engineering or reverse social engineering attack.

Hoaxes

At first glance, it might seem that a hoax related to security would be considered a nuisance and not a real security issue. This might be the case for some hoaxes, especially those of the urban legend type, but the reality of the situation is that a hoax can be very damaging if it causes users to take some sort of action that weakens security. One real hoax, for example, described a new, highly destructive piece of malicious software. It instructed users to check for the existence of a certain file and to delete it if the file was found. In reality, the file mentioned was an important file used by the operating system, and deleting it caused problems the next time the system was booted. The damage caused by users modifying security settings can be serious. As with other forms of social engineering, training and awareness are the best and first line of defense for both users and administrators. Users should be trained to be suspicious of unusual e-mails and stories and should know whom to contact in the organization to verify their validity if they are received. Hoaxes often also advise the user to send it to their friends so they know about the issue as well—and by doing so, they help spread the hoax. Users need to be suspicious of any e-mail telling them to “spread the word.”

Poor Security Practices

A significant portion of human-created security problems results from poor security practices. These poor practices may be those of an individual user who is not following established security policies or processes, or they may be caused by a lack of security policies, procedures, or training within the user’s organization.

Password Selection

For many years, computer intruders have relied on users’ poor selection of passwords to help the intruders in their attempts to gain unauthorized access to a system or network. If attackers could obtain a list of the users’ names, chances were good they could eventually access the system. Users tend to pick passwords that are easy for them to remember, and what easier password could there be than the same sequence of characters that they use for their user ID? If a system has an account with the username jdoe, an attacker’s reasonable first guess of the account’s password would be jdoe. If this doesn’t work, the attacker would try variations on the same, such as doej, johndoe, johnd, and eodj, all of which would be reasonable possibilities.

If the attacker’s attempt to use variations on the username does not yield the correct password, they might simply need more information. Users also frequently pick names of family members, pets, or favorite sports teams. If the user lives in San Antonio, Texas, for example, a possible password might be gospursgo in honor of the city’s professional basketball team. If these attempts don’t work for the attacker, then the attacker might next try hobbies of the user, the name of the user’s favorite make or model of car, or similar pieces of information. The key is that the user often picks something easy for them to remember, which means that the more the attacker knows about the user, the better the chance of discovering the user’s password.

In an attempt to complicate the attacker’s job, organizations have encouraged their users to mix upper- and lowercase characters and to include numbers and special characters in their password. Although this does make the password harder to guess, the basic problem still remains: users will pick something that is easy for them to remember. Thus, our user in San Antonio may select the password G0*Spurs*G0, capitalizing three of the letters, inserting a special character twice, and substituting the number zero for the letter O. This makes the password harder to crack, but there are a finite number of variations on the basic gospursgo password, so, while the attacker’s job has been made more difficult, it is still possible to guess the password.

Organizations have also instituted additional policies and rules relating to password selection to further complicate an attacker’s efforts. Organizations, for example, may require users to frequently change their password. This means that if an attacker is able to guess a password, it is only valid for a limited period of time before a new password is selected, after which the attacker is locked out. All is not lost for the attacker, however, because, again, users will select passwords they can remember. For example, password changes often result in a new password that simply incorporates a number at the end of the old one. Thus, our San Antonio user might select G0*Spurs*G1 as the new password, in which case the benefit of forcing password changes on a periodic, or even frequent, basis has been totally lost. It is a good bet that the next password chosen will be G0*Spurs*G2, followed by G0Spurs*G3, and so forth.

Another policy or rule governing password selection often adopted by organizations is that passwords must not be written down. This, of course, is difficult to enforce, and thus users will frequently write them down, often as a result of what is referred to as the “password dilemma.” The more difficult we make it for attackers to guess our passwords, and the more frequently we force password changes, the more difficult the passwords are for authorized users to remember and the more likely they are to write them down. Writing them down and putting them in a secure place is one thing, but all too often users will write them on a slip of paper and keep them in their calendar, wallet, or purse. Most security consultants generally agree that if they are given physical access to an office, they will be able to find a password somewhere—the top drawer of a desk, inside of a desk calendar, attached to the underside of the keyboard, or even simply on a yellow “sticky note” attached to the monitor.

With the proliferation of computers, networks, and users, the password dilemma has gotten worse. Today, the average Internet user probably has at least a half dozen different accounts and passwords to remember. Selecting a different password for each account, following the guidelines mentioned previously regarding character selection and frequency of changes, only aggravates the problem of remembering the passwords. This results in users all too frequently using the same password for all accounts. If a user does this, and then one of the accounts is compromised, all other accounts are subsequently also vulnerable to attack.

The need for good password selection and the protection of passwords also applies to another common feature of today’s electronic world: PINs. Most people have at least one PIN associated with things such as their ATM card or a security code to gain physical access to a room. Again, users will invariably select numbers that are easy to remember. Specific numbers, such as the individual’s birth date, their spouse’s birth date, or the date of some other significant event, are all common numbers to select. Other people will pick patterns that are easy to remember—2580, for example, uses all of the center numbers on a standard numeric pad on a telephone. Attackers know this, and guessing PINs follows the same sort of process that guessing a password does.

Password selection is an individual activity, and ensuring that individuals are making good selections is the realm of the entity’s password policy. In order for users make appropriate choices, they need to be aware of the issue and their personal role in securing accounts. An effective password policy conveys both the user’s role and responsibility associated with password usage and does so in a simple enough manner that it can be conveyed via screen notes during mandated password change events.

Shoulder Surfing

As discussed earlier, shoulder surfing does not involve direct contact with the user, but instead involves the attacker directly observing the target entering sensitive information on a form, keypad, or keyboard. The attacker may simply look over the shoulder of the user at work, watching as a coworker enters their password. Although defensive methods can help make shoulder surfing more difficult, the best defense is for a user to be aware of their surroundings and to not allow individuals to get into a position from which they can observe what the user is entering. A related security comment can be made at this point: a person should not use the same PIN for all of their different accounts, gate codes, and so on, because an attacker who learns the PIN for one could then use it for all the others.

Piggybacking

People are often in a hurry and will frequently not follow good physical security practices and procedures. Attackers know this and may attempt to exploit this characteristic in human behavior. Tailgating, or piggybacking, is the simple tactic of following closely behind a person who has just used their own access card or PIN to gain physical access to a room or building. An attacker can thus gain access to the facility without having to know the access code or having to acquire an access card. It is similar to shoulder surfing in that it relies on the attacker taking advantage of an authorized user not following security procedures. Frequently the attacker might even start a conversation with the target before reaching the door so that the user is more comfortable with allowing the individual in without challenging them. In this sense, piggybacking is related to social engineering attacks. Both the piggybacking and shoulder surfing attack techniques can be easily countered by using simple procedures to ensure nobody follows you too closely or is in a position to observe your actions. Both techniques rely on the poor security practices of an authorized user to be successful. A more sophisticated countermeasure to piggybacking is a man trap, which utilizes two doors to gain access to the facility. The second door does not open until the first one is closed, and it is spaced close enough to the first door that an enclosure is formed that only allows one individual through at a time.

Dumpster Diving

As mentioned earlier, attackers need a certain amount of information before launching their attack. One common place to find this information, if the attacker is in the vicinity of the target, is the target’s trash. The attacker might find little bits of information that could be useful for an attack. This process of going through a target’s trash in hopes of finding valuable information that can be used in a penetration attempt is known in the computer community as dumpster diving.

The tactic is not, however, unique to the computer community; it has been used for many years by others, such as identity thieves, private investigators, and law enforcement personnel, to obtain information about an individual or organization. If the attackers are very lucky, and the target’s security procedures are very poor, they may actually find user IDs and passwords. As mentioned in the discussion on passwords, users sometimes write their password down. If, when the password is changed, they discard the paper the old password was written on without shredding it, the lucky dumpster diver can gain a valuable clue. Even if the attacker isn’t lucky enough to obtain a password directly, they undoubtedly will find employee names, from which it’s not hard to determine user IDs, as discussed earlier.

Finally, the attacker might gather a variety of information that can be useful in a social engineering attack. In most locations, trash is no longer considered private property after it has been discarded (and even where dumpster diving is illegal, little enforcement occurs). An organization should have policies about discarding materials. Sensitive information should be shredded and the organization should consider securing the trash receptacle so that individuals can’t forage through it. People should also consider shredding personal or sensitive information that they wish to discard in their own trash. A reasonable-quality shredder is inexpensive and well worth the price when compared with the potential loss that could occur as a result of identity theft.

Installing Unauthorized Hardware and Software

Organizations should have a policy that restricts the ability of normal users to install software and new hardware on their systems. A common example is a user installing unauthorized communication software and a modem to allow them to connect to their machine at work via a modem from their home. Another common example is a user installing a wireless access point so that they can access the organization’s network from many different areas. In these examples, the user has set up a backdoor into the network, circumventing all the other security mechanisms in place. The terms rogue modem and rogue access point may be used to describe these two cases, respectively. A backdoor is an avenue that can be used to access a system while circumventing normal security mechanisms and can often be used to install additional executable files that can lead to more ways to access the compromised system. Security professionals can use widely available tools to scan their own systems periodically for either of these rogue devices to ensure that users haven’t created a backdoor.

Another common example of unauthorized software that users install on their systems is games. Unfortunately, not all games come in shrink-wrapped packages. Numerous small games can be downloaded from the Internet. The problem with this is that users don’t always know where the software originally came from and what may be hidden inside it. Many individuals have unwittingly installed what seemed to be an innocuous game, only to have downloaded a piece of malicious code capable of many things, including opening a backdoor that allows attackers to connect to, and control, the system from across the Internet.

Because of these potential hazards, many organizations do not allow their users to load software or install new hardware without the knowledge and assistance of administrators. Many organizations also screen, and occasionally intercept, e-mail messages with links or attachments that are sent to users. This helps prevent users from, say, unwittingly executing a hostile program that was sent as part of a worm or virus. Consequently, many organizations have their mail servers strip off executable attachments to e-mail so that users can’t accidentally cause a security problem.

Data Handling

Understanding the responsibilities of proper data handling associated with one’s job is an important training topic. Information can be deceptive in that it is not directly tangible, and people tend to develop bad habits around other job measures … at the expense of security. Employees require training in how to recognize the data classification and handling requirements of the data they are using, and they need to learn how to follow the proper handling processes. If certain data elements require special handling because of contracts, laws, or regulations, there is typically a training clause associated with this requirement. Personnel assigned to these tasks should be specifically trained with regard to the security requirements. The spirit of the training clause is you get what you train, and if security over specific data types is a requirement, then it should be trained. This same principle holds for corporate data-handling responsibilities; you get the behaviors you train and reward.

Physical Access by Non-Employees

As has been mentioned, if an attacker can gain physical access to a facility, chances are very good that the attacker can obtain enough information to penetrate computer systems and networks. Many organizations require employees to wear identification badges when at work. This is an easy method to quickly spot who has permission to have physical access to the organization and who does not. Although this method is easy to implement and can be a significant deterrent to unauthorized individuals, it also requires that employees actively challenge individuals who are not wearing the required identification badge. This is one area where organizations fail. Combine an attacker who slips in by tailgating off of an authorized individual and an environment where employees have not been encouraged to challenge individuals without appropriate credentials and you have a situation where you might as well not have any badges in the first place. Organizations also frequently become complacent when faced with what appears to be a legitimate reason to access the facility, such as when an individual shows up with a warm pizza claiming it was ordered by an employee. It has often been stated by security consultants that it is amazing what you can obtain access to with a pizza box or a vase of flowers.

Another aspect that must be considered is personnel who have legitimate access to a facility but also have intent to steal intellectual property or otherwise exploit the organization. Physical access provides an easy opportunity for individuals to look for the occasional piece of critical information carelessly left out. With the proliferation of devices such as cell phones with built-in cameras, an individual could easily photograph information without it being obvious to employees. Contractors, consultants, and partners frequently not only have physical access to the facility but may also have network access. Other individuals who typically have unrestricted access to the facility when no one is around are nighttime custodial crewmembers and security guards. Such positions are often contracted out. As a result, hackers have been known to take temporary custodial jobs simply to gain access to facilities.

Clean Desk Policies

Preventing access to information is also important in the work area. Firms with sensitive information should have a “clean desk policy” specifying that sensitive information must not be left unsecured in the work area when the worker is not present to act as custodian. Even leaving the desk area and going to the bathroom can leave information exposed and subject to compromise. The clean desk policy should identify and prohibit things that are not obvious upon first glance, such as passwords on sticky notes under keyboards or mouse pads or in unsecured desk drawers.

People as a Security Tool

An interesting paradox when speaking of social engineering attacks is that people are not only the biggest problem and security risk but also the best tool in defending against a social engineering attack. The first step a company should take to fight potential social engineering attacks is to create the policies and procedures that establish the roles and responsibilities for not only security administrators but for all users. What is it that management expects, security-wise, from all employees? What is it that the organization is trying to protect, and what mechanisms are important for that protection?

Security Awareness

Probably the single most effective method to counter potential social engineering attacks, after establishment of the organization’s security goals and policies, is an active security awareness program. The extent of the training will vary depending on the organization’s environment and the level of threat, but initial employee training on social engineering at the time a person is hired is important, as well as periodic refresher training.

An important element that should be stressed in training about social engineering is the type of information that the organization considers sensitive and may be the target of a social engineering attack. There are undoubtedly signs that the organization could point to as indicative of an attacker attempting to gain access to sensitive corporate information. All employees should be aware of these indicators. The scope of information that an attacker may ask for is very large, and many questions attackers pose might also be legitimate in another context (asking for someone’s phone number, for example). Employees should be taught to be cautious about revealing personal information and should especially be alert for questions regarding account information, personally identifiable information, or passwords.

As a final note on user responsibilities, corporate security officers must cultivate an environment of trust in their office, as well as an understanding of the importance of security. If users feel that security personnel are only there to make their life difficult or to dredge up information that will result in an employee’s termination, the atmosphere will quickly turn adversarial and be transformed into an “us-versus-them” situation. Security personnel need the help of all users and should strive to cultivate a team environment in which users, when faced with a questionable situation, will not hesitate to call the security office. In situations like this, security offices should remember the old adage of “don’t shoot the messenger.”

Social Networking and P2P

With the rise in popularity of social networking sites—notably Facebook, Twitter, and LinkedIn—many people have gotten into a habit of sharing too much information. Using a status of “Returning from sales call to XYZ company” reveals information to people who have no need to know this information. Confusing sharing with friends and sharing business information with those who don’t need to know is a line people are crossing on a regular basis. Don’t be the employee who mixes business and personal information and releases information to parties who should not have it, regardless of how innocuous it may seem.

Users also need to understand the importance of not using common programs such as torrents and other peer-to-peer (P2P) file sharing communiations in the workplace, as these programs can result in infection mechanisms and data-loss channels. The information security training and awareness program should cover these issues. If the issues are properly explained to employees, their motivation to comply won’t simply be to avoid adverse personnel action for violating a policy; they will want to assist in the security of the organization and its mission.

Security Policy Training and Procedures

People in an organization play a significant role in the security posture of the organization, As such, training is important because it can provide the basis for awareness of issues such as social engineering and desired employee security habits. These are detailed in Chapter 2.