People Hacking: The Art of Social Engineering

People Hacking: The Art of Social Engineering

ABSTRACT

Social engineering is one of the most overlooked aspects of information security and yet it is the easiest way for someone - usually an employee - to gain access to restricted information on a computer network. Attacks can be either physical or psychological; each can be equally effective in acquiring confidential information. Methods used to get information can be either human- or computer-based, with different psychological reasons why each method works. Protecting against social engineers boils down to policies that guard against their attacks, but these policies must also be complemented with an effective security awareness program in order to be successful.

INTRODUCTION

Imagine a local banking company. The CIO is out of town on business. A group of strangers walks in early one morning, and by lunchtime they walk out with access to anything they want on the company's network. How did this happen?

First of all, these so-called "strangers" researched the company and probably knew more about it than most employees. The intruders showed up at the front door and just followed other employees into secured areas of the building. Each smiled when they searched for their "lost" security badge when trying to enter the top floor where the VIPs were located; a friendly employee smiled back as he let them in.

Since these strangers knew the CIO was out of town (something that the HR department revealed when they called earlier in the week), they were able to get into his office, call the Help Desk, and get his password changed because his current one "wasn't working." After they got access to the network, the intruders were able to successfully hack into the system and become a super-user with access to valuable resources. They then sorted through the CIO's files and even his trash and were able to find all kinds of useful information. These strangers then walked out of the building a few hours later with "the keys to the kingdom" and no one at the bank had any idea what just happened.

Scenarios such as the one above may not be as common as your everyday hacker trying to punch a hole through a corporate firewall, but they do happen. Although the intruders above used typical hacking tools once they were on the network, it took several days of preparation to get access to the right information in order to get into the building and start hacking. The process of acquiring this information is what is known as social engineering - also known as "people hacking."

SOCIAL ENGINEERING BASICS

Social engineering can be defined as the process of deceiving someone into giving away confidential information or inappropriate access. A social engineer works to gain the trust of the intended victim and then uses this trust to get whatever data he needs. Basically, it is a confidence game that exploits a person's natural desire to help other people. Of all of the hardware and software that comprise a security system, the weakest of all links is the human being (Arthurs, 2001). Firewalls and intrusion detection systems cannot defend against such an attack; it is one of the most successful ways to get information from a secure computer network. It is human nature to want to help others. This is a weakness that can be exploited by the social engineer - the people hacker.

Most companies are aware of the internal threat that social engineering poses, but do not focus on this aspect of information security as much as they do intrusion detection and prevention through hardware and software means. Since the majority of threats to a company's data are internal, there needs to be a greater emphasis on educating employees on how to protect against these threats.

THE GREATEST COMPUTER THREAT -- EMPLOYEES

The importance of protecting company assets has become much more of a priority in recent years, especially with the emergence of destructive viruses and the increase of intrusions into business computer networks. Even the focus of securing networks has moved from just intrusion detection to intrusion detection and prevention (Golomb, 2003). Although most companies have significant investments in physical security (security guards and laptop locks) and data security (IDS/IPS and firewalls), one of the biggest and yet most misunderstood threats is from internal sources.

INSIDERS VS. HACKERS

Studies have shown that the majority of all threats to a company are internal. This is where firewalls and IDS systems have little to no effect. This is also where management needs to focus on the employees instead of technology. Internal threats can be anything from a disgruntled employee selling corporate secrets to a secretary who has been given too much access to unneeded information. One survey, conducted by New York security firm Michael G. Kessler & Associates Ltd, discovered that "35 percent of the theft of proprietary information is perpetrated by discontented employees. Outside hackers steal secrets 28 percent of the time; other U.S. companies 18 percent; foreign corporations 11 percent and foreign governments, 8 percent" (Kessler, 2000).

THE COST OF COMPUTER CRIMES

In another study conducted by the Computer Security Institute and the FBI, it was shown that the rate of computer crimes is rising, along with the costs associated with such crimes. The findings stated, "Financial losses among 163 respondents totaled $124 million, which was the third straight year the survey had recorded losses greater than $100 million" (Kessler, 2000). The numbers for insider breaches was even more alarming than the Kessler study, reporting that "System break-ins by outsiders were reported by 30 percent of respondents, and unauthorized access by insiders was reported by 55 percent" (Kessler, 2000).

No matter what the percentage, it can be seen that internal threats are clearly the biggest problem for most companies. In order to combat this growing threat, we need to understand the different types of social engineering attacks so we can defend against them.

TYPES OF SOCIAL ENGINEERING

Before a people hacker can begin an attack, a certain amount of background work must be done. This is known as "footprinting" (Allen, 2001, p. 2). Footprinting

...