Information Security News mailing list archives

Social Engineering: The Human Side Of Hacking


From: InfoSec News <isn () c4i org>
Date: Thu, 9 May 2002 02:11:33 -0500 (CDT)

http://itmanagement.earthweb.com/secu/article/0,,11953_1040881,00.html

By Sharon Gaudin 
May 7, 2002  

A woman calls a company help desk and says she's forgotten her
password. In a panic, she adds that if she misses the deadline on a
big advertising project her boss might even fire her. The help desk
worker feels sorry for her and quickly resets the password --
unwittingly giving a hacker clear entrance into the corporate network.

Meanwhile, a man is in back of the building loading the company's
paper recycling bins into the back of a truck. Inside the bins are
lists of employee titles and phone numbers, marketing plans and the
latest company financials. All free for the taking.

Hackers, and possibly even corporate competitors, are breaching
companies' network security every day. The latest survey by the
Computer Security Institute and the FBI shows that 90% of the 503
companies contacted reported break-ins within the last year.

What may come as a surprise, according to industry analysts and
security experts, is that not every hacker is sitting alone with his
computer hacking his way into a corporate VPN or running a program to
crack executives' passwords.

Sometimes all they have to do is call up and ask.

"There's always the technical way to break into a network but
sometimes it's easier to go through the people in the company. You
just fool them into giving up their own security," says Keith A.  
Rhodes, chief technologist at the U.S. General Accounting Office,
which has a Congressional mandate to test the network security at 24
different government agencies and departments. "Companies train their
people to be helpful, but they rarely train them to be part of the
security process. We use the social connection between people, their
desire to be helpful. We call it social engineering.

"It works every time," Rhodes says, adding that he performs 10
penetration tests a year on agencies such as the IRS and the
Department of Agriculture. "Very few companies are worried about this.  
Every one of them should be."

Playing Off Trust

Social engineering is the human side of breaking into a corporate
network. Companies with authentication processes, firewalls, VPNs and
network monitoring software are still wide open to an attack if an
employee unwittingly gives away key information in an email, by
answering questions over the phone with someone they don't know or
even by talking about a project with coworkers at a local pub after
hours.

"Incidents of social engineering are quite high, we believe," says
Paul Robertson, director of risk assessment at Herndon, Va.-based
TruSecure Corp. "A significant portion of the time, people don't even
know it's happened to them. And with the people who are good at it,
their [victims] don't even know they've been scammed."

Robertson says for companies with great security technology in place,
it's almost always possible to penetrate them using social engineering
simply because it preys on the human impulse to be kind and helpful,
and because IT executives aren't training employees to be wary of it.

"People have been conditioned to expect certain things," says
Robertson. "If you dress in brown and stack a whole bunch of boxes in
a cart, people will hold the door open for you because they think
you're the delivery guy...Sometimes you grab a pack of cigarettes and
stand in the smoking area listening to their conversations. Then you
just follow them right into the building."

Guard The Perimeter

Eddie Rabinovitch, vice president of global networks and
infrastructure operations at Stamford, Ct.-based Cervalis LLC, says he
is definitely aware and on alert for various types of security attacks
-- technical or not. Cervalis is a managed hosting and IT outsourcing
company.

"We continuously have training about security in general and social
engineering in particular," says Rabinovitch. "People are out there
looking for information. They're always looking for new ways to get at
that information. In many cases, you can deal with it with tools, but
it always comes down to procedures and your people."

Rabinovitch says he deals with social engineering by focusing a lot of
training on his people on the perimeter -- security guards,
receptionists and help desk workers. For instance, he says security
guards are trained to check on visitors if they go out in the smoking
area to make sure they're not handing their admittance badge over to
someone else. And he adds that if someone shows up in a utility
worker's uniform, his visit is confirmed before he is allowed into the
building to do any work.

Rhodes, who has focused on computer security, privacy and e-commerce
in his 11 years at the GAO, says a lot of companies unwittingly put
sensitive information up for grabs. Some companies list employees by
title and give their phone number and email address on the corporate
Web site. That allows a hacker to call an office worker and say Sally
Jones in the Denver accounting office wants you to change my user ID.  
Or Rhodes says a company may put ads in the paper for high-tech
workers who trained on Oracle databases or Unix servers. Those little
bits of information help hackers know what kind of system they're
tackling.

Brian Dunphy, director of analysis operations at Alexandria, Va.-based
RipTech Inc., a security analyst and consulting firm, says when they
do risk assessments for their corporate customers it's a given that if
they use social engineering, they'll be able to break in.

"It's never been much of an effort to exploit social engineering and
get in," says Dunphy. "Companies may request that we use social
engineering. We really only do it for the non-believers."


