We all use social engineering: when we try to get our kids to do their homework, cajole employees into doing a bit of extra work, or try to talk a traffic cop out of a ticket. However, hackers also use social engineering to get valuable information that allows them to penetrate IT systems.
Social engineering is a growing threat to IT security for two main reasons:
- Security consciousness is increasing and systems are being hardened, which makes standard hacking over the Internet more difficult.
- Social engineering is easier than it used to be because the current business environment involves many new employees and temp workers, who can easily be targeted by hackers impersonating fellow employees. From a more paranoid standpoint, some of these new hires or temps may even be hackers themselves, who will be around only long enough to gather information they can use to attack the IT infrastructure.
Understanding the social engineering threat
Although it may appear to be a recent trend, social engineering is actually one of the oldest successful hacking methods and was addressed by one of the earliest CERT Security Bulletins, CA-1991-04 Social Engineering.
Long before that, back when computers were young, hackers routinely talked their way into computer departments at major universities such as MIT and Caltech. Since this was before the widespread use of the Internet and predated the practice of connecting dial-up modems to most computers, social engineering was essentially the only way hackers could gain access to the hulking mainframe monsters that held such fascinating technology mysteries.
Today, social engineering attacks can take a number of different forms. Let's take a look at some of the most common scenarios: Help desk attacks and phone attacks, as well as how to test your defenses.
Help desk attacks
Help desks are the main target for a direct social engineering attack for a couple of reasons. First, help desk personnel are supposed to be accommodating. Second, they have a lot of critical information to give out. These employees hear the same problems day after day and offer help based on some reference documentation, which may well include a list of usernames and passwords. And the documentation will almost certainly cover how to log on to the network, spelled out in excruciating detail.
Here's a simple procedure that will eliminate most of the problem: Have help desk workers take down the details of requests, and if the question is anything potentially more dangerous than "Where's the [Delete] key?", make sure that they don't give the requested information immediately. Instead, have them call the person back at an authorised home or office number taken from the company directory (never a number the caller supplies), so that they know for sure who's getting the information. It's also a good idea to give all legitimate users a separate verification password, distinct from any system password, to prove their identity on that callback, and to have a special procedure for any requests involving passwords, since those are what an attacker is really after.
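The procedure above can be turned into a gate that the help desk's ticketing tool enforces rather than relying on each worker to remember it. The following is an added example, not code from the original article: it classifies a request, looks up the callback number in a (constructed, hypothetical) directory rather than trusting the number the caller gives, checks a separate verification password on the callback using a constant-time comparison, and hands anything involving passwords off to a dedicated procedure. The usernames, phone numbers and secrets are made up for the example.

```python
"""Help-desk request gate: enforce take-details, call-back, verify before release."""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    ANSWER_NOW = "low-risk question: answer immediately"
    CALLBACK = "take details; call back at the directory number and ask for the verification password"
    RELEASE = "caller verified on callback; information may be released"
    PASSWORD_PROCEDURE = "password request: hand off to the dedicated password procedure"
    REFUSE = "caller not in directory; refuse"


@dataclass
class Decision:
    action: Action
    callback_to: Optional[str]   # number the desk dials, always from the directory
    ticket_note: str             # what gets written on the ticket


def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed sample directory (hypothetical users, numbers and secrets).
# Each user has a separate verification password, stored only as a hash.
DIRECTORY = {
    "jsmith": {"phone": "+1-555-0100", "secret_hash": _digest("blue-giraffe-17")},
    "mlee":   {"phone": "+1-555-0142", "secret_hash": _digest("quiet-harbour-3")},
}

# Keyword lists are deliberately simple; an unrecognised question is treated as sensitive.
PASSWORD_TOPICS = ("password", "reset my", "unlock my account")
SENSITIVE_TOPICS = ("log on", "logon", "login", "network", "vpn", "server", "dial-in", "ip address")
HARMLESS_TOPICS = ("delete key", "keyboard", "printer", "monitor")


def classify(question: str) -> Action:
    q = question.lower()
    if any(t in q for t in PASSWORD_TOPICS):
        return Action.PASSWORD_PROCEDURE
    if any(t in q for t in SENSITIVE_TOPICS):
        return Action.CALLBACK
    if any(t in q for t in HARMLESS_TOPICS):
        return Action.ANSWER_NOW
    return Action.CALLBACK


def directory_number(username: str) -> Optional[str]:
    """The only source of a callback number is the directory, never the caller."""
    entry = DIRECTORY.get(username)
    return entry["phone"] if entry else None


def verify_secret(username: str, supplied: str) -> bool:
    entry = DIRECTORY.get(username)
    if entry is None:
        return False
    # constant-time comparison of hashes so timing does not leak how close a guess was
    return hmac.compare_digest(entry["secret_hash"], _digest(supplied))


def handle_request(username: str, question: str, caller_number: str,
                   secret_on_callback: Optional[str] = None) -> Decision:
    """caller_number is what the caller claims; it is logged but never dialled.
    secret_on_callback is the verification password given when the desk calls
    back at the directory number (None until that call has happened)."""
    action = classify(question)
    if action is Action.ANSWER_NOW:
        return Decision(Action.ANSWER_NOW, None, f"answered directly; caller gave {caller_number}")
    number = directory_number(username)
    if number is None:
        return Decision(Action.REFUSE, None, f"{username} not in directory; caller gave {caller_number}")
    note = f"caller gave {caller_number}; desk dials directory number {number}"
    if action is Action.PASSWORD_PROCEDURE:
        return Decision(Action.PASSWORD_PROCEDURE, number, note)
    if secret_on_callback is not None and verify_secret(username, secret_on_callback):
        return Decision(Action.RELEASE, number, note + "; verification password OK")
    return Decision(Action.CALLBACK, number, note + "; not yet verified")


if __name__ == "__main__":
    for d in (
        handle_request("jsmith", "Where's the Delete key?", "+1-555-9999"),
        handle_request("jsmith", "How do I log on to the network from home?", "+1-555-9999"),
        handle_request("jsmith", "How do I log on to the network from home?", "+1-555-9999", "blue-giraffe-17"),
        handle_request("nobody", "What is the VPN server address?", "+1-555-9999"),
        handle_request("mlee", "I forgot my password", "+1-555-0142"),
    ):
        print(d.action.value, "|", d.ticket_note)
```

The point of the design is that nothing the caller says on the inbound call changes which number gets dialled or what counts as proof of identity: the callback number comes only from the directory, the secret is checked only on the callback, and a password request never reaches the "release" branch at all.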