Hacking-101.com

(penetration testing) + (sql injection) = foobar

Archive for February, 2008

How To Protect Yourself Against Social Engineering (Part 2)

February 23, 2008 By: Jason Category: Cracks and Attacks

In a previous post I went into further detail about what social engineering is and the major types of social engineering that are employed today.

Safeguards That Protect Against Social Engineering
There’s a lot to be said for the phrase “An ounce of prevention is worth a pound of cure,” and this holds especially true with regard to social engineering.

Prevention is the key to defending against social engineering. In many cases it’s impossible to determine whether someone is attempting social engineering attacks against your organization, because many of the things an attacker asks for are innocuous on their own and don’t necessarily stand out as sensitive information to an employee.

Training, Training and More Training
Employees should be taught what social engineering is, what the common attacks look like, and what sort of information is safe to discuss with non-employees. Refresher Information Technology training should be conducted at least yearly to ensure that employees continue to be vigilant about computer security.

One of the best training examples I ever used was to tell stories about successful social engineering attacks I’d performed during my security assessments. It’s quite an eye-opener to find out the sort of information people willingly disclose to people they barely know.

What About Customer Service?
We live in a customer-service-oriented world. Everywhere you turn, people are greeting you and, hopefully, being helpful. One negative side effect is that no one wants to tell the customer “no.” We’re always focused on being helpful and giving the customer what they want.

It is possible to strike a balance: have a positive and helpful attitude, but still protect the company and its assets. First, employees must know what information they cannot give out. Examples of this are:

  • Usernames and passwords to computer systems
  • Specific or probing questions about information systems
  • PIN codes or access codes
  • Organizational Charts of any kind
  • Telephone directories

When asked for these types of information, employees should be trained to either redirect the question or politely notify the person asking that the information is sensitive and cannot be provided. Any real customer will understand this. If the person asking escalates the situation, the employee should know who to call for more help.

The dangers of social engineering are real. Not only do hackers use it to gain access simply to prove that they can; companies have also been known to use these techniques to perform corporate espionage on competitors. A well-documented training plan, along with detailed incident response procedures, can prevent social engineering attacks or minimize the impact of a successful one.

How To Protect Against Social Engineering

February 20, 2008 By: Jason Category: Cracks and Attacks

In a previous post I touched on the dangers of social engineering. Social engineering is the process by which a hacker builds a rapport with trusted individuals to gain access to restricted systems.

How Serious Is Social Engineering?
Social engineering comes in many shapes and sizes, and no company is immune. In larger companies there’s more of a chance that social engineering attempts will go undetected. Smaller companies benefit from a close-knit community of employees and a customer base that tends to be smaller as well.

Larger, more disparate environments may suffer from a non-centralized security staff, a client base that is spread out with no face-to-face interaction, and a scattered management staff with policies that differ from the rest of the company. A lack of common operating and incident-handling procedures minimizes the effectiveness of any Information Technology policy.

To further complicate things, social engineering is hard to detect. Unless someone from the IT staff is actually contacted, or users are extremely savvy, most attacks may go unnoticed. Social engineering attacks come in so many different flavors that there’s not really a one-size-fits-all approach to detecting and deterring them.

Types of Social Engineering Attacks
Let’s break this down into two different areas: operational attacks and technical attacks. They overlap a little, but they are two separate and distinct entities.

Operational Attacks
Operational attacks are phone calls, emails and maybe even faxes that do two things: build trust and ask for information. A skilled social engineer will take his or her time and not jump to the really difficult questions until they have spent time building a groundwork and rapport with employees. Only after they have gathered a significant amount of preparatory information will the attacker ask for more detailed information, or maybe even favors, like a trip to see the datacenter or the server room.

Technical Attacks
Technical attacks require little human interaction. These attacks are really just gaming the system to gather information. Many times these technical attacks will precede an operational attack. An example of a technical attack would be calling the voicemail system of any business and enumerating names, phone numbers and job descriptions.

Next I’ll tell you ways you can protect yourself against these attacks.