Social engineering is not a new phenomenon. Military regimes in particular have long used the technique to counter enemy tactics. The controversial murder of Alexander Litvinenko (former lieutenant colonel of the Russian Federation’s Federal Security Service), for example, showed some classic elements of social engineering.
Social engineering is a form of crime that exploits human nature. The concept, which primarily originated from the 1991 movie War Games, concentrates on human psychology, widely regarded as the weakest link in the computer security chain. It is a crime that targets basic human traits: employees tend to be helpful and can easily be influenced into forming trusted relationships. This creates vulnerabilities which social engineers are adept at manipulating.
Research has shown that individuals tend to associate certain behaviours and appearances with known roles. For instance, when a man dressed in a white suit rolls a goods cage up to the door, people will hold the door open for him because they take him to be the authorised delivery person.
How, then, are social engineering attacks carried out, and is there a set pattern to them? The approach rests on the basic element of trust. Once trust is established, the social engineer skilfully tries to extract crucial information.
Research among SMEs
At the University of Portsmouth we have been carrying out research on social engineering in conjunction with several SMEs in the UK. The research borrows from the fundamental concept outlined in former hacker Kevin Mitnick’s own work, applying a penetration strategy to identify vulnerable information security standards.
During the research, the SMEs involved were asked to identify the social engineering threats to which they were most vulnerable. Most of the companies surveyed considered authority and trust-based relationships to be the human tendencies most open to exploitation. Let’s look at each in turn.
To add the element of authority and intimidation, social engineers tend to assume the identity of an important employee. People will ‘perform’ an ‘out of character’ act for someone they perceive to be in a position of authority. For example, a hacker posing as the director of the ICT department can persuade new members of staff to change their password, creating a sense of urgency by claiming that they need immediate access to the resources for an important meeting.
In this type of attack, the target is led to believe that they are the decision-maker, and that their decision could result in the failure or success of the project in question.
In his book The Art of Deception, Mitnick writes: “I have never asked anyone for his or her password”. Most of the time he has ‘survived’ by building a trust relationship, thus creating a sense of security between himself and the victim. This has resulted in the victim offering valuable information without even realising its importance. The recent incidents of call centre operatives in India divulging client account details over a bottle of beer are a prime example of this type of activity.
Mastering the art
Social engineering is far from an easy task. It demands continuous practice and trial-and-error scenarios. Engineers will read books about body language, voice control and group dynamics. They are experts at understanding the individual personality types that are evident through body language and vocal ‘vibes’. They practise observing these conscious and subconscious traits in others and in themselves.
Drawing on these traits, the main techniques identified during the research were dumpster (or bin) diving, intelligence derived from job advertisements and key logging.
The research showed that, compared with multinational organisations, SMEs did not carry out any stringent background checks on people with unrestricted access to their bins and shredders, and had no proper procedures for the disposal of sensitive information. A lack of guidance and appropriate policy was also noted for employees working from home (in other words, official documents ending up in the household bin rather than the shredder).
The study also showed that job advertisements placed by companies provide useful intelligence for social engineers. For instance, an advert for a database programmer or marketing assistant could imply several possibilities – that these are new positions (with the advert detailing sensitive information on the IT systems in use) or that they are designed to replace members of staff who are about to leave (or who have already left).
Armed with this ‘cyber intelligence’, the social engineer can review archived copies of the target company’s web site through www.archive.org to find the names of former employees and learn about their skills in order to gain access. Research has shown that social networking sites like Hi5 and MySpace are regarded as the ‘best source’ for finding vulnerable employees.
Hardware key loggers
In addition, the survey noted that hardware key loggers pose a serious security threat to SMEs (approximately 45% of the companies surveyed had been victims). This is mainly because of the effort needed to identify them: they are virtually undetectable by software, sit out of sight behind the workstation, and can only be found by manual inspection.
They can be placed with the help of ancillary staff: in one of the companies surveyed, the key logger was installed with the help of the cleaner.
The survey highlighted two salient issues relating to key loggers: employees showed a lack of knowledge concerning the threat and were not easily able to identify the key loggers; and employees were not checking the back of their workstations daily for potential key loggers.
Vulnerabilities to be overcome
Security professionals working for SMEs must scrutinise their company’s job postings to ensure that only the minimum information is given about the organisational structure. They should also create balanced security policies for remote workers (including procedures for the disposal of official materials), make sure internal web pages are only accessible via the intranet, and create awareness among employees of the threats associated with information posted on social networking web sites.
It is also essential to create an environment in which every employee at the organisation considers themselves a vital part of the overall security process. Employees should be trained to detect the early signs of social engineering attacks. Resistance or simulation training for key personnel working in the customer-focused areas of the business could play an important role in blunting the effectiveness of a concerted social engineering attack.
The classification of information and the implementation of appropriate security models – for example Bell-LaPadula and Clark-Wilson – should be prioritised. A risk assessment carried out before implementing these models will, however, enable the organisation to categorise its ‘product risk’ efficiently.
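To show what classification-based access control contributes against the ‘urgent request from the director’ pattern described earlier, here is an added illustration (not from the article or the Portsmouth study) of a minimal Bell-LaPadula style reference monitor. The levels, compartments and the payroll/newsletter scenario are constructed for the example; the point is that the decision depends only on the labels, never on who the requester claims to be.

```python
from dataclasses import dataclass, field

# Ordered classification levels; a higher number means more sensitive.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class Label:
    """Security label: a classification level plus need-to-know compartments."""
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        # Lattice ordering: higher-or-equal level AND a superset of compartments.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property: no write down, so sensitive content cannot flow into a lower document."""
    return obj.dominates(subject)


def decide(subject: Label, obj: Label, action: str) -> str:
    """Reference-monitor decision; the requester's claimed authority is never an input."""
    check = {"read": can_read, "write": can_write}[action]
    return "allow" if check(subject, obj) else "deny"


# Constructed scenario: a new starter with only 'internal' clearance is pressed by
# someone posing as a director to pull the HR payroll report.
NEW_STARTER = Label("internal")
HR_MANAGER = Label("confidential", frozenset({"hr"}))
PAYROLL_REPORT = Label("confidential", frozenset({"hr"}))
STAFF_NEWSLETTER = Label("internal")

if __name__ == "__main__":
    for who, label in (("new starter", NEW_STARTER), ("HR manager", HR_MANAGER)):
        print(who, "read payroll:", decide(label, PAYROLL_REPORT, "read"))
        print(who, "write newsletter:", decide(label, STAFF_NEWSLETTER, "write"))
```

The new starter is refused the payroll report however urgent the request sounds, and the HR manager cannot copy its contents into the lower-classified newsletter; the pressure tactic has no label to act on.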
There are no set guidelines that will eliminate social engineering completely. Only by way of appropriate education and training can we begin to minimise its effects.