It’s another typical day in the office and you find yourself minding your own business in your work area. All of a sudden, the office phone rings, displaying an unfamiliar number. You answer it, and the voice on the other end of the line introduces himself as an agent from a credit card company. In an overly friendly tone, he asks for your colleague’s name, address, and contact number. Will you give it?

Let’s say that, after hanging up the phone, you decide to check your email inbox. You find a new message telling you to log in to the company’s webmail by clicking the embedded link. Will you log in?

While on your way to the company’s pantry, you encounter a building repairman asking for access to the company premises. He says that there is a leak in the water pipe and an emergency repair is necessary. Will you let him enter the premises?

These scenarios may be common in our daily corporate life, but you have to ask yourself: Are all of these legitimate? Or did you just become one of the victims of social engineering?
Social engineering defined

Though the topic of social engineering is widely discussed in books, articles, and online forums, many are still unaware of the term social engineering -- the danger it presents and the manner in which it is performed.

In an informal survey, random respondents were asked about their understanding of the term “social engineering.” Answers varied widely: some of the respondents related social engineering to a movement for social change; others thought it was a course offered in college.

Social engineering is defined in two different contexts:

In political science, social engineering is the discipline that relates to the efforts of governments or private groups to influence the acceptance or rejection of individual attitudes and behaviors on a large scale through the implementation of laws, prohibitions or propaganda.

For security consultants, social engineering is the art of manipulating unsuspecting individuals into performing certain actions for the purpose of obtaining sensitive information or access to the company’s critical network infrastructure. It is the kind of intrusion that relies mainly on human interaction and trickery to break the normal and established security protocols.
Social engineering and human vulnerabilities

What makes us human is our inherent nature to extend help to those who are in need, and to trust people whom we perceive as credible and trustworthy individuals.

Unfortunately, social engineering can be used to exploit this trust.

According to Ashish Thapar, a certified information systems security professional (CISSP) and the author of a whitepaper on social engineering, the human traits that are most vulnerable to social engineering attacks are as follows:
Tendency to trust
Willingness to help
Ignorance of the value of information
Eagerness to receive rewards
Fear of incurring losses
Appeal to authority
Carelessness

Taking these into consideration, it would be easier for a professional social engineer to take advantage of a person and get him or her to perform actions that may compromise a system or sensitive information.
Social engineering tactics

The techniques and tactics used in these social conquests depend upon the creative mind of the social engineer. Their tactics are also constantly changing to keep up with the fast pace of society’s technological advancement.

Over time, many social engineering techniques have been developed, orchestrated, and performed that have resulted in several compromised network infrastructures. The following are just some of the more common techniques and tactics perpetrated by social engineers (as listed by Thapar):

Pretexting – Pretexting or impersonation is done by using a reason, event, or scenario to persuade the victim to divulge information or perform actions for the attacker. Pretexting is often done through telephone calls.
Dumpster diving – This is performed by examining the victim’s trash, usually the unshredded documents in the trash bin, to retrieve confidential information.
Observation or spying activities – By secretly observing a person while he is keying in his credentials (e.g., username and password) on the keyboard, or by listening in on a conversation, an attacker can gather much-needed information.
Phishing – Commonly, this comes in the form of an email that appears to be from a legitimate business. The email contains a request for the recipient to click a link to “verify” the user’s information. If the link is clicked, the user is directed to a fraudulent, albeit legitimate-looking, webpage of the business that asks for the user’s login credentials, e.g., username and password.
Spam mails – These are emails with a file attachment that promise gifts, discounts, and other enticing offers to the recipient. If opened, unauthorized programs such as viruses, Trojans and worms are executed and can infect the company’s entire network.
Spyware or malware – These are programs disguised as an interesting or useful program, or as a crack for expensive commercial software. When the victim downloads and installs the program on his computer, the program gathers or records information such as passwords, caches, cookies and even keystrokes, and sends it to the attacker at some point in time (as configured in the program).
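The phishing tactic described above (an email urging the recipient to click a link to “verify” information, where the link leads to a look-alike page) can be screened for mechanically. The following is an added example, not code from the original brief or from Thapar’s whitepaper: it parses a constructed sample message and flags the indicators a mail filter or an awareness exercise would look for. The lure-word list, the sender and link addresses, and the indicator wording are assumptions.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

LURE_WORDS = ("verify", "confirm", "suspended", "urgent")  # assumed lure list

class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(value):  # lower-cased hostname of a URL or bare domain ('' if none)
    return (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()

def phishing_indicators(raw_message):
    """Return indicator strings found in one single-part RFC 822 message."""
    msg = message_from_string(raw_message)
    sender_host = _host(msg.get("From", "").split("@")[-1].strip("> "))
    subject = msg.get("Subject", "").lower()
    found = [f"lure word in subject: {w}" for w in LURE_WORDS if w in subject]
    collector = _AnchorCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        link_host = _host(href)
        if link_host.replace(".", "").isdigit():  # link goes to a bare IP, not a name
            found.append(f"link points at a raw IP address: {link_host}")
        if "." in text and " " not in text and _host(text) != link_host:
            found.append(f"link text '{text}' hides a different host: {link_host}")
        if sender_host and link_host and not link_host.endswith(sender_host):
            found.append(f"link host {link_host} does not match sender {sender_host}")
    return found

# Constructed sample: a "verify your account" lure whose visible link text names the company webmail while the href goes elsewhere.
SAMPLE = """From: IT Helpdesk <helpdesk@example.com>
Subject: Urgent: verify your webmail account
Content-Type: text/html

<p>Click <a href="http://192.0.2.10/login">webmail.example.com</a> to verify.</p>
"""
```

Run `phishing_indicators(SAMPLE)` to see the five indicators raised for the sample; a plain internal notice with a link into the sender’s own domain returns an empty list.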
Impact of social engineering

As defined by the standard (ISO 27001), “Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.” Organizations spend millions and millions every year acquiring the most up-to-date hardware and software just to protect their vital information. However, even the most sophisticated security technology may be compromised using the oldest play in the book – social engineering.

Social engineering targets the weakest link in the organization’s information security chain: its people. And when security awareness and good security practices are lacking in an organization, social engineering is likely to succeed.
Social engineering prevention

There are many safeguards that can be adopted to prevent the people in an organization from becoming prey to social engineering. These safeguards may take the form of documented policies, employee awareness, training, and comprehensive assessment procedures.

Information technology security policy

One of the safeguards that an organization can employ is to create an Information Technology (IT) security policy. An IT security policy sets the ground rules for the security practices of the organization. This document contains the objectives, purpose, policy statements, personnel responsibilities, and the security measures and protections for the proper handling of IT resources.

The organization can also include in its security policy procedures and guidelines covering the following items:
Acceptable use of IT resources
User account management
Change management
Disaster recovery
Incident management
Network settings or configuration
Password
Physical security
Privacy security
Software version control
Virus protection
Intrusion prevention and detection
Network/logical access
Use of portable devices
System development
Monitoring and reporting
Security assessments

Assessment of the organization’s security strengths and weaknesses can be carried out by performing periodic security audits and compliance reviews. Through these methods, the organization can identify the risk areas with regard to threats from external and internal factors, and properly coordinate responses from its people to safeguard the company.

Security awareness training and workshops

The primary targets of social engineering activities are the employees of the organization. Hence, it is important for employees to be educated about the threats and methodologies associated with social engineering activities.

One way to do this is to maintain a security awareness bulletin that informs employees about these kinds of activities. Another way of educating employees is through training and seminars. Many of today’s IT consultants provide training and workshops that include social engineering.

More than a buzzword, social engineering poses a real threat to organizations. Knowing the different aspects of social engineering and educating employees on the subject (techniques, medium, and safeguards) can go a long way towards thwarting information exploitation attacks targeted at your organization.
Ross de Vera, CPA, CIA, is a Lead Consultant with the Advisory Services Division of Punongbayan & Araullo.

Executive Brief – September 2012
Punongbayan and Araullo