Another concern is help desk staff not validating user requests. The help desk is often the first line of defense, but it is often the first place that is attacked as well. Be it a rogue insider or someone like me hired to find the holes in the information systems, all it takes is guessing or otherwise enumerating valid user names (it is really easy to do with the right network tools) and then calling the help desk to have any given user’s password reset. This works especially well when calling from the user’s phone at their desk!
There is also the problem of users peeking at malware-infested USB drives and CDs they find lying around. This is an easy one: a social engineer installs a backdoor or keylogger program that automatically runs from a USB drive or CD when it is inserted. He drops off the drives/disks around the building. Curious users pick them up and insert them into their work computers and the fun begins. All of a sudden, passwords, files, screenshots, databases and more are copied right off your computers and sent offsite for further abuse.
Lots of people want to be seen and heard, and the Web is just the place to do it. From social networking sites such as LinkedIn, Plaxo and Facebook, to blogs and articles scattered about the Web, many people do not realize just how much personal information they are divulging. Combine this with public records search sites, and a savvy social engineer can easily glean the information needed to access personal e-mail and Web site accounts.
Finally, e-mails and Web pages are chock full of malicious intent. From users clicking on e-mail solicitations and being “phished,” to rogue sites, to search engine queries leading to malware-infested Web pages, to attackers posting misleading messages and malicious links via compromised MySpace or Facebook accounts — social engineering has entered a new phase of exploitation. And people are falling for it. Sadly, I hardly see any controls in place to prevent these types of attack.
Once a social engineer has gained entry into your computing environment (be it onsite or offsite), anything is fair game. The attacker can gain access to unprotected databases and make queries to extract sensitive information. He can exploit missing patches on servers or critical workstations and gain a remote command prompt with full administrative rights. He can install malware on computers with screens that do not lock. He can guess simple passwords (yes, sadly people still use those!) and gain access to network files. He can gain control of your security cameras — sometimes entire data center control systems — to monitor things and erase video snippets to cover his tracks. Once a social engineer is inside your systems, he has full access to a lot of things you probably do not want him accessing.
What You Can Do
Want to prevent social engineering? Well, you can’t — completely. It is the oldest scheme there is and no amount of security awareness, policies or technical controls is going to keep it from happening. So, what’s the next best thing? Do what you can — put reasonable controls and processes in place and remain confident of a positive outcome. But you cannot stop there.
The only way you will ever know where you are vulnerable and what level of risk is being introduced into your business (both now and in the future) is to find out first-hand. Perform social engineering tests internally or hire someone from the outside. When you find areas of risk that can be directly exploited and place information assets in imminent danger, you know that the likelihood of exposure is high; therefore, the risk should be addressed immediately. The next level of risk consists of things that cannot necessarily be exploited directly but could be if enough things fall into place. Your largest number of risks will likely fall into this category. Do not ignore them. Finally, if you come across things that cannot be exploited but still come across as a potential weakness, then address them when you can, because they may get worse.
Whatever you do, just do something. The risk of social engineering attacks is there — you just have not quantified it yet.
Kevin Beaver is an independent information security consultant with Atlanta-based Principle Logic LLC, where he specializes in performing independent information security assessments. He is also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. He can be reached at firstname.lastname@example.org.