Social engineering in a socially networked world

Feb. 23, 2010

Social engineering is the clever manipulation of the natural human tendency to trust. I believe that social engineering is the number one overlooked risk in security today. Social engineering is really just a sexy new term for something that is age-old: fraud. It's the idea of impersonating, masquerading or taking advantage of social behavior and people's good graces, and exploiting vulnerabilities in your environment.

When professionals analyze social engineering, they are really looking at a set of different fraud categories, because there is so much of it out there today.

The most common are:

Baiting: An attacker leaves a malware-infected floppy disk, CD/DVD-ROM, or USB flash drive in a location where it is sure to be found (bathroom, elevator, sidewalk, parking lot and, my favorite, the smoking area), gives it a legitimate-looking and curiosity-piquing label or internal ID, and simply waits for the victim to use the device. Maybe write something like "Executive Salary Q1 2010" on the front of the DVD case. Merely inserting the disk into a computer to see its contents can unknowingly install malware on it, likely giving the attacker unfettered access to the victim's PC and perhaps the targeted company's internal network.

Phishing: A technique of fraudulently obtaining private information. Typically, the phisher sends an e-mail that appears to come from a legitimate business. The e-mail usually contains a link to a fraudulent web page that seems legitimate with company logos and content and has a form requesting everything from a home address up to an ATM card's PIN.

Vishing: A technique using a rogue interactive voice response (IVR) system to recreate a copy of a bank's or other institution's IVR system. The victim is prompted to call the "bank" via a number provided in order to "verify" information. Typically the system rejects PINs and login information continually, ensuring the victim enters PINs or passwords multiple times and often disclosing several different passwords.

Pretext: A technique used to trick a business into disclosing customer information. Pretexting can also be used to impersonate co-workers, police, bank, tax authorities, or insurance investigators — or any other individual who could have perceived authority or right-to-know in the mind of the targeted victim. The pretexter must simply prepare answers to the questions the victim might ask. In some cases all that's needed is a voice that sounds authoritative or an earnest tone.

Quid pro quo: The attacker calls random numbers at a company claiming to be calling back from technical support. The attacker will "help" solve a problem (eventually they will hit someone with a legitimate problem) and in the process have the user type commands that give the attacker access or launch malware.

Diversion Theft: The deception has many facets, which include social engineering techniques to persuade legitimate admin or traffic personnel of a transport or courier company to issue instructions to the driver to redirect the consignment or load to a different location. Most companies do not prepare their staff for this type of deception.

Kevin Mitnick, who popularized the term 'social engineering', pointed out that it is much easier to trick someone into giving up a password for a system than to spend the effort to hack into the system.

Carl Herberger of Evolve IP said “One of the reasons this is such a problem is that it's behavior-based and emotion-based. In addition to that, the ownership around security in this space isn't obvious. It bridges the gap between the information security space as well as physical security.”

Bruce Schneier said in his book Beyond Fear: Social engineering will probably always work, because so many people are by nature helpful and so many corporate employees are naturally cheerful and accommodating. Attacks are rare, and most people asking for information or help are legitimate. By appealing to the victim’s natural tendencies, the attacker will usually be able to cozen what they want.

If security management wants people to think about security often, and the manager wants people to behave a particular way (like no tailgating, no credential sharing, no door holding) then the manager has to reinforce these VALUES regularly (think parenting). How does a child know what is important to the parents? Repetition, consequences and positive reinforcement are all parenting techniques that work well to modify behavior if applied consistently over the long run. One memo to your kids when they are six to keep their room clean will probably not produce consistent results over the long run. Similarly, business managers need to keep security as a regular topic. They need to provide the leadership to cause their staff to internalize the importance of the mission and to ensure each person understands what the specific expectations are for their behavior.

As the editor of SecurityInterviews.com I have an interest in other people's interviews in the security space. One of the best interviews in this regard, and frankly one I would have liked to have conducted myself: http://www.youtube.com/watch?v=8_VYWefmy34 but 60 Minutes beat me to it.

An interesting paper: FBI Social Engineering Manual Revealed! Federal Bureau of Investigation (FBI) Monograph: Pretexts and Cover Techniques - May 1956 - http://www.mitnicksecurity.com/FBI_Pretexts_and_Cover_Techniques_May-1956.pdf

- Chris Hills