Social Engineering

April 22, 2009
The big risk no one’s thinking about

What do sleazy salespeople and social engineers have in common? They are masters of ill-gotten gains. They try to milk you of valuable things you have taken for granted yet they can benefit from. How can you tell sleazy salespeople and social engineers apart? One thing is obvious — the other not so much. You know when you are about to be taken advantage of by a sleazy salesperson. Social engineers, on the other hand, are in and out without you even thinking about it. If there has ever been a predictable and consistent risk to sensitive information assets, it is social engineering. And there is no end in sight.

What It Is

Social engineering is nothing more than exploiting human beings for malicious purposes. In the context of information security, social engineering is used to gain entry into buildings, data centers, wiring closets and even the network itself in order to access systems and sensitive information. Social engineers are posers. They claim to be someone else in order to escalate their privileges and become a trusted part of your organization. Then, overly-trusting and gullible people facilitate their misdeeds. So do weak HR policies, IT processes and physical security controls. The Web has become an excellent facilitator of social engineering as well. From physical theft to identity theft — practically anything can happen as the result of social engineering and there is a lot riding on it from a business risk perspective.

We have all heard of social engineering. Some of us have even experienced it. It is sort of the dirty secret of information security yet it is often off the radar of management. You would think that something creating such a large risk to any given organization would get the attention of the right people. But it hardly happens. Even when controls are put in place, they are rarely enough to stop a good social engineer. Perhaps worst of all, the effectiveness of controls and procedures are never validated. They are put in place and left alone under the assumption that all shall be well. Hence the continuing cycle of exploitation.

Where You are Likely Weak

So how exactly is social engineering carried out to exploit weaknesses in your business? As with hacking, there are a million ways to do it. That said, it is typically the same set of simple oversights and weaknesses that create the foundation needed for a social engineer to take advantage. In my work performing security assessments, I see some really interesting things related to social engineering — many of which are really basic. That’s the thing about social engineering: it’s not any elaborate hacking of complex systems — it is taking advantage of human and procedural weaknesses that we do not think about.

For starters, employees are typically told what they can and cannot do with their computers, building access badges and so on. Everything from the employee handbook to new employee orientation looks nice and formal but it is not enough — especially since it is typically done once and forgotten about. Sure, employees are often the last line of defense against social engineering; however, telling employees what to do and not do is one thing, but expecting them to remain vigilant all day every day when they have a thousand other things going on is just not realistic. That is the fatal flaw.

There is also an assumption that just because a person is in the building that they are legit. Even if it looks like he or she is doing something out of line, there is a psychological phenomenon called bystander apathy that keeps people from intervening. People — your employees — become apathetic and believe that “it is not my business” and someone else surely knows that this is going on. This facilitates a lot of social engineering misdeeds.

Another concern is help desk staff not validating user requests. The help desk is often the first line of defense, but it is often the first place that is attacked as well. Be it a rogue insider or someone like me hired to find the holes in the information systems, all it takes is guessing or otherwise enumerating valid user names (it is really easy to do with the right network tools) and then calling the help desk to have any given user’s password reset. This works especially well when calling from the user’s phone at their desk!

There is also the problem of users peeking at malware-infested USB drives and CDs they find lying around. This is an easy one: a social engineer installs a backdoor access or keylogger program that automatically runs from a USB drive or CD when it is inserted. He drops off the drives/disks around the building. Curious users pick them up and insert them into their work computers and the fun begins. All of a sudden, passwords, files, screenshots, databases and more are copied right off your computers and sent offsite for further abuse.

Lots of people want to be seen and heard, and the Web is just the place to do it. From social networking sites such as LinkedIn, Plaxo and Facebook, to blogs and articles scattered about the Web, many people do not realize just how much personal information they are divulging. Combine this with public records search sites, a savvy social engineer can easily glean the information needed to access personal e-mail and Web site accounts.

Finally, e-mails and Web pages are chock full of malicious intent. From users clicking on e-mail solicitations and being “phished,” to rogue sites, to search engine queries leading to malware-infested Web pages, to attackers posting misleading messages and malicious links via compromised MySpace or Facebook accounts social engineering has entered a new phase of exploitation. And people are falling for it. Sadly, I hardly see any controls in place to prevent these types of attack.

Once a social engineer has gained entry into your computing environment (be it onsite or offsite), anything is fair game. The attacker can gain access to unprotected databases and make queries to extract sensitive information. He can exploit missing patches on servers or critical workstations and gain a remote command prompt with full administrative rights. He can install malware on computers with screens that do not lock. He can guess simple passwords (yes, sadly people still use those!) and gain access to network files. He can gain control of your security cameras — sometimes entire data center control systems — to monitor things and erase videos snippets to cover his tracks. Once a social engineer is inside your systems, he has full access to a lot of things you probably do not want him accessing.

What You Can Do

Want to prevent social engineering? Well, you can’t — completely. It is the oldest scheme there is and no amount of security awareness, policies or technical controls is going to keep it from happening. So, what’s the next best thing? Do what you can — put reasonable controls and processes in place and remain confident for a positive outcome. But you cannot stop there.

The only way you will ever know where you are vulnerable and what level of risk is being introduced into your business (both now and in the future) is to find out first-hand. Perform social engineering tests internally or hire someone from the outside. When you find areas of risk that can be directly exploited and place information assets in imminent danger, you know that the likelihood of exposure is good; therefore, the risk should be addressed immediately. The next level of risk consists of things that cannot necessarily be exploited directly but could be if enough things fall into place. Your largest number of risks will likely fall into this category. Do not ignore them. Finally, if you come across things that cannot be exploited but still come across as a potential weakness, then address them when you can, because they may get worse.

Whatever you do, just do something. The risk of social engineering attacks is there — you just have not quantified it yet.

Kevin Beaver is an independent information security consultant with Atlanta-based Principle Logic LLC, where he specializes in performing independent information security assessments. He is also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. He can be reached at [email protected].