Social Engineering
Latest revision as of 12:13, 6 August 2008
Social engineering is a method of fraud and intrusion that exploits human nature rather than technical flaws to obtain information. If an attacker can talk a person into giving away information, there is no need to write a program or break in to take it by force; persuading someone is usually simpler and faster than stealing the same data with an exploit or a password cracker.
Defending against social engineering requires the people who guard information to be proactive. An antivirus program can passively scan a computer for malware on its own, but no software can sit in on a conversation and spot a con; the human must actively recognize the tricks being used against them. Over the years, general guidelines for companies and employees have been developed to provide the knowledge needed to stay alert to social engineering attempts.
STUDY GUIDE
This study guide covers security precautions against social engineering. The main Security Precautions study guide is at http://ethics.csc.ncsu.edu/risks/security/precautions/study.php.
Tactics and Methods
There are many ways of using social engineering to obtain confidential information such as passwords and private data. All of them work through some medium in which the attacker converses with the victim, directly or indirectly, and all of them depend on a response from the victim: that response is usually the information the attacker was after.
Although social engineering is frequently carried out through electronic media, it works just as well in person, on paper or over the telephone; any channel that lets the attacker communicate with the victim will do. It succeeds because it exploits predictable human weaknesses, whether through flattery, impersonation, urgency or greed, which is why some regard it as applied psychology as much as a hacking technique.
Social engineering can be extremely simple to perform yet have severe consequences. There are published accounts of how hackers have used it in very simple ways (http://news.cnet.com/8301-1009_3-9995253-83.html). Kevin Mitnick (http://en.wikipedia.org/wiki/Kevin_Mitnick), a renowned hacker and early practitioner of social engineering, was once described as the most dangerous hacker in America; prosecutors reportedly argued at a bail hearing that he could start a nuclear war simply by whistling into a telephone. The claim was never substantiated, but it shows how seriously the threat was taken.
Phishing
The main way of getting a victim to hand over electronic information voluntarily is phishing (http://en.wikipedia.org/wiki/Phishing). Like social engineering in general, phishing can be performed over various electronic and physical media. In general terms, phishing is pretending to be a legitimate party that you are not. Once the victim believes they are dealing with the genuine source, they will supply whatever that source would normally require of them: account numbers, usernames, passwords, or even Social Security numbers.
E-mail is the major phishing medium, and the bank-and-customer scenario is extremely common. The attacker sends the victim an e-mail stating that some account information must be updated. The message is made to look exactly like mail the victim may have received from the bank before, and it insists that they log in and update their details as soon as possible. The link, however, does not lead to the bank's website but to a server the attacker has set up to collect the information, styled to look exactly like the real site. The visible link text may even show the bank's own address while the underlying target points somewhere else entirely. Once the victim types in their login details, the attacker has everything needed to use the real account.
Phishing is also performed over the telephone (sometimes called vishing), with the caller posing as a representative of some company and requesting account details. The attacker may already know some basic facts about the victim and quote them to appear legitimate. Victims rarely question the caller's authority and hand over what is asked for, which the attacker then uses for identity or property theft.
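The bank e-mail scenario above can be checked mechanically. The following is an added example, not code from the original wiki page: it parses the links in an HTML message and flags the tells described above, namely a link whose visible text names the bank while its real target is another host, and look-alike domains built from the bank's name. Everything in it is constructed for the example; examplebank.com stands in for the legitimate bank and SAMPLE_EMAIL is a made-up phishing message.

```python
"""
Added example, not from the original wiki page: inspect the links in an
HTML e-mail for the bank-phishing tells described above, namely a link
whose visible text names the bank while its real target is another host,
and look-alike domains built from the bank's name.

Everything here is constructed for the example. 'examplebank.com' stands
in for the legitimate bank and SAMPLE_EMAIL is a made-up phishing message.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Digits that attackers substitute for look-alike letters (examp1ebank -> examplebank).
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a host name ('a.b.example.com' -> 'example.com').
    Good enough for this example; production code should use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def fold_homoglyphs(host: str) -> str:
    """Normalize common character substitutions so examp1ebank.com reads as examplebank.com."""
    return host.lower().replace("rn", "m").translate(_HOMOGLYPHS)


def displayed_host(text: str) -> str:
    """Host named by the visible link text, or '' if the text is not URL-like."""
    t = text.strip()
    if "://" not in t:
        if not re.fullmatch(r"[\w.-]+\.[A-Za-z]{2,}(/\S*)?", t):
            return ""
        t = "http://" + t
    return (urlparse(t).hostname or "").lower()


def link_flags(href: str, text: str, legit_domain: str) -> list:
    """Phishing indicators for one link; an empty list means the link targets the real bank."""
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if registrable_domain(host) == legit_domain:
        return []
    flags = []
    shown = displayed_host(text)
    if shown and registrable_domain(shown) != registrable_domain(host):
        flags.append("display_mismatch")          # text names one host, href goes to another
    if legit_domain.split(".")[0] in fold_homoglyphs(host):
        flags.append("lookalike")                 # bank's name embedded in an unrelated domain
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        flags.append("bare_ip")                   # a bank does not link to a raw IP address
    if parsed.scheme == "http":
        flags.append("no_tls")
    return flags


def analyze_email(html: str, legit_domain: str) -> list:
    """Return one {'href', 'text', 'flags'} record per link in the message."""
    extractor = _LinkExtractor()
    extractor.feed(html)
    return [{"href": h, "text": t, "flags": link_flags(h, t, legit_domain)}
            for h, t in extractor.links]


def is_suspicious(html: str, legit_domain: str) -> bool:
    """True if any link in the message carries at least one indicator."""
    return any(r["flags"] for r in analyze_email(html, legit_domain))


# Constructed sample: two hostile links and one genuine one.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been locked. Please go to
<a href="http://secure.examplebank.com.account-verify.net/login">https://secure.examplebank.com/login</a>
to restore access within 24 hours.</p>
<p>Or visit <a href="http://examp1ebank.com/">our website</a>.</p>
<p><a href="https://www.examplebank.com/help">Help center</a></p>
"""

if __name__ == "__main__":
    for rec in analyze_email(SAMPLE_EMAIL, "examplebank.com"):
        print(rec["href"], "->", rec["flags"] or "ok")
```

The first link is caught twice over: its text claims secure.examplebank.com but its registrable domain is account-verify.net, and the bank's name appears only as a subdomain prefix. The second link hides a digit one in place of the letter l. The third link really does point at the bank and produces no flags, which is the behaviour a mail filter needs so that genuine bank mail still gets through.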
Pretexting
Pretexting (http://www.ftc.gov/bcp/conline/pubs/credit/pretext.shtm) is the use of an invented scenario, the pretext, together with whatever is already known about the victim to obtain further information or to act in the victim's name. Each small piece of information gained makes the next request more convincing. Once enough has been collected, the attacker can obtain credit as the victim, make purchases as the victim, or alter the victim's records.
The goal of pretexting is to convince someone that you are the victim. That may be done by proving you know the victim's name, address, phone number and Social Security number, or by using a username and password obtained earlier through phishing.
Trojan Horse
A Trojan horse (http://www.tech-faq.com/trojan-horse-virus.shtml) is a technological form of social engineering. It fools not only the victim into believing it comes from a legitimate source but also the victim's computer. A Trojan horse is a program that appears to perform a legitimate function while collecting sensitive information or stealing data in the background. The name comes from the ruse the Greeks used to enter Troy: a gift horse with soldiers hidden inside, an ancient example of social engineering.
More specifically, a gimme is a kind of Trojan horse that relies on social engineering and travels with spam or phishing. The victim receives a pop-up or e-mail advertisement for software that would supposedly benefit them. Out of curiosity, and because the program seems harmless, the victim installs it. The software may even work as advertised, but in the background it harvests account information and other confidential data.
In this case it is a computer program rather than a person that pretends to be something it is not; the pretexting has been automated.
Security, Precautions, and Defenses
There are many precautions and defenses against social engineering, but users are rarely educated in them. They include rigorous identity verification, minimizing the number of people with access to sensitive information, and lowering the default level of trust extended by those who control it. Many companies have developed security policies and guidelines that employees should follow to reduce the risk of social engineering.
Proactive Social Defenses
SANS has a brief guide (http://www.sans.org/reading_room/whitepapers/engineering/511.php) for employees on maintaining a proactive awareness of social engineering. As part of proactive defense, a company should develop a detailed policy on security and data release that states who may release information, what information they may release, and to whom it may be released.
Access to any secured area or piece of information should go through a defined approval process, and the defense is to always apply that process rather than leaving the requester unchallenged. The company should have a designated help desk and support center that knows the data-release policy, and requests for items such as employee IDs, account information and passwords should always be challenged according to it. Verification should use a channel the requester does not control, such as calling back a number already on record, because an attacker can supply any phone number or e-mail address they like.
By spelling out who may release information and which information may be released, a company minimizes the number of breaches through social engineering. Social engineering usually succeeds precisely because there is no pre-set rule for the unusual requests that social engineers exploit.
Employee Training
Since human beings are the reason social engineering works, the employee is the first line of defense. Training on case studies (http://techrepublic.com.com/5208-6230-0.html?forumID=102&threadID=232696) shows employees how easily it succeeds. Training employees to lower their default trust and not to take requests for information at face value discourages attackers from pressing further. If in doubt, an employee should never give out confidential information but should pass the request to the next person in the chain of command.
Security Software and Electronics
Since the goal of social engineering is to bypass technical security barriers, there are few electronic or software means of stopping it. One way to reduce the risk is to have strict identity verification in place that resists counterfeiting and impersonation. Social engineering is easy because it is easy to appear legitimate; if identity were scrutinized at both the human and the electronic level, a false identity would be much harder to pass off.
In addition, companies can install filtering software (http://ca.com/us/securityadvisor/documents/collateral.aspx?cid=157506) that reduces the number of social engineering solicitations employees receive by e-mail and on the Web. By blocking known malicious sources, such software spares the employee from having to judge whether a message is legitimate at all, though it cannot catch a source that is not yet known.
Legal and Ethical Concerns
In the United States there are laws against pretexting and falsifying identity. The Gramm-Leach-Bliley Act (GLBA) (http://en.wikipedia.org/wiki/Gramm-Leach-Bliley_Act) makes it illegal to do the following:
- Falsify information or make false statements to obtain information from a financial institution or from a customer of that institution
- Use forged or stolen documents to obtain information from a financial institution or from a customer of that institution
- Ask another person to obtain information by either of the above means
In addition, the Federal Trade Commission Act (http://en.wikipedia.org/wiki/Federal_Trade_Commission_Act) prohibits pretexting for customer information.
Some Helpful Information
1. Why Are Security Precautions Necessary to Safeguard Against Social Engineering?
- In the United States, personal and financial identity is held digitally, and typical social engineering attacks aim to steal it. Victims can lose their credit and their ability to make purchases, and their reputation when seeking employment. The FTC offers tips on safeguarding your information (http://www.ftc.gov/bcp/edu/microsites/idtheft/). Never give out information unless you are certain of the source, and limit the amount of information you allow organizations to hold about you, since they too are vulnerable to hacking and social engineering that could expose your identity.
- Without precautions against social engineering, a skilled attacker could talk their way into nearly any system. Kevin Mitnick (http://en.wikipedia.org/wiki/Kevin_Mitnick) was famously said to be able to launch nuclear missiles from a telephone using social engineering, an exaggeration that nevertheless shows how seriously the threat is taken. Organizations and individuals must be aware of it and not take everything at face value.
- Social engineering attacks are not made only through electronic means. They play on human weaknesses and emotions, so individuals need to know the threats and tactics involved. Social engineers typically target trusting members of a company to obtain small pieces of information and work their way up, gaining more with each step. If you are alert to these threats, you are a better defender of your own identity, your employer and your clients.
- It is sometimes very hard to tell when you are being tricked. Employees in control of sensitive information must be trained rigorously to sense when a request is not what it seems.
2. Social Engineering Security Precautions Are Not Easy
- Since social engineering does not necessarily require any special technical skill, unlike hacking, it is open to any attacker who is adept at fooling people.
- It is hard to devise structured policies against the leak of confidential information through social engineering, and there is no single solution. A company must do the best it can to create useful policies for the release of sensitive data, and employees must also be aware of the methods and tactics social engineers use.
- Unlike hacking or theft by force, social engineering is elusive. Almost always, the victim has no idea that the information was given to someone posing as a legitimate source.
Useful Resources
Definitions and Descriptions of Social Engineering:
- Security Precautions (Old Project Page): http://ethics.csc.ncsu.edu/risks/security/precautions/
- Social Engineering Attacks: http://searchfinancialsecurity.techtarget.com/tip/0,289483,sid185_gci1294530,00.html
- Social Engineering: Hackers show how it is done: http://news.cnet.com/8301-1009_3-9995253-83.html
Defense and Tips against Social Engineering Attacks:
- Proactive Defense to Social Engineering: http://www.sans.org/reading_room/whitepapers/engineering/511.php
- Social Engineering Self-defense: http://techrepublic.com.com/5208-6230-0.html?forumID=102&threadID=232696
- Safeguarding Against Social Engineering: http://www.infosecwriters.com/text_resources/pdf/Social_Engineering_CRhodes.pdf
Current News and Information on Social Engineering:
- Why 2008 is the Year of Social Engineering and Malware: http://www.expresscomputeronline.com/20080728/securityspecial07.shtml
- Adobe Warns of Fake Flash Codec and Social Engineering Scam: http://www.vnunet.com/vnunet/news/2223358/adobe-warns-fake-flash-peddlers
- Phishing Attacks Hit Beijing Olympics: http://www.vnunet.com/vnunet/news/2223350/phishing-attack-hits-beijing-olympics
- Phishing Scam Hits Xbox Live: http://www.gamesdog.co.uk/news/news.phtml/7895/8919/Phishing-scam-hits-Xbox-Live.phtml
- Phishing Lures Dangled at Campus E-mail Addresses: http://www.coloradodaily.com/news/2008/jul/31/word-jump-line-here-phishing-lures-malicious-e/