Social Engineering: Difference between revisions
Line 43: | Line 43: | ||
===Employee Training=== | ===Employee Training=== | ||
Since the human being is the reason for social engineering exploits, the employee is the number one defense against attacks. By [http://techrepublic.com.com/5208-6230-0.html?forumID=102&threadID=232696 training the employees through examples], they gain an understanding of how easy it is for social engineering to work. By training to employees to reduce their trust value and not take request for information at face value, it will discourage the attacker to request any further information. If in doubt, the employee should never give out confidential information and bring it to the next person in command. | Since the human being is the reason for social engineering exploits, the employee is the number one defense against attacks. By [http://techrepublic.com.com/5208-6230-0.html?forumID=102&threadID=232696 training the employees through examples], they gain an understanding of how easy it is for social engineering to work. By training to employees to reduce their trust value and not take request for information at face value, it will discourage the attacker to request any further information. If in doubt, the employee should never give out confidential information and bring it to the next person in command. | ||
===Security Software and Electronics== | |||
Since the goal of social engineering exploits are to bypass technological and security barriers, there are few ways to stop social engineering through electronic and software means. One main way to combat and reduce the risk is to have, in place, strict identity verification technologies that combat counterfeit and impersonation attacks. Social engineering attacks are so easy because it is so easy to appear legitimate. If identify verification were scrutinized at both a human and electronic level, the legitimacy of identity would be much harder to prove. | |||
In addition, companies can install [http://ca.com/us/securityadvisor/documents/collateral.aspx?cid=157506 software] that will reduce the amount of social engineering solicitations that employees receive through e-mail and websites. By filtering out known threatening sources, this software can prevent the employee from even having to worry about making the decision of whether the source is legitimate. | |||
==Ethical and Legal Concerns== | ==Ethical and Legal Concerns== |
Revision as of 17:53, 23 July 2008
Social engineering a method of fraud and hacking that utilizes the humanity and nature of people to retrieve information from them voluntarily. By playing into the nature of the person, hacking through technological means is sometimes not necessary. If one can fool a person into giving away information voluntarily, then creating a program or hack to retrieve that information involuntarily is no required. Furthermore, it can be much simpler and efficient to get information from someone through social engineering than it would ever be to steal that information via a computer program or password cracker.
This form of forcing users to disclose information must be done through some human means. The point of social engineering is to utilize the fallacies of human logic and biases to trick the target into revealing confidential information through various methods and tactics.
The precautions necessary against social engineering are required to be very proactive. For example, you can put an anti virus program that will passively scan your computer for viruses automatically. However, the human must be actively on the defense for social engineering tricks and tactics that may be used against them. Over the years, general guidelines for companies and employees have been developed to give the knowledge necessary to be vigilant and alert for social engineering fraud attempts.
Tactics and Methods
There are various means of utilizing social engineering to obtain confidential and secret information such as passwords and private data. All of these methods work through some medium in which the attacker has to actually converse with the victim in some way, whether directly or indirectly. In all methods, feedback from the victim is required. This feedback is usually the necessary information the attacker was looking for.
Although social engineering tactics are heavily performed through electronic and computer mediums. There are many methods in which social engineering can be done through the physical realm. As long as there can be some form of communication between the attacker and the victim any medium may be used. Social engineering is so successful because it takes advantage of the fallacies of the human being. Whether by means of flattery, impersonation, and greed; social engineering is considered to some an art form of psychology.
Social Engineering can be extremely simple to perform, but have dire effects and consequences. There are even guides and tips on how hackers have used social engineering in extremely simple ways. Social engineering is considered so dangerous that Kevin Mitnick, a renouned hacker and early user of social enginering, was considered the most dangerous hacker. By using social engineering, the FBI though that Mitnick could start a nuclear war by simply utilizing social engineering.
Phishing
The main way of retrieving electronic information from victim voluntarily is through phishing. Phishing, like social engineering, can be performed over various electronic and physical mediums. In a general term, phishing is pretending to be something legitimate, when you are not. When you fool the victim into thinking you are the legitimate source that is being faked, they will reveal all the information that would normally be required to use that source. This may include account numbers, usernames, passwords, or even Social Security Numbers.
A major medium of phishing is through e-mail. The example of a bank and customer is extremely common. The attacker will send the victim an e-mail notifying them of some required account information to be updated. This e-mail will look exactly like the standard e-mail the victim may have received from the bank before. The victim will be required to login and update their information as soon as possible. However, the link will not be sent to the bank website, but to a separate server that was setup by the attacker to retrieve the information. This website, like the e-mail, will look exactly like the actual bank website. Once the person types their login information, the attacker then has all the information they needed from the victim.
Although uncommon, phishing may also be performed over the phone by pretending to be a representative of some company that is requesting some kind of account information. The attacker may even know some basic information about the victim to prove that they are legitimate. Usually, a victim will not question the call and will provide the necessary information. The attacker can then use this information to take advantage of the victim by means of identity or property theft.
Pretexting
Pretexting is a form of using information about the victim to obtain even more information or to use it against the victim. Through pretexting the attacker uses the limited information gained to obtain more information. Once enough information is gained. The attacker may use credit pretending to be the victim, to make purchases acting as the victim, or to manipulate the records of the victim.
The goal of pretexting is to prove to someone that you are legitimately the victim. This may be done from proving that you know their name, address, phone number, and Social Security Number. This could also be done by knowing the victim's username and password that was retrieved through phishing.
Trojan Horse
A Trojan Horse a technological form of social engineering. Not only does it fool the victim that it is from a legitimate source, but it also fools the computer the victim is using. A trojan horse is a program that may seem to perform a legitimate action, but in fact is collecting sensitive information or stealing data in the background. This is, of coruse, derived from the ancient tactic used by the Spartans to invade Troy by pretending to be a gift to the Trojans (which is an ancient example of social engineering).
To be specific, a gimme is a type of Trojan Horse that plays off of Social Engineering. This tactic goes in conjunction with spamming or phishing. The user will receive a pop-up ad or e-mail ad notifying the victim of some software that would benefit them. Because of their curiosity and the seeming innocence of the program, the victim will install it on their machine. The software may even perform as advertised, but in the background is obtaining account information and other confidential data.
This is where a computer program pretends to be something it is not. Instead of an actual human being performing the pretexting, it is an automated computer program.
Security, Precautions, and Defenses
There are many precautions and defenses against social engineering. However, there is a lack of education on the methods to defend against this tactic. Various methods include vigorous identity verification, minimizing the amount of people that have sensitive information, as well as reducing the trust level of those in control of information. Many companies have developed security policies and guidelines that employees should follow to minimize the risk of social engineering exploits.
Proactive Social Defenses
SANS Network Security has a good example of a brief guide for employees to maintain a proactive awareness against social engineering. Through proactive self defense a company should develop a detailed policy on security and data release. These policy should detailed who is able to release information, what information, and to who that information may be released to.
There should be detailed access approval to any secured area or information. A company should setup a defense against social engineering by always having a detailed access approval process instead of simply not challenging the requester of information. The company should have a designated help desk and support center that is knowledgeable in the policies of data release. Information such as employee IDs, account information, and passwords should always be challenged with a detailed approval policy.
By detailing who is allowed to release information and what information can be released, a company can minimize the amount of violations through social-engineering. Usually social engineering succeeds because there is no preset guideline for giving out information for rare instances that social engineers exploit.
Employee Training
Since the human being is the reason for social engineering exploits, the employee is the number one defense against attacks. By training the employees through examples, they gain an understanding of how easy it is for social engineering to work. By training to employees to reduce their trust value and not take request for information at face value, it will discourage the attacker to request any further information. If in doubt, the employee should never give out confidential information and bring it to the next person in command.
=Security Software and Electronics
Since the goal of social engineering exploits are to bypass technological and security barriers, there are few ways to stop social engineering through electronic and software means. One main way to combat and reduce the risk is to have, in place, strict identity verification technologies that combat counterfeit and impersonation attacks. Social engineering attacks are so easy because it is so easy to appear legitimate. If identify verification were scrutinized at both a human and electronic level, the legitimacy of identity would be much harder to prove.
In addition, companies can install software that will reduce the amount of social engineering solicitations that employees receive through e-mail and websites. By filtering out known threatening sources, this software can prevent the employee from even having to worry about making the decision of whether the source is legitimate.