[ISN] Social Engineering: The Human Side Of Hacking

From: InfoSec News (isnat_private)
Date: Thu May 09 2002 - 00:11:33 PDT

  • Next message: InfoSec News: "[ISN] "Nessus calls home"? Facts of the matter."

    By Sharon Gaudin 
    May 7, 2002  
    A woman calls a company help desk and says she's forgotten her
    password. In a panic, she adds that if she misses the deadline on a
    big advertising project her boss might even fire her. The help desk
    worker feels sorry for her and quickly resets the password --
    unwittingly giving a hacker clear entrance into the corporate network.
    Meanwhile, a man is in back of the building loading the company's
    paper recycling bins into the back of a truck. Inside the bins are
    lists of employee titles and phone numbers, marketing plans and the
    latest company financials. All free for the taking.
    Hackers, and possibly even corporate competitors, are breeching
    companies' network security every day. The latest survey by the
    Computer Security Institute and the FBI shows that 90% of the 503
    companies contacted reported break-ins within the last year.
    What may come as a surprise, according to industry analysts and
    security experts, is that not every hacker is sitting alone with his
    computer hacking his way into a corporate VPN or running a program to
    crack executives' passwords.
    Sometimes all they have to do is call up and ask.
    "There's always the technical way to break into a network but
    sometimes it's easier to go through the people in the company. You
    just fool them into giving up their own security," says Keith A.  
    Rhodes, chief technologist at the U.S. General Accounting Office,
    which has a Congressional mandate to test the network security at 24
    different government agencies and departments. "Companies train their
    people to be helpful, but they rarely train them to be part of the
    security process. We use the social connection between people, their
    desire to be helpful. We call it social engineering.
    "It works every time," Rhodes says, adding that he performs 10
    penetration tests a year on agencies such as the IRS and the
    Department of Agriculture. "Very few companies are worried about this.  
    Every one of them should be."
    Playing Off Trust
    Social engineering is the human side of breaking into a corporate
    network. Companies with authentication processes, firewalls, VPNs and
    network monitoring software are still wide open to an attack if an
    employee unwittingly gives away key information in an email, by
    answering questions over the phone with someone they don't know or
    even by talking about a project with coworkers at a local pub after
    "Incidents of social engineering are quite high, we believe," says
    Paul Robertson, director of risk assessment at Herndon, Va.-based
    TruSecure Corp. "A significant portion of the time, people don't even
    know it's happened to them. And with the people who are good at it,
    their [victims] don't even know they've been scammed."
    Robertson says for companies with great security technology in place,
    it's almost always possible to penetrate them using social engineering
    simply because it preys on the human impulse to be kind and helpful,
    and because IT executives aren't training employees to wary of it.
    "People have been conditioned to expect certain things," says
    Robertson. "If you dress in brown and stack a whole bunch of boxes in
    a cart, people will hold the door open for you because they think
    you're the delivery guy...Sometimes you grab a pack of cigarettes and
    stand in the smoking area listening to their conversations. Then you
    just follow them right into the building."
    Guard The Perimeter
    Eddie Rabinovitch, vice president of global networks and
    infrastructure operations at Stamford, Ct.-based Cervalis LLC, says he
    is definitely aware and on alert for various types of security attacks
    -- technical or not. Cervalis is a managed hosting and IT outsourcing
    "We continuously have training about security in general and social
    engineering in particular," says Rabinovitch. "People are out there
    looking for information. They're always looking for new ways to get at
    that information. In many cases, you can deal with it with tools, but
    it always comes down to procedures and your people."
    Rabinovitch says he deals with social engineering by focusing a lot of
    training on his people on the perimeter -- security guards,
    receptionists and help desk workers. For instance, he says security
    guards are trained to check on visitors if they go out in the smoking
    area to make sure they're not handing their admittance badge over to
    someone else. And he adds that if someone shows up in a utility
    worker's uniform, his visit is confirmed before he is allowed into the
    building to do any work.
    Rhodes, who has focused on computer security, privacy and e-commerce
    in his 11 years at the GAO, says a lot of companies unwittingly put
    sensitive information up for grabs. Some companies list employees by
    title and give their phone number and email address on the corporate
    Web site. That allows a hacker to call an office worker and say Sally
    Jones in the Denver accounting office wants you to change my user ID.  
    Or Rhodes says a company may put ads in the paper for high-tech
    workers who trained on Oracle databases or Unix servers. Those little
    bits of information help hackers know what kind of system they're
    Brian Dunphy, director of analysis operations at Alexandria-Va.-based
    RipTech Inc., a security analyst and consulting firm, says when they
    do risk assessments for their corporate customers it's a given that if
    they use social engineering, they'll be able to break in.
    "It's never been much of an effort to exploit social engineering and
    get in," says Dunphy. "Companies may request that we use social
    engineering. We really only do it for the non-believers."
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Thu May 09 2002 - 03:23:13 PDT