Social engineering
From Computing and Software Wiki
Social Engineering is a term used in computer science that referees to a non-technical type of security attack. This attack relies on the human element in any security system and is made vulnerable by exploiting a person's trust in the attacker to divulge sensitive or insensitive information. This is often accomplished by misleading or tricking the person getting attacked. In many cases, the attacked never know that they have been attacked.
Born October 6, 1963
Convicted of computer related crimes using social engineering.
Contents |
What is Social Engineering?
Social Engineering is the manipulation of people to further a person's motives using various methods. “The art and science of getting people to comply to your wishes” - Bernz. This "compliance" is generally associated with the acquisition of electronic information. However, Social Engineering can also apply to a border definition which encompasses any kind personal manipulation in an attempt to gain something dishonestly. The manipulation is performed by "tricking" the mark (the unsuspecting victim) into a false sense of trust which is them abused to obtain the sought objective.
Aspects of Social Engineering
A social engineering attack can be thought of as process with two key components; human and the system. The human component requires the social engineer to gain the trust of whom ever has access to the system.
Human
The human element in social engineering attacks is the method in which the objectives are carried out. Human beings are generally the weakest part of any security system because they can be tricked or corrupted. By attacking the people who have access to what a social engineer wants, the objectives of a social engineer can be reach more easily. People like system administrator, maintenance people, or employees can all potential jeopardized a secure system by giving out information that to someone who they consider to be trustworthy.
System
The system refers to any potentially closed system which contains something a social engineer wants. A social engineering attack is only successful if the social engineer has knowledge about the inner workings of the system. Knowledge like protocols, terminology, names of people, important dates, etc., provide a social engineer ammunition to construct a persona which is then used to manipulate the people who have access to the system.
Methods of Social Engineering
By Phone
This is the most common method of social engineering attacks. An attacker will call the mark, using a persona, and gain the mark's trust. Then the attacker will request information which then might be used to perform another social engineering attack.
- Most common method
- Call a company and imitate someone in a position of authority or relevance.
- Supervisor, manager, system admin.
- pretend they can’t log into the system
- or that they need your login to troubleshoot
- Supervisor, manager, system admin.
- Help desks are most prone to this
- used to helping people
- trained to give out information and be friendly
- want to move on to next call
- minimally educated in security area
Online
- Many people use same password and login for internet sites
- Using methods like Phishing can allow the Social Engineer to obtain lots of information about a person
Persuasion
- The true strength of a Social Engineer
- Gaining trust by
- impersonation (identiy theft)
- imitation (made up identity)
- Uses psychological methods
- Guilt
- Tempting offers
Dumpster Diving
- also known as trashing
- looking through garbage for information
- Many companies don’t implement any method of security for their garbage
- user and password lists
- Company directories
- Event calendars
- obsolete computers
- printouts of source codes
- The more a Social Engineer knows about:
- a company
- their protocols
- terminology
- the more likely he’ll be able to succeed.
Reverse Social Engineering
- Pretend to be someone in a position of authority
- employees will ask him for information
- Most difficult method to pull off
- requires lots of preparation
- but can yield the most successful results
Protection
- Security policies dealing with both physical and psychological elements
- Standard physical security mechanisms
- networks protection
- good password protection
- secure disposal of trash
- standard security measures we’ve discussed in class
- Education and training of employees
- Making employees aware of Social Engineering
- better recognize an attack
- Authentication
- Making sure the person they are speaking with is that person
- Availability of ANY information
- only give out information that’s need-to-know
- Don’t give out confidential information
- Standard physical security mechanisms
Conclusion
- Social Engineering attacks are very difficult to protect against.
- A system’s security is only as strong as the people who maintain it.
- With proper training, a social Engineering attack can be made extremely difficult.
- However, it can never been fully projected against.
References
Bernz: “The complete Social Engineering FAQ!” http://www.morehouse.org/hin/blckcrwl/hack/soceng.txt
Sarah Granger : “Social Engineering Fundamentals”, SecurityFocus, December 18, 2001 http://www.securityfocus.com/infocus/1527
“Social engineering (security)”, Wikipedia, November 19, 2007 http://en.wikipedia.org/wiki/Social_engineering_(computer_security)
“social engineering”, SearchSecurity, October 10, 2006 http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci531120,00.html
Mitnick, Kevin: “My first RSA Conference,” SecurityFocus, April 30, 2001 http://www.securityfocus.com/news/199
Leslie Hawthorn: “Social Engineering”, O’Reilly Network, March 10, 2006 http://www.oreilly.com/pub/a/womenintech/2007/09/04/social-engineering.html
“Social Engineering”, McGuill Network Communications Services, September 7, 2007 http://www.mcgill.ca/ncs/products/security/threatsdangers/socialeng/
--Shahinrs 07:36, 7 November 2007 (EST)
