September 15th, 2005 11:35 PM
Social Engineering Paper
Hey, I go to the University of Advancing Technology for network security. I just got finished the first draft of a short paper on the basics of social engineering. Wanted to get some input on it from you guys, so any help would be greatly appreciated. Thanks!
An Introduction to Social Engineering
What is Social Engineering? Why is it important? How can I protect myself against possible attacks? Everyone should be concerned about social-engineering. In this paper these issues will all be explained. After reading this paper you should grasp a basic understand of how social engineering can be devastating in the business world. Note that this information is intended for ethical use and prevention of such attacks. This information is not intended for malicious use of any kind.
Social Engineers take advantage of the weakest link in any organization’s information-security defenses: the employees. Social Engineering is the art of manipulating the trusting nature of human beings to be used for personal gain. Let’s face it; it is human nature to want to be trusting of people. Unfortunately, some people like to benefit from others’ weaknesses.
Typically, hackers will pose as someone else to gain information and access that he or she is not supposed to have access to. Once a hacker has access to a network, he or she can physically cause havoc to network resources, steal or delete files, and even commit industrial espionage against the company he or she is attacking.
The social engineer may pose as false support personnel, where he or she will claim that they need to update system software or talk a user into downloading new software, and then obtain remote control of the system. Others will ask for the administrator password and obtain full access to the system. Many administrators and users are paranoid when it comes to get virtually manipulated online such as clicking ad links and opening suspicious emails; but too many are still skeptics when it comes to person-to-person security.
Here’s an example taken from the book “Spies Among US” where world-renowned social-engineer Ira Winkler is paid by a corporation to social engineer his way into their company headquarters.
“They first scoped out the main entrance of the client’s building and found that the reception/security desk was in the middle of a large lobby and was staffed by a receptionist. The next day, the two men walked into the building during the morning rush while pretending to talk on cell phones. They stayed at least 15 feet from the attendant and simply ignored her as they walked by.
After they were inside the facility, they found a conference room to set up shop. They sat down to plan the rest of the day and decided a facility badge would be a great start. Mr. Winkler called the main information number and asked for the office that makes the badges. He was forwarded to the reception/security desk. He then pretended to be the CIO and told the person on the other end of the line that he wanted badges for a couple of subcontractors. The person responded ‘Send the subcontractors down to the main lobby.’
When Mr. Winkler and his accomplice arrived, a uniformed guard asked what they were working on, and they mentioned computers. The guard then asked them if they needed access to the computer room! Of course they said. Within minutes, they both had badges with access to all office areas and the computer operations center. They went to the basement and used their badges to open the main computer room door. They walked right in and were able to access a Windows server, load the user administration tool, add a new user to the domain, and make the user a member of the administrators’ group. Then they quickly left.
The two men had access to the entire corporate network with administrative rights within two hours. They also used the badges to perform after-hours walkthroughs of the building. In doing this, they found the key to the CEO’s office and planted a mock bug there.”
From that example you can see exactly how detrimental social engineering can be to a company. Within hours they had full administrative rights to the company’s network. This was actually quicker than it would take most hackers to access such a network. Note that most social engineers are outsiders of the company, as it is harder for insiders of a company to act as somebody else. Most social engineers are very detailed when it comes to their work, and research their target weeks in advance, obtaining references, background checks, etc of the company.
Another example is one that I have personally done. Note that this was all done with the full permission from the owner of the company. I called a local video store posing as the manager from another store of the same chain a few miles away. As an initial step for research, I visited both locations and noted the employees currently on duty. I even asked the manager of the target store what time he was on duty. Without hesitation of any kind, he told me. I then called the store from a public telephone with a private number.
“Hi this is Evan from the ********** in Lawnside. I have a Ryan Wetenhall here with an account at your store that has a movie showing up as overdue. He says he returned the movie last Tuesday around 10 p.m. at your location but it’s still showing up as overdue in our system. His account number is ********.”
Without any question, he replied “sorry about that, I’m sure it’s here somewhere… I’ll take it off the system right now, should be showing up clear in about 5 minutes.”
When I first tried this test I had no previous social engineering experience, and was amazed at the stupidity of the store manager. I then called the owner of the target location. The manager was fired the next morning.
Effective social engineers can obtain user or administrative passwords, security badges, keys, financial reports, physical property, employee information, and even customer lists and sales projections. If any of this is leaked out, it can lead to financial losses and create legal issues where information was to remain confidential by law..
The problem with preventing social engineering is that there are so many loopholes to cover up. The basic steps to social engineering are:
1. Perform research: this includes history of the company, employee names, dumpster diving (picking classified information out of a dumpster. All companies should have paper shredders to discard such information).
2. Build trust: talking to employees at the companies, acting like you know people you don’t.
3. Exploit relationship for information through words, actions, or technology
4. Use the information gathered for malicious purposes.
Now that you know what steps social engineers take, its time to learn how to prevent such people from gaining access to such fragile information. Some basic steps include: Classifying data, hiring employees and contractors and setting up user IDs, Terminating employees and contractors and removing their IDs, changing passwords regularly, escorting guests, and performing social engineering tests on your own business through security consulting firms.
The most important step to help prevent social engineering attacks is user awareness. Hold regular meetings in which such issues are taken in to consideration. Train users on detecting suspicious activity. Keep workers up to date with security information.
Other social-engineering prevention tips include:
• Escort all guests within a building
• Never send or open files from strangers
• Never give out passwords
• Never let a stranger connection to one of your network jacks for even a second. Network analyzers take virtually no time to plant.
• Classify all information, both hardcopy and electronic; train all employees on using such methods.
• NEVER allow anonymous access to File Transfer Protocol’s if you don’t have to.
As you can see from all of this information, social-engineering is a big problem in the business world, as people are trusting by nature. A good social engineer can obtain all the information he or she needs without even touching his or her computer. If you follow the prevention tips I have listed above, you should have a basic understand of how to prevent such situations, and just how detrimental having an insecure and untrained staff can be.