A social engineering attack is usually conducted by an outsider who uses a variety of psychological tricks on a computer user to get the information they need in order to access a computer or network. Do not be misled by the term "outsider." While the true outside hackers get the headlines, the far more prevalent form of social engineering is conducted by one employee on another employee.
Dr. Peter Stephenson has indicated that thirty percent of all hacking comes from outsiders, that is, people who are not working for the attacked organization. This means that seventy percent of hackers come from within our own organization. We must keep this fact in mind when we develop defenses against social engineers.
The goal of the social engineer is to trick someone into giving them what they want. The social engineer preys on qualities of human nature, such as:
- The desire to be helpful. We have trained our employees well. Make sure the customer is satisfied. The best way to a good appraisal is to have good responses from those needing assistance. Most of our employees want to be helpful and this can lead to giving away too much information.
- A tendency to trust people. Human nature is to trust others until they prove that they are not trustworthy. If someone tells us that they are a certain person, we usually accept that statement. We must train our employees to seek independent proof.
- The fear of getting into trouble. Too many of us have seen negative reactions from superiors because verification of identity took too long or some official was offended. Management must support all employees who are doing their assignment and protecting the information resources of the enterprise.
- The willingness to cut corners. Sometimes we get lazy. We post passwords on the screen or leave important material lying out.
What scares most companies about social engineers is that the mark of a truly successful social engineer is that they get what they are looking for without raising any suspicion. It is the bad social engineers that we know about, not the good ones.
We Are the Weakest Link!
Securing the hardware, software and firmware is relatively easy; it is the "wetware" that causes us the biggest headache. According to the Jargon Dictionary, "wetware" is the human being attached to a computer system. People are usually the weakest link in the security chain. In the 1970s, we were told that if we installed access control packages then we would have security. In the 1980s we were encouraged to install effective anti-virus software to ensure that our systems and networks were secure. In the 1990s we were told that firewalls would lead us to security. Now in the twenty-first century, it is intrusion detection systems or public key infrastructure that will lead us to information security. In each iteration, security has eluded us because the silicon-based products have to interface with carbon-based units. It is the human factor that will continue to appear in our discussion of social engineering.
A skilled social engineer will often try to exploit this weakness before spending time and effort on other methods to crack passwords or gain access to systems. Why go to all of the trouble of installing a sniffer on a network, when a simple phone call to an employee may gain the needed userid and password? A while back a client asked us to see if we could obtain employee access accounts and passwords. They had an aggressive awareness campaign to remind employees of the need to keep their passwords from being compromised. The client wanted to know if we were going to install a sniffer; we told them that we had a better method: we would call their employees. We called twelve employees and had nine people answer our call. We told them we were from network administration and that we needed them to log on so we could troubleshoot a problem. We told them we needed their account identification and password so that our scope could see when they entered the network. Of the nine who answered, eight gave us the information we wanted. The ninth couldn't find the Post-it note that had his password.
Social engineering is the hardest form of attack to defend against because it cannot be defended with hardware or software alone. A successful defense will require an effective information security architecture starting with policies and standards and following through with a vulnerability assessment process.
Aspects of Psychology in Social Engineering
There are three key aspects of social psychology that will help us understand the methods used by social engineers. These include:
- Using alternate routes to persuasion;
- Attitudes and beliefs that affect human interactions; and
- Techniques for persuasion and influence.
In the concept of alternate routes, there are two methods: the direct route and the secondary route.
In the direct route the social engineer may simply ask the target for the information. This does not work very often, but it is always worth a try. If that fails, they will prepare a systematic approach to obtain what they want. They are willing to invest time in building a pseudo-relationship with the intended victim, and they will prepare logical arguments that work on the victim to get them to act.
In the secondary or indirect route, the social engineer makes the prospective victim more susceptible by making a statement at the outset that triggers a strong emotion such as excitement or fear. Because the social engineer is willing to spend time getting to know the mark, or may be a fellow employee, they can contrive a situation that plays on the background of the victim.
In a typical interaction, our attitudes and beliefs about a request for service begin with the basic belief that each party is who they say they are. In the social engineering interaction, only the victim maintains this notion. The effective social engineer relies on the knowledge that the victim will seldom question who they are.
Common Types of Social Engineering
While the greatest area of success for the social engineer is human-based interaction, there are also some computer-based methods that attempt to retrieve the desired information by using software programs to either gather information or deny service to a system. One of the most ingenious methods was first introduced on the Internet in February 1993. The user attempting to log on to the system was met with the normal prompt and, after entering the correct userid and password, the system began the prompt sequence over again. What had happened was that a social engineer had managed to get a program installed in front of the normal signon routine; it gathered the information and then passed the prompt to the real signon process. According to published articles at the time, over 95% of regular users had their access codes compromised.
Today a common ploy is to use a Web site that offers something free, a chance to win something, or access to important information. At a Michigan firm in 1998, the network administrator installed a 401K information Web site that required employees to register with the site to obtain information on their 401K program. After giving such information as account id, password, social security number and home address, the Web site returned a message indicating that it was still under construction. Within a week nearly every employee with a 401K, including senior management, had attempted to register with the Web site.
Social engineering can be broken into two types: human-based and technology-based. Human-based refers to a person-to-person interaction to obtain the desired action. Technology-based refers to having an electronic interface that attempts to retrieve the desired outcome.
Human-based Social Engineering
Impersonation and Important User: Of the human-based forms of social engineering, the first two are categorized as Impersonation and Important User. These two are often used in combination with one another. In the 1991 book Cyberpunk, Katie Hafner and John Markoff describe the actions of one Susan Hadley (aka Susan Thunder). Using an easily accessible military computer directory she was able to obtain the name of the individual in charge. She used her basic knowledge of military systems and terminology as she called a military base to find out the commanding officer of the secret compartmentalized information facility. She sweet-talked her way into obtaining the name of the Major's secretary and then hung up.
Using this information, she changed tactics. She switched from being nonchalant to authoritative. Her "boss," the Major, was having problems accessing the system and she wanted to know why. Using threats, she got the access and, according to her, was in the system within 20 minutes.
Pretending to be someone you are not, or schmoozing your way to the information you need: these are typical examples of how social engineers work to obtain the information they need. They will often contact the help desk and drop the names of other employees. Once they have what they need to gain further access, they will attack a more vulnerable person, someone who has information but not necessarily the clout to challenge anyone of "authority."
Third-party Authorization: The typical third-party authorization is when the social engineer drops the name of a higher-up who has the authority to grant access. It is usually something like "Ms. Shooter says it's OK" or "Before she went on vacation, Ms. Shooter said I should call you to get this information." The social engineer may well have called the authorizing office beforehand to establish that they would be unavailable to corroborate the request. Remember, most social engineers are internal to the organization and can find this out very easily.
In Person: The social engineer may enter the building and pretend to be an employee, visitor or service personnel. They may be dressed in a uniform or become part of the contract cleaning crew. A few years ago in New York, the cleaning crew arrived just before lunch and began to go into the offices and empty the trash containers and dust. Most employees offered to get out of the way and left their office for a few minutes. Later in the afternoon the employees noticed that the trash cart was still in the hallway. The "cleaning crew" had cleaned the offices of wallets, purses and briefcases.
2600: The Hacker Quarterly ran an article on how to become part of a contract cleaning crew, which would allow the social engineer access to a target after hours. In John Grisham's The Firm, information is gathered on the firm by a character who is part of the cleaning crew.
A number of years ago I was doing work with a utility lobby in Washington, D.C., and I asked them if they had any confidential information. The lobbyist told me that everything they had was made available to Congress and was therefore public information. I asked him what it was before it was released. He told me that pre-release information had to be kept secret. I noticed his expression change. I asked him who cleaned his rented office. I was informed that there was a different person in his office most every night. I then asked if he had locked cabinets and a shredder. He said that he would have them the next day.
The easiest way to gain access to a building is to show up at the employee entrance carrying four boxes of Krispy Kreme donuts. The door will be held open and the only question will be which floor the confections are going to. In Canada, try using Tim Horton's.
We have gained access to facilities by posing as service repairmen, complete with tool belt, clipboard and repair orders. In one facility located in New England, we gained access by using employee badges. We were able to get the employee IDs by going to the local dry cleaners and, posing as security personnel, asking if they had any identification badges. The dry cleaner came out with a box of badges. We each selected one we liked and proceeded into the facility. We all met in the cafeteria for lunch.
Dumpster Diving and Shoulder Surfing: Perhaps two of the oldest forms of social engineering are dumpster diving and shoulder surfing. The dumpster diver (now called a trash trawler or garbagologist) is willing to get dirty to get the information they need. Too often companies throw out important information. Sensitive information, manuals and phone books should be shredded before disposal. In Detroit, a bottled-oxygen salesman bragged that he got his competitor's price list by accessing the competitor's dumpster and "rooting around like a pig."
The shoulder surfer will look over someone's shoulder to gain passwords or PIN numbers. A few years ago, one of the news magazine shows did a segment on phone card fraud. During one sequence, the reporter was given a new phone calling card and told to use it at Grand Central Station in New York. While she made the call, the undercover police counted at least five people surfing her PIN number. One even turned to the cameraman to make sure he got the number too. Within minutes the stolen card numbers were being used to make international phone calls.
Technology-based Social Engineering
Pop-up Windows: A window appears on the screen informing the user that the host connection has been interrupted and that the network connection needs to be re-authenticated. The pop-up program then e-mails the intruder with the access information the user entered.
In another scam, a message purporting to be from eBay asks the victim to submit his password and other personal information to a Web site. The e-mail typically arrives shortly after the victim's credit card has expired, so the victim does not suspect that the site is phony. These are called phishing scams; they have been around for years but have in recent months become more numerous and sophisticated.
Mail Attachments: Programs and executables can be hidden in e-mail attachments. Vince Gallo was the first to show the vulnerability of governments and corporations to information warfare via e-mail through his simulated Bunratty attack. The first step in exploiting this vulnerability is to write a program that acts as the "inside agent" to which the social engineer sends covert messages. This program could be written to do anything, from sending copies of documents on the user's computer to spying on other computers on the network. It could be placed on the machine either with human assistance (for example, a collaborator inside the company) or by placing it on a Web site for download, hidden within innocent-looking software: a Trojan horse.
Once this Trojan software is inside the target machine, the malicious software does nothing until the attacker contacts it by sending an e-mail message to the compromised machine; the special message class allows the message to be forwarded directly to the hidden folders without ever being seen by the user.
Web sites: The newer trend in spam and identity theft is called brand spoofing. "Phishing" or "brand spoofing" is the process of sending an e-mail to a user, falsely claiming to be a legitimate enterprise, in an attempt to scam the user into disclosing private information. Government, financial institutions and online auction and payment services are common targets of brand spoofing. The attacker sends either an HTML input form embedded in the e-mail itself or an e-mail providing a link to a deceptive replica of an existing Web page.
Personality Traits That Lead to Social Engineering
Social engineering can be successful when certain personality traits can be exploited.
Diffusion of Responsibility: The target is made to believe that they are not solely responsible for their actions. The social engineer will create situations with many factors that dilute personal responsibility for decision making.
A psychology lecturer once arranged for her class to have to use the language laboratory on some pretext. Not long after she had started the lesson in the language laboratory, she was called away to the telephone. While she was away, someone was attacked in the room next to the language lab. There were screams and the sound of falling furniture. Eventually everything went quiet. None of the psychology students went to investigate. The psychology lecturer had set the whole thing up before she left. She had taken care to start the language lab recording before she left. She played the students the recording of how they had behaved during her absence. Sure enough, the consensus view was that "somebody'll do something about it."
A 2002 study examined the effect of shared responsibility on responsiveness to Internet help requests. The results are consistent with recent findings demonstrating that diffusion of responsibility effects are not limited to the physical world but can also exist in a virtual world where the presence of others is indicated by the e-mails they generate. In line with the assumed role of cueing, recipients of personally addressed e-mails were almost three times as likely to comply as were recipients who received the e-mail from a discussion group.
Chance for Ingratiation: The victim is led to believe that compliance with the request will enhance their chances of receiving a benefit. This includes gaining advantage over a competitor, getting in good with management, or giving assistance to an unknown, yet sultry-sounding female (although often it's a computer-modulated male's voice) over the phone.
When making phone calls to conduct social engineering tests, we use two very different people. When calling men, we employ "Lisa," who has a sweet little voice and can work the victim pretty well. Men are more likely to offer help to a pretty voice. On the other hand, "Lisa" has less positive results with women. So to counter that obstacle we use a gentleman from Glasgow, Scotland. He sounds like Sean Connery and looks like Joe Cocker, but it is the voice that women love and respond to.
Trust Relationship: The social engineer spends time developing a relationship with the intended victim. Through a series of small interactions, a relationship is established. In many instances, the victim will actually recognize the voice of the social engineer because of all of the time they have spent talking.
About ten years ago I was doing seminar presentations for the Federal Reserve Bank in Boston, and an FBI agent told of a wire transfer fraud case. The perpetrator was a young female who had worked in a bank over a summer as an intern. She would call branch offices and pretend she was a new hire at another branch and would ask how to perform wire transfers. By working the victims over a number of weeks, she built a trust relationship with the victim and was able to implement her fraud.
Guilt: Most individuals attempt to avoid the guilt trip if possible. Think about the last time you were approached by some hapless waif, usually from network administration, with their hand out and those big sad eyes. Hard to refuse them, isn't it? Well, the social engineer isn't above stooping to lie about their situation. They may confide in the victim that they have "screwed up" before and that if this doesn't get fixed they'll be out of a job.
Many of us will take some action just to get rid of the person who is heaping guilt on us. The social engineer tries to make the victim believe that not granting the request will lead to significant consequences for the requestor.
Security Breaches that Lead to Social Engineering Exploits
Some potential security breaches are so mundane that they hardly seem to be of concern. With all the fires that we have to fight each day and the deadlines we have to meet, the most obvious things are often overlooked.
Passwords: The number one access point for social engineers is the good old-fashioned password. After all of the awareness programs and reminder cards, we still find that employee-generated passwords are too short or too easy to guess. System-generated passwords are too long, and employees have to write them down to remember them. Even today, some systems do not require passwords to be changed. We find this most often in e-mail systems and Internet accounts. We recommend an assessment of the password-length and change-interval standards to see if they still meet the current needs of the user community.
Modems: Every company has more modems than they know about. Employees and contractors will add a modem to a system and then install products like pcAnywhere or Carbon Copy to improve their remote access time. We recommend that war dialers be used at least twice a year to check on modems.
Help Desk: We've discussed this before. Put in place processes that can assist the Help desk employee in verifying who is on the other end of the phone call.
Web sites: There are two problems here: the dummy site that gathers information, and the legitimate site that gives away too much information. Many hackers use the information that they gather from the enterprise Web site to launch attacks on the network. Make certain that the information available will not compromise the information resources of the enterprise.
Defense Against the Social Engineer
A social engineer may simply walk in and behave like an employee. Many facilities I visit do not require anyone to wear photo identification, or only require visitors to wear a visitor's badge. To become an employee, a visitor simply has to remove the paper badge. The first step in defending against social engineering is to ensure that only those persons authorized to be in the facility are granted access. All visitors need to be escorted once inside the lobby area.
Additionally, our employees have not been trained to challenge strangers, or if they have been trained, there has not been enough reinforcement of the challenge process. Require that all personnel on site wear appropriate identification. Some organizations require only visitors to wear badges; therefore, to become an employee, a visitor must simply remove the badge. Sell the principle that employee identification is not just a security measure but a process to protect the employees in the workplace. By ensuring that only authorized personnel are permitted access, the employees will have a safe work environment.
Since there is neither hardware nor software available to protect an enterprise against social engineering, it is essential that good practices be implemented. Some of those practices might include:
- Require anyone arriving to perform service to show proper identification. Make certain that the reception staff have been trained to verify all service personnel and that there are procedures in place for the receptionist to summon assistance quickly.
- Establish a standard that passwords are never to be spoken over the phone. When contacting the help desk to have a password reset, the organization should establish a set of phrases or words known only by the user. The help desk can then reset the password to one of those words.
- Implement a standard that forbids passwords from being left lying about. Because employees now average around eight access accounts and passwords (information technology employees average twenty accounts), it is no longer possible to forbid the writing down of accounts and passwords. The new requirement should place the emphasis on the classification of passwords and confidential information and require the employees to treat them accordingly.
- Implement caller ID technology for the Help Desk and other support functions. Many facilities have different ring tones for inter-office phone calls as opposed to calls that originate from outside. Employees need to be trained not to forward outside calls. Take down the name and number of the caller and forward the message to the proper person.
- Invest in shredders and have one on every floor. Every work area needs a shredder. The size of the shredder should be based on how much confidential information is present in the office area. Eliminate confidential information collection bins. Require shredding, not storing.
Policies, procedures and standards are an important part of an overall anti-social-engineering campaign. To be effective, policies should meet the following requirements:
- They should not contain standards or directives that may not be attainable. When creating standards, work with the user community to establish what can be accomplished immediately. Once these actions have been implemented, assess the process every six months and act accordingly.
- They should stress what can be done and stay away from what isn't allowed as much as possible. Enumerate to the employees what they can and should do. Requirements that begin with "Thou shalt not . . ." have a tendency to turn people off to the standard.
- They should be brief and concise. Our employees don't have a lot of spare time. Tell them what is required and leave the rationalizations to the security awareness program.
- They need to be reviewed on a regular basis and kept current. Nothing lasts forever. As we discussed above, every six months assess the process and make adjustments as required.
- The message and standards should be easily obtainable by the employees and available via the company intranet. Keep the user base informed. Use an internal Web site to answer questions and give advice.
Employee Education Is the Key
To be effective, policies, procedures and standards must be taught to the employees and reinforced. This process must be ongoing, with no more than 6 months between reinforcement sessions. It is not enough to just publish policies and expect employees to read, understand and implement what is required. They need to be taught in a way that emphasizes what is important and how it will help them do their job. This training should begin at new employee orientation and continue throughout employment. When a person becomes an ex-employee, a final reinforcement should be done during the exit interview process.
Another method to keep employees informed and educated is to have a web page dedicated to security. It should be updated regularly and should contain new social engineering ploys. It could contain a "security tip of the day" and remind employees to look for typical social engineering signs. These signs might include such behaviors as:
- Refusal to give contact information
- Rushing the process
- Small mistakes
- Requesting forbidden information or accesses
As part of this training or education process, reinforce a good catch. When an employee does the right thing, make sure they receive proper recognition. Train the employees on who to call if they suspect they are being social engineered.
Apply technology where you can. Consider implementing call tracing if possible, or at least caller ID where available. Restrict overseas long-distance service on most phones. Ensure that physical security for the building and sensitive areas is effective.
A social engineer with enough time, patience and resolve will eventually exploit some weakness in the control environment of an enterprise. Employee awareness and acceptance of safeguard measures will become our first line of defense in this battle against the attackers. The best defense against social engineering requires that employees be tested and that the bar of acceptance be raised regularly.
Security professionals can begin this process by making available to all personnel a broad range of supporting documentation. Many employees respond positively to anecdotes relating to social engineering attacks and hoaxes. Keep the message fresh and accurate.
Include details about the consequences of successful attacks. Do not discuss these attacks in terms of how security was circumvented, but on their impact to the business or mission of the enterprise. These attacks can lead to a loss of customer confidence, market share, and jobs.
Employees at all levels of the enterprise need to understand and believe that they are important to the overall protection strategy. Without all employees being part of the team, the enterprise, its assets, and its employees will be open to attack from external and internal social engineers. With training and support, we can lessen the impact of these kinds of attacks.
About the Author
Thomas R. Peltier, CISSP, CISM, is principal of Peltier and Associates (www.peltierassociates.com), an information security consulting and service firm. He can be reached at firstname.lastname@example.org.