2.6 EMERGING ATTACKS: SOCIAL ENGINEERING

Social Engineering is the name given to a category of security attacks in which someone manipulates others into revealing information that can be used to steal data, gain access to systems or cellular phones, take money, or even assume your identity. The complexity of such attacks varies from very low to high. Gaining access to information over the phone, or through a website that the victim visits, has added new dimensions to the field of social engineering. Social engineering is basically the acquisition of sensitive information or inappropriate access privileges by an outsider, based on building an inappropriate trust relationship with insiders. The “outsider” does not always refer to a person who is not an employee of the company or is a stranger to you; an employee who tries to circumvent company policies is also a social engineer.

The goal of social engineering is to trick someone into providing valuable information, or access to that information or resource. The social engineer targets the human nature of a person and exploits human qualities such as:

· The desire to help others: Most competitive companies train their employees to treat customers well and to appear helpful. The attitude of “May I help you?” sometimes becomes trouble when employees unknowingly disclose too much information about the company.

· A tendency to trust others: Human nature is to trust others easily when a person's physical appearance is consistent with the statements he is making. Employees need to be trained not to trust others easily and not to disclose information in such a case.

· The fear of getting into trouble: Too many of us have seen a negative reaction from superiors because verification of identity took too long or because some official was offended. Management must support all employees who are doing their job and protecting the information resources of the enterprise.

· Careless attitude: Sometimes we get lazy and leave our passwords in the open, or leave sensitive material on the desktop of our office PC where it is easily accessible to others.

The important quality of a good social engineer is that he is able to do the harm silently without being noticed. It is only the bad social engineers that we know about; the good social engineers live happily among us and we are not able to catch them.

Human beings are the weakest link in the security chain. We cannot be sure of the security of a system even if we install an antivirus, a firewall, a cryptography-based system or anything else. A machine can never be as intelligent and as destructive as a human being (after all, humans create machines). A social engineer therefore always tries to exploit the human factor: why bother installing a sniffer on a network when a simple phone call to an employee of the company can yield a user_id and password? Social engineering is difficult to defend against with hardware or software alone. A successful defense requires an effective information security architecture, together with policies and standards that are followed strictly. Let us now discuss some of the prevalent social engineering types.

2.6.1 Types of Social Engineering

Although the majority of social engineering attacks focus on human-based interaction by the social engineer, there are also some computer-based methods that attempt to retrieve the desired information using software programs, either to gain information or to deny service to a system. One such computer-based attack was initiated in 1993. The user attempting to log on to the system was met with the normal prompt and, after entering the correct user name and password, had the system prompt appear over again.

What actually happened was that a social engineer managed to get a program installed in front of the normal sign-on routine; it gathered the credentials and then passed the prompt to the real sign-on process. About 95% of the normal users had their codes compromised at that time.

You must have received lucrative messages in your email, offering you something for free, or telling you that you have won some prize or contest (without having entered it). Many people get emails saying that they have turned into billionaires overnight because some close relative has died leaving property and wealth worth several billions. You are requested simply to disclose your valid account number so that the money can be transferred into your account. All these types of messages are social-engineering motivated.

Two of the oldest forms of social engineering are dumpster diving and shoulder surfing. The dumpster diver is willing to get dirty to obtain the information he needs. Too often companies throw out important information. Sensitive information, including phone directories, should be shredded before disposal.

The final two types of social engineering are third-party authorization and tech support. The typical third-party authorization occurs when the social engineer drops the name of a higher-up who has the authority to grant access. The tech support method is where the social engineer pretends to be someone from the infrastructure group and wants a user to access a system while the social engineer scopes out the connection.

They will usually ask for the user's account ID and password so that they can see it across the network. Some potential security breaches are so mundane that they hardly seem to be a concern. With all the fires that we have to fight every day and the deadlines we have to meet, the most mundane items are the ones most often overlooked:

· Passwords: The number-one access point for social engineers is the good old-fashioned password. After all the awareness programs and reminder cards, we still find that employee-generated passwords are too short or too easy to guess.

System-generated passwords are too long, and employees have to write them down to remember them. Even today some systems do not require that passwords be changed. We find this most often in email systems and Internet accounts. We recommend an assessment of the password length and change-interval standards, to determine whether they still meet the current needs of the user community.

· Modems: Every company has more modems than it knows about. Employees and contractors will add a modem to the system and then install products such as pcAnywhere to improve their remote access time.

· Help desk: Put in place processes that help the help-desk employee identify who is on the other end of the phone call.

· Websites: There are two problems here: the dummy site that gathers information, and the legitimate site that gives away too much information. Many hackers use the information they gather from the enterprise website to launch attacks on the network. Make sure that the information made available does not compromise the information resources of the enterprise.
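As an added example (not code from the original post), the assessment of password length and change-interval standards recommended above can be run over an export of account metadata. The policy thresholds, the audit date and the account export are constructed for illustration; only lengths and change dates are handled, never the passwords themselves.

```python
from datetime import date

# Assumed policy thresholds, constructed for illustration.
MIN_LENGTH = 12          # shorter passwords are too easy to guess
MAX_LENGTH = 32          # longer system-generated ones get written down
MAX_AGE_DAYS = 180       # longest acceptable interval between changes
AUDIT_DATE = date(2024, 6, 1)   # constructed "today" so the run is repeatable

# Constructed sample export: (account, enforced length, last change, must_change).
# Only metadata appears here; actual passwords are never handled.
SAMPLE_ACCOUNTS = [
    ("alice", 14, date(2024, 1, 10), True),        # within policy
    ("bob", 6, date(2024, 3, 1), True),            # employee-chosen, too short
    ("carol", 40, date(2024, 2, 15), True),        # system-generated, too long
    ("mail-svc", 16, date(2021, 6, 30), False),    # mail account, never forced to change
]


def audit_account(length, last_change, must_change, today):
    """Return the list of policy findings for one account (empty if compliant)."""
    findings = []
    if length < MIN_LENGTH:
        findings.append("too short")
    if length > MAX_LENGTH:
        findings.append("too long to remember")
    if not must_change:
        findings.append("no change required")
    age = (today - last_change).days
    if age > MAX_AGE_DAYS:
        findings.append(f"not changed for {age} days")
    return findings


def audit(accounts, today):
    """Return {account: findings} for every account with at least one finding."""
    report = {}
    for account, length, last_change, must_change in accounts:
        findings = audit_account(length, last_change, must_change, today)
        if findings:
            report[account] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(f"{name}: {', '.join(findings)}")
```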

2.6.2 Physical Social Engineering

A social engineer can simply walk in and behave like an employee. The employees of a company are generally not trained to challenge strangers, or if they have been trained there has not been much reinforcement of the challenge process. All personnel on site should wear appropriate identification. Some organizations require only visitors to wear badges; therefore, to “become” an employee a visitor must simply remove the badge. By ensuring that only authorized personnel are permitted access, employees will have a safe working environment.

Because there is neither hardware nor software available to protect an enterprise against social engineering, it is essential that good practices be implemented. Some of those practices might be:

· Require anyone who is there to perform service to show proper identification.
· Establish a standard that passwords are never to be spoken over the phone.
· Implement a standard that forbids passwords from being left lying about.
· Implement Caller ID technology for the help desk and other support functions.

To be effective, policies, procedures, and standards must be taught to employees and reinforced. This process must be ongoing, with no more than six months between reinforcement sessions. It is not enough to just publish policies and expect employees to read, understand and follow what is required. They need to be taught what is important and how it will help them do their jobs. This training should begin at new-employee orientation and continue throughout employment.

When a person becomes an ex-employee, a final round of reinforcement should be done during the exit interview process.

Another method to keep employees informed and educated is to have a web page dedicated to security. It should be updated regularly and should describe new social engineering ploys. It could contain a “security tip of the day” and remind employees to look for typical social engineering signs. These signs include behavior such as:

· Refusal to give contact information
· Rushing the process
· Name-dropping
· Intimidation
· Small mistakes
· Requesting forbidden information or access

A social engineer with enough time, patience and resolve will eventually exploit some weakness in the control environment of an enterprise. Employee awareness and acceptance of safeguards will be our first line of defense in this battle against hackers. The best defense against social engineering requires that employees be tested and that the bar of acceptance be raised regularly.
