Computer Security by Mark Stone

Social Engineering
by Contributed - Story: 33537
Sep 12, 2007 / 6:00 am

Earlier this year, PC Magazine published their ‘Complete Guide to Security’ issue, which listed the top 10 security threats to your computer. The usual suspects are all there: spam, phishing, viruses, wireless etc. What surprised me was their pick as the number one threat to computer security—social engineering. (In other PC Magazine news, Jim Louderback, the magazine’s editor-in-chief, has just stepped down from his position that he’s held for the past fifteen years. His final column, which appeared in the September 4th issue, deals with his extreme frustration with Vista. Check it out at pcmag.com, click on Columns, and choose ‘Passing the Torch’.)

As for social engineering, it is actually the easiest method for hackers to get the information they want from you. Why go to all the trouble in trying to penetrate the corporate firewall, access the corporate network and try to steal passwords with a computer program when it’s much easier to just ask for the passwords? A smart hacker can call a random employee at a given company, act friendly, name-drop a little bit, pretend they are from the help desk and eventually come away with all the information they need.

Here are a few scary examples: According to a government study, in July 2007, IRS employees in Washington DC disregarded security policies and turned over sensitive computer information to a caller (social engineer) posing as a technical support person.

A whopping 61 of the 102 people who got the test calls—which included managers and a contractor—complied with a request for the employee to provide his or her username and temporarily change his or her password to one the caller suggested. The findings were reported to the Treasury Inspector General for Tax Administration, an office that provides oversight of the Internal Revenue Service.

And last year, an informal survey was conducted in which a security researcher stood outside a large financial institution in San Francisco with a stack of ten-dollar Starbucks gift cards. As employees of the financial company approached him, he presented them with a survey that eventually asked them to divulge very sensitive corporate data such as their network ID and password. In exchange for the information, the subjects would receive the $10 gift card. Over 70% of them gave up the data… all for a few cups of coffee!

Kevin Mitnick, the world’s most famous hacker, wasn’t by any means a computer genius. What made him so good at compromising data was his social engineering skills. He used whatever means necessary to get the information he wanted: dumpster diving, observing employees, and just using his persuasive people skills. He exploited numerous systems and eventually served five years in jail. He has now turned his life around so to speak and is working for the ‘good side’ as president of Mitnick Security Consulting.

Back to the top ten list. I was surprised to see social engineering at number one because, typically, social engineering is not brought up as a serious risk to computer security. I was very glad to see it listed as the top threat. One of the first things information security professionals learn is that people are often the weakest link in the security chain. Not because we are stupid, but because the computer security world moves far too fast for most of us to keep up.

Threats to computer safety are changing far too quickly. The ability to maintain sufficient awareness of everything going on in the computer security world is becoming more difficult each year.

Still, there are things we can do to avoid being ‘socially engineered’. Our use of passwords is very important. Make them difficult to guess but easy for you to remember. And don’t write them down, especially not on a sticky note behind or beside your computer screen!

Also, be suspicious of anyone who asks you for your password. Even at work, if someone calls and asks you to reveal sensitive information, ask questions to make sure they are who they say they are. And never reveal any sensitive information in an email.

With the security landscape changing so quickly, security awareness in organizations is becoming more and more important. If employees were more educated on how to deal with issues like social engineering, many of the threats to corporate data would be dramatically reduced. The time and effort spent on security awareness can pay off exponentially!

About the author...

Mark Stone is an information security consultant for his company, Triad Security Consulting. He has been in the Information Security industry for 8 years and in Information Technology for over 20 years. He is a Certified Information Systems Security Professional (CISSP), and is a strong advocate for promoting computer security awareness and policy in organizations.

Mark's first novel, Behind The Screen: Hacking Hollywood, is now available online. See also http://www.markstonebooks.com

Mark can be reached at 250-864-2294 or email mark@triadsecurityconsulting.com

Visit Mark's web site at: www.triadsecurityconsulting.com

The views expressed are strictly those of the author and not necessarily those of Castanet. Castanet presents its columns "as is" and does not warrant the contents.
© 2010 Castanet.net