The easiest way to break into any computer system is to use a valid username and password, and the easiest way to get that information is to ask someone for it. In the world of computer network security, the term “social engineering” refers to tricking someone into revealing information, such as a password, that is useful for an attack.
Like many hacking techniques, social engineering got its start in attacks against the telephone company. The hacker (or phone phreak, as they used to be called) would dial up an operator and, by using the right jargon, convince him or her to make a connection or share some information that should not have been shared.
Social engineering can be used to collect any information an attacker might be interested in, such as the layout of your network, names and/or IP addresses of important servers, version numbers of operating systems and software, and network security products in use internally. Also, social engineering is not limited to phone calls. Some attackers will follow people as they leave on Friday afternoon, hoping that they will go to a bar where they can strike up a conversation.
In reality, social engineering is probably as old as speech and goes back to the first lie. It is still successful today because people are generally helpful, especially to someone who is nice, knowledgeable, and/or insistent. No amount of computer network security technology can protect you against a social engineering attack.
Recognizing an attack
You can prepare your organization by teaching employees how to recognize a possible social engineering attack. The easiest attack to recognize involves a request for a password. This often comes in the form of a telephone call from someone claiming to be a technician or field engineer trying to solve a problem for your organization. If the first person called won’t give up his or her password, the caller may try several more people before either succeeding or giving up.
The social engineer may also try the help desk or the server administrator. In organizations too large for workers to be familiar with everyone, an attacker may pose as a new hire, or an existing employee who has forgotten his or her password. You should develop procedures to guard against these incidents.
Prevent a successful attack
You can prepare a defense against this form of social engineering by including instructions in your computer network security policy for handling it. Or, if you don’t have a formal network security policy, teach fellow employees what social engineering is and how to deal with it.
The first rule is that no one is ever allowed to share his or her password with anyone under any circumstances. When this rule is followed, it will be possible to track any system access to a specific user account, because only that user should know that password.
Instruct the help desk to only change or assign passwords when positive identification is provided. Make sure that the authentication method you choose is secure. Caller ID, for example, is not. One attacker who was trying to talk a help desk into changing a password fooled the company equipment into displaying an internal phone number as the caller ID.
Create a response plan
Your response plan should include instructions on how to deal with inquiries relating to passwords or other classified information. For example, transfer the inquiry to the person in the organization who handles computer network security (for example, the person who installs and maintains the firewall). If the caller hangs up, a PBX system with a trace function or caller ID will identify, or at least give clues to, the identity of the person calling. With this information collected, the security staff can uncover patterns, such as a persistent person trying to collect passwords. If the attempts continue, a return call to the social engineer is often enough to stop the attempts.
Unless you work for the NSA, or the armed forces, you may not be constantly reminded that “loose lips sink ships”. Nevertheless, vigilance is important. You and your organization need to be circumspect in the information you share with outsiders, as well as insiders, in order to protect critical information about your networks and servers.