Introduction
In his book, Secrets and Lies, Bruce Schneier writes, “People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems (Schneier).” People are tagged with the weakest-link label because of the unchanging and inalterable fact that “anyone with access to any part of the system, physically or electronically, is a potential security risk (Harl)”. Social engineers target this human weakness, the weakest link of the system, to gain access to a system (Cox). This paper will focus on defining social engineering, explaining how social engineering works, exploring the costs of social engineering, and investigating how social engineering can be combated.
Social Engineering Defined
IT security professionals are always working on a new, more comprehensive viewpoint in defining social engineering. In 1997, one expert equated social engineering to an art and science with the single goal of “getting people to comply with your wishes (Harl)”. In 2002, another expert expanded on the psychological component of social engineering by emphasizing the role that “building trust relationships with insiders” plays in the acquisition of “sensitive information or unauthorized privileges” (Damle). He also concludes that this form of deception is an art which, through careful manipulation, leads people into speaking or acting “contrary to their normal manner” and often outside of company policies. Again, there is an emphasis on the social engineer attaining valuable information or unauthorized access. In a 2004 article, Shinder defined social engineering as a non-technical kind of intrusion which is dependent on human interaction and enticing users to “break normal security procedures and policies” (Shinder). Social engineers have been likened to con artists (Sheikh), and although social engineers have always been around, they have progressed from a simple con to becoming “a person armed with a little bit of knowledge…that can catch a business man, consumer, or employee unawares and end up gaining access to valuable information or systems” (Cox).
How Social Engineering Works
In order to get users to break with the normal security procedures and policies set in place for employees, and thereby gain information, social engineers project themselves as something that they are not (B). There are two main mediums by which social engineers are able to launch their attacks; attacks are either human based, “using traditional methods of communication (either in person or over telephone)”, or computer based, which “uses modern computing devices for the interaction” (Damle). Shoulder surfing, impersonation, third party authorization, pretending to be a tech support member, and dumpster diving are all examples of human based social engineering, while computer based social engineers will use email, software, and pop-up windows (Damle). A Key Ghost is another tool that falls within computer based social engineering; when attached to a keyboard, this device will capture everything that is typed on the keyboard (Damle).
There is a common pattern associated with a social engineering attack which makes this form of attack both recognizable and preventable (Allen). The cycle consists of four phases: information gathering, developing relationship, exploitation, and execution (Allen). In the information gathering phase, the social engineer may use “a variety of techniques to gather information about the target(s) which can be used to build a relationship with either the target or someone important to the success of the attack (Allen).” In the relationship development phase, the social engineer will “position himself in a position of trust which he will then exploit (Allen)”. In the next stage, called the exploitation phase, this “trusted” attacker will manipulate the user into revealing information. The final stage is that of execution which is completed once the aggressor has acquired the information that he/she was seeking (Allen).
Successful social engineering involves a lot of groundwork and preparation before information gathering (Damle). Some of the preparation necessary before a social engineering attack includes framing a plausible story, developing realistic props, seeking a target, gathering information, and setting appropriate timing. One story from a white hat social engineer emphasizes just how important preparation is for a social engineer; this engineer’s lack of preparation almost led to his arrest because he was unaware that the building which housed the company that he was hired to penetrate also housed Britain’s domestic intelligence agency (Sheikh). Before meeting his target employee, he was spotted on CCTV cameras and escorted away (and nearly arrested).
Frequent Targets of Social Engineering
Because a social engineer is after privileged information, there are people whose positions make them valuable targets for high-risk exposures (Damle). These positions include those who have access to plenty of private/confidential information, frequent interaction with the public, and those who are unaware of potential warning signals of a social engineering attack (Damle). For this reason, secretaries, executive assistants, computer operators, call centers, as well as help desks, are frequently targeted by social engineers (Damle).
Among the reasons why these positions are so easily penetrated is the fact that so much pressure is placed on the employees to improve customer service; they are “being measured on helping customers and providing a great customer experience” (Lineberry). This helpful attitude is exactly what the social engineer is counting on.
The Costs of Social Engineering
Few companies pay enough attention or devote enough resources to the human element of information security (Lineberry). This tendency has proven to be a costly gamble. In a 2006 CSI/FBI Computer Crime and Security Survey, “313 computer security professionals reported a total of 52.49 million in losses linked to computer security incidents for 2006 (Lineberry)”. The following chart is a sample of the kinds of attacks reported:
Virus contamination: $15.6 million
Unauthorized access to information: $10.62 million
Laptop or mobile hardware theft: $6.64 million
Theft of proprietary information: $6.03 million
Insider abuse of Internet access or e-mail: $1.85 million
Bots (zombies) within the organization: $923,700
System penetration by outsider: $758,000
Phishing in which your organization was fraudulently represented as the sender: $647,510
Password sniffing: $161,210
Of course, the total cost of social engineering may be monumentally higher than this 2006 survey suggests. The reason for this is social engineering attacks often go unrecognized and/or undocumented.
For companies and industries concerned about social engineering, it has become a common practice to hire an outside firm to conduct social engineering testing (Lineberry). This outside testing typically costs between $10,000 and $15,000 (Lineberry). Though this cost is substantial for a small business to absorb, it can reduce the cost social engineering places on a larger firm.
Tools to Combat Social Engineering
While social engineering relies on the natural tendencies of people to be helpful and accommodating, there are ways to combat it. To this end, Bruce Schneier recommends building systems that “the user cannot subvert, whether by malice, accident, or trickery (Dubner).” He also recommends convincing individuals to recognize the importance of organizational security. Kevin Mitnick explains the dilemma faced in corporations on a daily basis and makes some security recommendations: “... it is up to each individual to define in their own mind's eye what is sensitive. But when anyone requests information from you that could be sensitive, such as passwords or how you connect to a system, you should question that. When people get a phone call from someone who sounds knowledgeable or says certain things about a product they may use, they are of a mind to go ahead and give out the information. But people have to become comfortable with saying no and not giving information to someone when there is no need for them to have it” (Cox). To this end, one solution that may provide a degree of organizational security is termed “social reengineering (Piedad)”. Social reengineering is a continuous process of improvement that focuses on four steps: education, evaluation, facilitation, and feedback (Piedad). The education step is important because it is where the concepts, principles, and theory behind IT management, security, and high availability are taught (Piedad). The evaluation step is an examination of “current activities and comparison of current practice versus the defined objectives (Piedad)”. The facilitation step is meant to assist people in implementing the measures needed to reach the defined objectives, while the feedback step is for evaluating the achieved results and determining what adjustments need to occur (Piedad).
Training should present examples “to illustrate the threat and exposure”, while covering ways “to resist the attacks to create the right kind of cautious attitudes” (Damle). Insiders should also know “what they are expected to do and not to do, as well as the reaction to any breaches” (Damle). Penetration tests may also be used to test for weaknesses and correct them, though a briefing and follow-up debriefing are highly recommended to prevent any major disturbances from occurring (Damle).
Conclusion
When looking ahead to the future of social engineering, it is expected that the tricks will become increasingly cunning and intermingled with other hacking techniques (Dubner). In order to combat the rising tide of attacks through social engineering, companies need to recognize the very real risk. One expert implies that the only secure computer is an unplugged one, and that social engineering is such a threat that it could persuade someone to plug it in and switch it on (Harl). Due to the fact that even a powered down computer now poses a security threat, “effective information security must be ingrained and backed by strategies and processes that are continually tested, taught, measured, and refined (Damle)”.
References
*Allen, M. (2006). Social Engineering: A Means to Violate a Computer System. Retrieved April 18, 2008 from SANS Institute at: http://www.sans.org/reading_room/whitepapers/engineering/
B. (2008). Social Engineering: How it is Done. Retrieved April 17, 2008 from Data Strong Hold at: http://www.datastronghold.com/security-articles/hacking-articles/social-engineering-how-it-is-done.html
Cox, M. (2008). Interview: Mitnick on Avoiding Fraudsters. http://www.practicalecommerce.com/articles/704/Interview-Ex-hacker-Mitknick-On-Avoiding-Fraudsters/
*Damle, P. (2002). Social Engineering: A Tip of the Iceberg. Retrieved April 02, 2008, from Information Systems Control Journal Web site: http://www.isaca.org/Template.cfm?Section=Home&CONTENTID=17032&TEMPLATE=/ContentManagement/ContentDisplay.cfm
Dubner, S. (2007). Bruce Schneier Blazes Through Your Questions. Retrieved April 02, 2008, from The New York Times site: http://freakonomics.blogs.nytimes.com/2007/12/04/bruce-schneier-blazes-through-your-questions/
Harl. (1997). People Hacking: The Psychology of Social Engineering. Retrieved April 17, 2008, from Packet Storm Security site: http://packetstormsecurity.nl/docs/social-engineering/aaatalk.html
Lineberry, S. (2007). The Human Element: The Weakest Link in Information Security. Retrieved April 17, 2008 at http://www.aicpa.org/pubs/jofa/nov2007/human_element.htm
Piedad, F. (2002). Social Re-Engineering: Hacker-Proofing the Most Vulnerable Part of your IT Organization. Retrieved April 13, 2008 at http://www.harriskern.com/index.php?m=p&pid=377&aid=64
Schneier, B. (2008). IT Security Quotes. Retrieved April 17, 2008, from Native Intelligence Inc. site: http://www.nativeintelligence.com/ni-free/itsec-quips-03.asp
Sheikh, A. (2008). How to be a Con Artist aka Social Engineer. Retrieved April 19, 2008, from Tech Factor site: http://www.anishshaikh.com/2008/03/how-to-be-con-artist-aka-social.html
Shinder, D. (2004). How to Defend Your Network Against Social Engineers. Retrieved April 13, 2008, from Window Security site: http://www.windowsecurity.com/articles/Social_Engineers.html