Social Engineering: The Human Side Of Hacking


21 Nov 2013 (4 years and 5 months ago)



Sharon Gaudin

May 10, 2002: Companies spend millions of dollars on firewalls, authentication processes and network monitoring software, but few bother to train employees how to avoid being duped into giving away critical information.

A woman calls a company help desk and says she's forgotten her password. In a panic, she adds that if she misses the deadline on a big advertising project her boss might even fire her. The help desk worker feels sorry for her and quickly resets the password, unwittingly giving a hacker clear entrance into the corporate network.

Meanwhile, a man is in back of the building loading the company's paper recycling bins into the back of a truck. Inside the bins are lists of employee titles and phone numbers, marketing plans and the latest company financials. All free for the taking.

Hackers, and possibly even corporate competitors, are breaching companies' network security every day. The latest survey by the Computer Security Institute and the FBI shows that 90% of the 503 companies contacted reported break-ins within the last year.

What may come as a surprise, according to industry analysts and security experts, is that not every hacker is sitting alone with his computer hacking his way into a corporate VPN or running a program to crack executives' passwords.

Sometimes all they have to do is call up and ask.

"There's always the technical way to break into a network but sometimes it's easier to go through the people in the company. You just fool them into giving up their own security," says Keith A. Rhodes, chief technologist at the U.S. General Accounting Office, which has a Congressional mandate to test the network security at 24 different government agencies and departments. "Companies train their people to be helpful, but they rarely train them to be part of the security process. We use the social connection between people, their desire to be helpful. We call it social engineering."

"It works every time," Rhodes says, adding that he performs 10 penetration tests a year on agencies such as the IRS and the Department of Agriculture. "Very few companies are worried about this. Every one of them should be."

Playing Off Trust

Security Sidebars

How To Thwart The 'Social
Security experts from both government and the private sector offer suggestions to protect your company from hackers using social engineering.

The Feds' Top Hacker
Keith Rhodes, chief technologist with the U.S. General Accounting Office, discusses what companies should be doing to protect themselves, what risks are looming ahead and what exciting security technology is coming down the road.

Social engineering is the human side of breaking into a corporate network. Companies with authentication processes, firewalls, VPNs and network monitoring software are still wide open to an attack if an employee unwittingly gives away key information in an email, by answering questions over the phone with someone they don't know or even by talking about a project with coworkers at a pub after hours.

"Incidents of social engineering are quite high, we believe," says Paul Robertson, director of risk assessment at Herndon, Va.-based TruSecure Corp. "A significant portion of the time, people don't even know it's happened to them. And with the people who are good at it, their [victims] don't even know they've been

Robertson says for companies with great security technology in place, it's almost always possible to penetrate them using social engineering simply because it preys on the human impulse to be kind and helpful, and because IT executives aren't training employees to be wary of it.

"People have been conditioned to expect certain things," says Robertson. "If you dress in brown and stack a whole bunch of boxes in a cart, people will hold the door open for you because they think you're the delivery guy...Sometimes you grab a pack of cigarettes and stand in the smoking area listening to their conversations. Then you just follow them right into the building."

Guard The Perimeter

Eddie Rabinovitch, vice president of global networks and infrastructure operations at Stamford, Ct.-based Cervalis LLC, says he is definitely aware and on alert for various types of security attacks, technical or not. Cervalis is a managed hosting and IT outsourcing company.

"We continuously have training about security in general and social engineering in
particular," says Rabinovitch. "People are out there looking for information.
They're always looking for new ways to get at that information. In many

you can deal with it with tools, but it always comes down to procedures and your

Rabinovitch says he deals with social engineering by focusing a lot of training on his people on the perimeter: security guards, receptionists and help desk workers. For instance, he says security guards are trained to check on visitors if they go out in the smoking area to make sure they're not handing their admittance badge over to someone else. And he adds that if someone shows up in a utility worker's uniform, his visit is confirmed before he is allowed into the building to do any work.

Rhodes, who has focused on computer security, privacy and e-commerce in his 11 years at the GAO, says a lot of companies unwittingly put sensitive information up for grabs. Some companies list employees by title and give their phone number and email address on the corporate Web site. That allows a hacker to call an office worker and say Sally Jones in the Denver accounting office wants you to change my user ID. Or Rhodes says a company may put ads in the paper for high-tech workers who trained on Oracle databases or Unix servers. Those little bits of information help hackers know what kind of system they're tackling.

Brian Dunphy, director of analysis operations at Alexandria, Va.-based RipTech Inc., a security analyst and consulting firm, says when they do risk assessments for their corporate customers it's a given that if they use social engineering, they'll be able to break in.

"It's never been much of an effort to exploit social engineering and get in," says Dunphy. "Companies may request that we use social engineering. We really only do it for the non