Social engineering: It's a matter of trust

July 14, 2003 12:00 PM ET

Computerworld - Boiled down, social engineering is simply the exploitation of the natural human tendency to trust. It is used by attackers -- hackers or anyone else with malevolent intent -- to gain unauthorized access to a computer, with the goal of obtaining the information stored on it.


Social engineering uses computer security cracking techniques that rely on weaknesses in human nature rather than weaknesses in hardware, software or network design. Using social engineering, even someone with minimal computer hacking skills can find his way into a supposedly secure computer system and access, modify or destroy the data contained in it.


To see how your system would fare against a social engineering attack, ask yourself the following questions:


  1. Would you give your password to someone who told you in person, over the phone or in an e-mail message that he was fixing a problem with your computer or network? Or would you notify your computer security personnel immediately?

    Douglas Schweitzer

  2. Do you lock your workstation before you leave your desk, or do you leave it up to your password-protected screensaver to activate on its own?


  3. Do you challenge strangers you come across in restricted areas who don't display proper badges or identification, or do you assume that they are likely authorized to be there (and perhaps are too important to be questioned -- possibly because they're dressed in nice suits)?


  4. Would you decline to participate in a phone survey that asks a multitude of questions about your organization's computer systems, or would you be likely to participate if offered a "free gift"?


  5. Would you stop a clean-cut uniformed delivery person carrying packages who flashes a smile and asks where the mailroom is as he attempts to tailgate into a secure building with you, or would you politely hold the door open for him and point him toward the mailroom?


  6. Do you leave work discussions at work or do you continue discussing business over meals at local restaurants or in other public places?


  7. Do you shred your old phone lists, or do you simply dump them in the trash?
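Question 2 turns on a detail that is easy to overlook: if you rely on the screensaver, an unattended session stays open for the whole idle timeout, and if the screensaver does not demand a password on resume it offers no protection at all. The following PowerShell script is an added example, not part of the original article, that reads the per-user screensaver values Windows stores under HKCU:\Control Panel\Desktop (ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut) and flags the weak configurations; the 10-minute threshold is an assumed local policy, not a figure from the article.

```powershell
# Added example (not from the original article): audit the idle-lock settings
# that question 2 depends on, and show the manual lock that closes the gap.
# Registry paths and value names are the standard per-user screensaver values.
# $maxIdleSeconds is an ASSUMED local policy; adjust it to your organization's rule.
# Group Policy can override these values from
# HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop; check that hive
# too if the user's settings look right but behaviour differs.

$desktopKey     = 'HKCU:\Control Panel\Desktop'
$maxIdleSeconds = 600   # assumed policy: the session must lock within 10 minutes

function Get-ScreenLockPolicy {
    # Returns the three values that together decide whether an idle session locks.
    $p = Get-ItemProperty -Path $desktopKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ScreenSaverActive = [int]($p.ScreenSaveActive    -as [int])   # 1 = screensaver enabled
        RequirePassword   = [int]($p.ScreenSaverIsSecure -as [int])   # 1 = password on resume
        TimeoutSeconds    = [int]($p.ScreenSaveTimeOut   -as [int])   # idle seconds before it starts
    }
}

function Test-ScreenLockPolicy {
    # Returns one finding per weakness; an empty result means the settings pass.
    param([Parameter(Mandatory)] $Policy)
    $findings = @()
    if ($Policy.ScreenSaverActive -ne 1) {
        $findings += 'Screensaver is disabled: an unattended session never locks on its own.'
    }
    if ($Policy.RequirePassword -ne 1) {
        $findings += 'Screensaver resumes without a password: the "lock" is cosmetic.'
    }
    if ($Policy.TimeoutSeconds -le 0 -or $Policy.TimeoutSeconds -gt $maxIdleSeconds) {
        $findings += "Idle timeout is $($Policy.TimeoutSeconds)s: anyone at the desk has that long before the session locks."
    }
    $findings
}

$policy   = Get-ScreenLockPolicy
$policy | Format-List
$findings = Test-ScreenLockPolicy -Policy $policy
if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "Idle-lock settings meet the assumed $maxIdleSeconds-second policy."
}

# Locking before you walk away removes the window entirely. This is what Win+L does;
# uncomment to lock the current session from a script or shortcut:
# rundll32.exe user32.dll,LockWorkStation
```

Even when every check passes, the timeout is still a window in which a visitor who has tailgated in (question 5) can use your session; the manual lock is the habit the question is really asking about.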


Many people believe that computer break-ins are the result of flaws in computer systems that intruders are able to exploit. In reality, social engineering frequently plays a big role in helping an attacker bypass security barriers like firewalls or intrusion-detection systems. Computer users' gullibility or lack of security awareness often provides an easy steppingstone into a protected system in cases where an attacker has no authorized access to the system at all.


Social engineering is successful because the malevolent person attempting to get information (or access) preys upon the good, helpful nature of unknowing and unsuspecting employees. He may use flattery or come across as truly in need of your help, or he may attempt to convince you that he is performing a service for you.


In larger organizations, an intruder may pretend to be a fellow employee who needs access because his system is down. He may try to engage you in conversation and may even mention a co-worker's name in an effort to establish a rapport that will lead to a feeling of mutual helpfulness. Or he may assume an authority persona to trick you into supplying "mandatory" information. One trick is to pose as a network troubleshooter who needs an ID and password to verify that a problem on the network is fixed and won't recur; the impostor thereby persuades an employee to hand over an ID and password carrying the access rights he wants.


To outsmart a hacker, the Nonproliferation and National Security Institute offers the following tips:


  1. If you can't identify a caller who asks for information such as a badge or employee number, information about your computer system or any other sensitive information, don't provide any information. Insist on verifying the caller's identity by calling him back at the telephone number listed in your organization's telephone directory. This procedure causes minimal inconvenience to legitimate activity when compared with the scope of potential losses.


  2. Systems maintenance technicians from outside vendors who come on site should be accompanied by the local site administrator (who should be known to you). If the site administrator isn't familiar to you or if the technician comes alone, it's wise to call a site administrator you know. Unfortunately, many people are reluctant to do this because it makes them look paranoid, and it's embarrassing to show that they don't trust a visitor.


  3. A password for your personal account should be known only to you. Systems administrators or maintenance technicians who need to do something to your account don't need your password. They have their own passwords, which grant system privileges that allow them to work on your account without the need for you to reveal your password. If a systems administrator or maintenance technician asks you for your password, be suspicious.


It's unfortunate, but many computer users erroneously assume that network administrators, security personnel and software developers are doing everything necessary to keep networks safe. If users think they don't need to worry about precautions, they can have a false sense of security. Protecting the network isn't just the job of the tech people. It's important to remember that a network -- and every computer on it -- is only as secure as its weakest link. Make certain your network's weakest link isn't you!



Special Report

Tips From Security Experts