Monday, October 16, 2006

Social Engineering, Part 3

How to Identify Social Engineering Attempt

There are certain signs that help us identify a possible social engineering attempt. They are not foolproof, but they do indicate that an attempt may be under way.

Refusal to Give a Callback Number
A social engineer will usually refuse to give a callback number because it would leave a trace of his presence. However, this indicator is not always reliable. With today's conveniences, the attacker can simply buy a prepaid phone card for use in his attack and throw it away once he is done.

If you offer to call the caller back at a later time to provide the information he is asking for and he refuses to give his contact number, this should immediately raise suspicion.

Out-of-the-Ordinary Request
The goal of a social engineering attack is to obtain information that is normally difficult to get. If someone asks for personal information or seemingly unrelated details such as a user name, password, server name or IC number, you should raise a red flag, find out why the person needs that information, and look for ways to validate his true identity.

Claim of Authority
The attacker claims to be someone with authority, or to be acting on behalf of an authority. He will always emphasize his authority and refuse to provide credentials to prove his identity. He may also use that authority to threaten his target.

Threatens Negative Consequences of Non-Compliance
The attacker threatens his victim with negative consequences if the victim does not comply with his request.

For example, the attacker may threaten that if he cannot get his job done on time because you refused to provide the information he needs, you will be answerable to the company CEO for your action.

Stresses Urgency
The attacker makes his request sound very urgent and puts his victim under stress, so that the victim panics and reveals the information without thinking carefully.

Name Dropping
Name dropping is the technique of using the name of someone who is close to the victim, who has authority over the victim, or for whom the victim is responsible, in order to gain information.

For example, the attacker could call the victim and say, "Mr Big needs this document by 3pm! He has authorized me to request the document from you!" If Mr Big is an important customer or executive to the victim, what are the chances that the victim will ever challenge that request?

How to Combat and Prevent Social Engineering

There are certain measures that, if they do not eliminate the risk, will certainly reduce the chance that you will be the next victim of a social engineering attack.

Training is the primary defense against social engineering. Organize security awareness training and campaigns to educate your staff about social engineering and how to detect and combat it. The training needs to be an on-going program, delivered at least once every year. Social engineering attacks will grow more sophisticated as social engineers learn and become smarter, so your employees need to be updated with these new techniques and knowledge to maintain security effectiveness.

Prevent unauthorized access to the office, mailroom and PBX room. The first line of defense against physical social engineering is to stop the attacker from entering the office premises and sensitive areas. Put up a policy that requires every employee to wear a badge in the office. Restrict employee access to sensitive areas such as the PBX room or computer data center. Empower employees to challenge anyone who shows up in a restricted area without a valid badge.

Do not leave sensitive or valuable information in open areas. Information that can be used for a social engineering attack, such as address books, business documents and employee contact lists, should be kept in a drawer. Always lock your computer and drawer when you are away from your desk.

Do not release private information to strangers or to anyone whose identity you cannot confirm. Do not trust who they claim to be unless you know them personally or can recognize their voice on the phone. If someone asks for a piece of information that you have access to but do not own, do not ever give it out. Direct the requester to the information owner. The information owner has the discretion to determine who has a need to know.

Handle trash and rubbish with care. Invest in a more sophisticated shredder to shred unwanted paper and documents. Do not leave your trash in a public area where anybody can access it. Classified information should be separated and handled only by authorized personnel for disposal. If you are throwing out computer hardware or equipment, make sure you physically destroy the storage media such as hard disks and CDs. Sophisticated software is available on the market to recover data from a hard disk even after it has been formatted or deleted.

Avoid using public computers. A public computer is most exposed to social engineering attacks because anybody can access it. Spying software or a keyboard logger can be silently installed on a public computer to monitor your keystrokes and activities. Your user name, password, account number and online conversations with friends can be hijacked in such cases.

Do not simply leave your contact information with unknown parties. It is quite common in marketing campaigns to be asked to fill up a survey form with personal information, or to drop your name card to stand a chance of winning great prizes. You can never be sure how that information will be used against you. If you do not feel comfortable, do not hesitate to say no. Even disclosing a simple contact detail such as an email address can punish you with hundreds of spam mails every day.

Friends are not always friends after all. Using the internet, people can easily get to know new friends through online chat rooms, instant messengers, online community websites and discussion groups. A social engineer may have set up a trap and made friends with you long before asking for anything. Never trust anybody you do not personally know or have met. You may be a good guy, but not everyone is like you.

This article is by no means a complete description and explanation of social engineering. I have only scratched the surface of social engineering. If you are interested in reading more about social engineering, there are two books which I strongly recommend:

The Art of Deception by Kevin Mitnick.
The Art of Intrusion by Kevin Mitnick.

These two books provide a lot of interesting stories and case studies on social engineering, and a comprehensive list of methods and techniques for protecting yourself and your company.


