ABSTRACT
Social engineering is one of the most overlooked aspects of information security, and yet it is the easiest way for someone, usually an employee, to gain access to restricted information on a computer network. Attacks can be either physical or psychological; each can be equally effective in acquiring confidential information. Methods used to get information can be either human- or computer-based, with different psychological reasons why each method works. Protecting against social engineers boils down to policies that guard against their attacks, but these policies must also be complemented with an effective security awareness program in order to be successful.
INTRODUCTION
Imagine a local banking company. The CIO is out of town on business. A group of strangers walks in early one morning, and by lunchtime they walk out with access to anything they want on the company's network. How did this happen? First of all, these so-called "strangers" researched the company and probably knew more about it than most employees. The intruders showed up at the front door and just followed other employees into secured areas of the building. Each smiled while searching for their "lost" security badge when trying to enter the top floor where the VIPs were located; a friendly employee smiled back as he let them in. Since these strangers knew the CIO was out of town (something that the HR department revealed when they called earlier in the week), they were able to get into his office, call the Help Desk, and get his password changed because his current one "wasn't working." After they got access to the network, the intruders were able to successfully hack into the system and become a super-user with access to valuable resources. They then sorted through the CIO's files and even his trash and were able to find all kinds of useful information. These strangers then walked out