Multiple choice: A social engineer is . . .
(a) An oxymoron, like “jumbo shrimp”. “Al, these new circuit designers are all introverts. There isn’t a social engineer in the bunch.”
(b) A Twilight Zone episode. “Wow, The Mysterious Social Engineer gave me chills when he turned out to be a hologram.”
(c) A professional organizer of social occasions. “Martha, I used to be a wedding planner, but now I’ve found my calling as a social engineer specializing in ice cream socials.”
(d) A cat breeder. “The meeting of the Selectively Outcrossed Cats Including Abyssinian Longhairs (S.O.C.I.A.L.) society will now come to order. Welcome, genetic engineers!”
If you selected (a) through (d) you’re just guessing. The correct answer is “(e) an attacker who uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems” as defined in US-CERT ST04-014.
Your computer systems can have the best technical security in place and still be compromised through that Achilles' heel of the modern enterprise: humans.
When it comes to divulging information that might be used for a system intrusion, suspicion – perhaps even paranoia – can be a good starting point.
“Just because you’re paranoid doesn’t mean they aren’t after you.” ~ Capt. John Yossarian in the 1970 film, Catch-22.
For many people, this suspicious posture goes against their nature, or may even seem to conflict with their job duties, so it is important to establish policies and guidelines within your organization that tell them how to behave when a stranger asks for access or information.
For example, if someone shows up and requests access to the computer room to fix the sprinkler system, what should the front desk personnel do to validate that this is a legitimate request? Who should accompany him while he is in the building?
In The Art of Deception: Controlling the Human Element, Kevin Mitnick describes the exploit that led to Stanley Mark Rifkin being cited in the Guinness Book of World Records as the perpetrator of the “biggest computer fraud.” It’s ironic that although computers electronically delivered the loot, Rifkin pulled off the heist without using a computer. His weapon of attack? The telephone.
Do your employees know what to do when a voice at the other end of the line says, “Hi! George [the name of your CIO] asked me to call you and get his access code because he needs to log in from the clubhouse and he kept the code in his wallet, which dropped in the water hazard while we were golfing together.” Okay, that one’s pretty obvious, but there are less blatant voice phishing attacks that can be thwarted by employees who have been trained to recognize them and respond appropriately.
Besides appearing in person and telephoning, the social engineer often uses email as his attack vector. Is your CEO’s suspicion quotient big enough to overcome his ego when he gets an email telling him he’s been nominated for the Exceptional Producers society and just needs to fill out a form to complete the application? Are your employees suspicious and sharp-eyed enough to notice that the email they received telling them to click here to claim 10,000 bonus miles doesn’t identify an airline?
US-CERT’s security tip ST04-014, mentioned earlier in this blog, includes good advice on dealing with social engineering attacks. Regular training on these points and your own security policies and procedures can go a long way toward preventing those social engineering attacks, complementing your physical and technical security.