
Social Engineering Trends and Prevention

by TechDoc in Sociology, January 22, 2009

Social engineering backgrounder and how to prevent yourself from becoming the next victim. Special emphasis is placed upon the simplicity and ease with which various social engineering strategies, preventatives and countermeasures can be implemented without requiring a degree in rocket science.

This article’s aim is to provide you with a little background information about social engineering and how not to become the next in the long line of social engineering victims. Specific emphasis will be placed upon the preventative side of social engineering while at the same time maintaining a simplistic approach to implementing solutions.

The Human Factor

Always bear in mind that security does not stop or start with the technology alone. The simple reality of the world in which we live is that it is, and will be, humans who to some degree or other use, control, implement, regulate, maintain, modify, repair or add to the technology’s base functionality and capabilities.

The reasons why any given attribute is managed or manipulated in a particular way are many and varied. To complicate matters even further, many decisions concerning the approach taken in implementing a technology may not even be rationale-based.

Emotive Factors

“I want it all and I want it now” or “Oh! I just love that color”. These are but two of the many immensely powerful emotive factors that can exert great influence at decision time.

The Big Picture

The overall result, however, is that these factors will oft times lead to any specific technology being used in a multitude of ways which those who originally designed and built it could not possibly have envisioned.

Solution Usability

Right from the get go it must be said that, no matter how good a solution may be at fulfilling the needs of individuals and organizations alike, failure to address the usability factors will inevitably result in dramatically lower than expected uptake and adoption of said solution by individuals, organizations of all forms and sizes and everything in between.

The Weakest Link

We live in a world of humans using technology, and time and time again it is the human that is usually the weakest link in any technological chain or strategy. The more complex and sophisticated that chain, strategy, process or project is, the more often human actions, or lack thereof, will result in disruption to said chain and processes.

Assumption One

So it is that we can reliably assume that, in the vast majority of instances, humans will, from a security perspective, be any system or technology’s weakest link. We will therefore need to adjust our planning and procedures to reflect this.

Awareness

One key concept in not becoming the next victim of a social engineering attack is to ensure that, should you or your organization become the target of a social engineering or corporate espionage attack, you will already have implemented a number of precautionary measures so that you are not the weakest link in your organization’s security chain.

The benefit and rationale for doing this are that the social engineering attacker will have based their attack or information gathering on the assumption that you are the weakest link for them to exploit. The usual result in this case sees the would-be attacker moving on to other targets where the human element is in fact the weakest link in the security chain.

This starts simply by ensuring that the humans in your business or organization are well aware of what the social engineering attacker is after, the means by which they might attempt to gain or gather information for later use, and a host of other attacker strategies.

Exposing your users to these attacker strategies and schooling them in appropriate responses will go a long way towards foiling would-be social engineering-based attacks. In this way you can easily turn your weakest link into one of your greatest assets.

Testing and Social Engineering Preparedness

Today we have numerous tools that can assist us in preventing ourselves, our colleagues and our organization from falling victim to a social engineering attack. Not surprisingly, testing for social engineering susceptibility is now widespread throughout the business world. Here are some areas you may need to brush up on in order to become proficient in beating social engineering attacks.

Note: As already discussed, humans can be the weakest link in a security chain, yet with the proper training they can become one of the most vigilant and valuable of all social engineering countermeasures.

Inappropriate Information Requests – Not every request for information is due to someone trying to trick or confuse you into giving them information. Many social engineers today use subtle questioning techniques.

Often this will be manifested in the social engineer requesting only small pieces of what may seem to you to be irrelevant information, or information highly unlikely to be used in perpetrating harm. In addition, the social engineer may make multiple contacts with you, gleaning a little more information on each occasion. They will be able, over time, to build an incredibly detailed information base about the system(s) that are their ultimate goal.

Name Requests – Be very wary of anybody asking questions concerning the names of individuals and employees known to you and that do in fact work or subcontract for your organization.

Requests for the names of IT personnel are of particular concern, since these folk usually have the necessary permissions to do just about anything at any time. In addition, inquiries regarding the names of executives and members of the management team are also of concern, since the social engineering attacker can use these names at a later date to cloak themselves in an aura of authority and importance.

User Authentication Credentials – Although this one should need no explanation, I will state that if anybody, regardless of reason, asks you for information such as logon names and passwords, the warning bells should be ringing loud and clear. This is a very obvious red flag requiring an immediate and appropriate response.

Collateral Information Requests – The warning bells should also start ringing whenever you receive inquiries regarding information that is most definitely not within your normal operating realm. Enquiries of this nature are better directed to those members of staff whose job it is to deal with these types of issues.

Inappropriate User Information Requests – Other suspicious factors to be on the lookout for here include scenarios where people start requesting information that is not normally required by that individual. They don’t need it, nor will they ever be called upon to use said information in the course of discharging their normal activities and responsibilities.

Inappropriate Information Delivery Requests – Many social engineers will pose as legitimate employees of your own organization or that of a third party organization. They will then request information and ask that it be delivered to a particular location (physical address) or to an email address. You must therefore check to verify that the delivery particulars are in fact the appropriate bona fide details of all organizations and individuals involved in the information request.

Thus, if a caller claims to be from company ABC and requests that you send the requested information to an email address that does not in fact belong to that organization, the alarm bells should be ringing. You will need further evidence that the person making the request is in fact who they say they are and is indeed entitled to view the information they are currently requesting.

If you work for a large organization, the social engineer may use the name of a real employee whom, due to the size of your organization, you don’t recognize and in all likelihood have never met or seen. The same applies to other third party organizations with which you and/or your organization have a standing business relationship.

Policy – The particulars of information requests and email terms and conditions should be covered in both your email policy and information requests and management policies. These documents will set forth the circumstances and manner in which information disclosure processes are to take place, as well as who should be involved in the information request transaction and any specific security elements that need to be complied with.

Requester Identification – Always double-check and cross-reference to validate the authenticity of the person requesting the information. You should also ascertain whether or not the requester is in fact entitled to view this information, and to what degree of access the requester is entitled.

You must also take into consideration your own job requirements. For example, it may be totally out of the norm for anybody to request information of this type from you, since it is not a routine part of the day to day duties and responsibilities you are expected to discharge.

The New Kid on the Block – Social engineers can take advantage of instances where an organization, when employing new or additional staff, sets the new kid a number of tasks, points them to a workstation and then leaves them alone to get on with it.

The problem with this type of approach has nothing to do with the way in which these employees are being treated. The real problem here is that, with careful research and subtle questioning, a social engineer can discover whether or not any given organization does in fact employ staff under these circumstances. The social engineer will then contact other staff members whilst claiming to be (impersonating) the new kid.

This tactic works a lot better and is successful more often than you would expect. This state of affairs is due to the fact that the social engineer is exploiting the unknown. The dependency that is most relevant here is the fact that other staff members don’t really know much about these new, temporary or casual employees. Nor are they likely to be cognizant of any idiosyncrasies these may have.

From the social engineer’s perspective, the big plus in these types of scenarios is that they will be able to make multiple mistakes during their enquiries. They will not immediately set off the alarm bells, since even the organization’s more experienced employees will automatically jump to false conclusions and assume that this error-riddled request is due to the newcomer’s inexperience.

Email Spoofing – Some social engineers will masquerade as an employee, such as a help desk technician, and immediately proceed to issue emails to bona fide employees using spoofed email accounts that look very similar to the real ones used as standard practice by your organization. There will, however, be subtle differences that will give them away. The easiest of these to check is the sender’s email address.

Suppose your organization uses email accounts that adhere to an account naming convention, e.g. name@blogs.com, and the email requesting the information from you comes from an address like name@blog.com. In which case you should be hearing those alarm bells again.

It is often through subtle attack principles such as these that social engineering can deliver considerable quantities of information to the attacker including security and sensitive personally identifiable information such as user logon account name and password.
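The sender-domain check described above can be automated. The following is an added example (not code from the original article): it parses the From: header, compares the domain against the organization’s own domains, and flags near-misses such as blog.com against blogs.com using edit distance. The trusted domain list and the sample headers are constructed for illustration.

```python
# Added example (not from the article): flag a From: address whose domain is a
# near-miss of the organization's real domains, e.g. name@blog.com vs name@blogs.com.
from email.utils import parseaddr

# Constructed for illustration: the domains this hypothetical organization sends from.
TRUSTED_DOMAINS = {"blogs.com", "mail.blogs.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Domain part of a From: header such as 'Help Desk <it@blog.com>', lowercased."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2) -> str:
    """Return 'trusted', 'lookalike', 'external' or 'malformed' for a From: header."""
    domain = sender_domain(header_value)
    if not domain:
        return "malformed"
    if domain in trusted:
        return "trusted"
    # Within a couple of edits of a real domain is the subtle difference the
    # article warns about; treat it as a red flag rather than as a stranger.
    if any(edit_distance(domain, good) <= max_dist for good in trusted):
        return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for hdr in ("Help Desk <helpdesk@blogs.com>", "Help Desk <helpdesk@blog.com>",
                "Help Desk <helpdesk@bl0gs.com>", "Vendor <sales@example.net>"):
        print(f"{hdr:35} -> {classify_sender(hdr)}")
```

A "lookalike" verdict is the cue to verify the request through a known-good channel before replying, as the policy section above requires.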

In Summary

Social engineering is really the art of deception designed to fool you into supplying an attacker with various pieces of information that you would not normally disclose.

Many perpetrators of social engineering are incredibly skilled at asking questions to extract information while at the same time hiding their true motives and the outcome they want from the situation. They can be very skilled at answering any questions you may ask while divulging very little about themselves throughout the dialogue between them and you.

They are also generally very adept at crafting and transmitting emails that look so authentic that many users will not take the time to examine them closely enough to detect the small yet essential deviations contained within the email and within its networking information (destination and source addresses, for example). The result is that they are duped into divulging privileged information to non-authenticated entities.

As a rule of thumb, whenever you are being asked questions of a nature that makes you somewhat uncomfortable, you should immediately bring the call to the attention of the appropriate authority, such as security personnel, IT personnel, IT and network security personnel, your immediate superior or some other higher ranking organizational authority, management or executive.


User Comments

  1. C Jordan

    On January 22, 2009 at 12:13 pm


    A very informative article
