As technology advances to provide a secure barrier between your network and the outside world, malicious people are devising ways to infiltrate your fortress. Often their methods are time tested techniques to manipulate people by appealing to their human natures. These techniques are collectively known as social engineering.
The ability to manipulate others is both a natural personality trait as well as a learnable skill. Many network attackers are taking up this ancient practice to bypass the technically advanced barriers you've erected over all electronic entry points to your network.
So what do social engineering attackers do? Well, basically they exploit common characteristics of people, such as trusting others, being a little lazy, overlooking small discrepancies, assuming someone knows more than they actually do, being willing to help others and the fear of getting in trouble. With just a small amount of truth or facts, an intelligent person can often extract more information from you or get you to perform an activity you shouldn't.
Kevin Mitnick, one of the most publicized computer crackers, admits that most of this break-ins to various commercial and government computer networks, as well as the phone system started with social engineering. He often gained the trust of an employee by claiming to be someone else and providing a small piece of information, then using that trust to get the unsuspecting employee to give him more information or perform a task to grant Kevin easy access.
The only protection against social-engineering attacks is to educate and train your employees. Here are several important points to address or manage when assembling a barrier to social engineering attacks:
- If anything sounds out of place or strange, err to the side of caution.
- Always demand proof of identity over the phone and in person. Verify the ID by calling the proper authority or issuing company.
- Define values for types of information, such as social security numbers, phone numbers, dial-in accounts, user names, passwords, network addresses, etc. The greater the value, the higher the security around those items should be maintained.
- If someone requests privileged information, find out why they want it and whether they are authorized to obtain it.
- Dispose of sensitive documents securely, such as shredding or incinerating. Dumpster diving often provides social-engineering attackers with the kernels of information they need to wedge their way in.
- Never give out or change passwords over the phone.
This was first published in March 2002