Social engineering is the practice of gaining the trust of unsuspecting people and, through them, being granted unauthorised access to systems in order to obtain intellectual property, commit fraud and/or industrial espionage, or simply steal people's identities (identity theft). Social engineering attacks rely heavily on human interaction and on manipulating people who find it hard to say no.
One of the most famous social engineers around today is Kevin Mitnick, the well-known hacker who misled people in order to obtain the information he was after. On a side note, I highly recommend reading his book, The Art of Deception: Controlling the Human Element of Security, which details the nature of social engineering.
To be successful, the social engineer needs to perform a number of steps. These are as follows:
[h2]Phase one – Information gathering[/h2]
Social engineering attacks aren't quick; it takes hours, days, even weeks of planning to build the perfect cover story and to learn everything possible about the "target" so that the attacker doesn't get caught out. With the advent of the Internet and mapping technology such as Google Maps and Bing Maps, it has become very easy to learn the layout of a company's premises.
Google's Street View allows the social engineer, to some extent, to work out how many entrances and exits there are and where the external security cameras are placed, which in turn lets them estimate the cameras' coverage so that they are not noticed by the security guards.
Other methods of obtaining information include making telephone calls to the target company and asking questions to find out more about the whereabouts of the person(s) or object(s) of interest. A typical point of interest is when the reception is at its quietest, so that the social engineer can walk straight in.
Old-school tactics such as dumpster diving (which Kevin Mitnick used a lot) can retrieve a lot of useful information; the number of times confidential information isn't shredded is astounding. The same goes for recycled computers: a lot of companies still don't securely erase their contents, allowing anyone to view the information held on their drives.
It sounds like something from a spy film, but it is nonetheless still done: social engineers will wait outside the company, potentially for hours, and photograph people in order to capture their ID badges, then produce copies in the hope of blending in with other members of staff.
[h2]Phase two – Physical breach[/h2]
Once the social engineer has obtained all the information necessary and feels comfortable moving on to the next stage, the physical breach, they will try to gain access to the object or person of interest. This is most likely to be the server room or whichever room the IT department resides in.
This can be done in a number of ways. The first is often the simplest: walk into the building with a group of other people, making everyone believe you belong there. Social engineers can make this more believable by using name badges that have been copied and look convincing from a distance.
Tailgating, the practice of following someone else in through a locked door, is an easy way to gain access: if the attacker is close enough to the person in front, human nature ensures that person will hold the door open. Employees need to be made aware that they should close the door straight after themselves and let the member of staff behind them swipe in.
Once inside, the social engineer will make their way to the area of interest. More than likely they will attempt to compromise a part of the network that grants them access to everything, such as the server room or a computer in the IT department.
Some social engineers will plant external access points (usually wireless in nature) so that they can still reach the network after they leave the building, allowing them to do what they will at their own pace.
[h2]How to prevent social engineering?[/h2]
Unfortunately there's no complete solution to preventing social engineering attacks; it relies solely on the person being approached at the time. It's our nature to help people in need without asking many questions.
However, education is key: ensure that members of staff are educated about the possibility of social engineering and made aware of the things to look out for.
People who sit at the front of the building (reception/security) need to be made aware of the tactics used by social engineers. Staff need to be prepared to confront tailgaters and people who are unknown or not wearing name badges (where used).
Staff should ensure that their computers are locked whenever they leave their desks and that all laptops are protected with full disk encryption.