Monday morning, 6 a.m.; the electric rooster is telling you it's time to start a new work week. A shower, some coffee, and you're in the car and off. On the way to work you're thinking of all you need to accomplish this week. Then, on top of that, there's the recent merger between your company and a competitor. One of your associates told you that you had better be on your toes because rumors of layoffs are floating around.

You arrive at the office and stop by the restroom to make sure you look your best. You straighten your tie and turn to head to your cube when you notice, sitting on the back of the sink, a CD-ROM. Someone must have left this behind by accident. You pick it up and notice there is a label on it. The label reads "2005 Financials & Layoff's". You get a sinking feeling in your stomach and hurry to your desk. It looks like your associate has good reason for concern, and you're about to find out for yourself.
And The "Social Engineering" Game Is In Play: People Are The Easiest Target
You make it to your desk and insert the CD-ROM. You find several files on the CD, including a spreadsheet, which you quickly open. The spreadsheet contains a list of employee names, start dates, salaries, and a note field that says "Release" or "Retain". You quickly search for your name but cannot find it. In fact, many of the names don't seem familiar. Why would they? This is a pretty large company; you don't know everyone.

Since your name is not on the list you feel a bit of relief. It's time to turn this over to your boss. Your boss thanks you and you head back to your desk. You have just become a victim of social engineering.
When Did I Become a Victim of Social Engineering?
OK, let's take a step back in time. The CD you found in the restroom was not left there by accident. It was strategically placed there by me, or one of my employees. You see, my firm has been hired to perform a Network Security Assessment on your company. In reality, we've been contracted to hack into your company from the Internet and have been authorized to utilize social engineering techniques.
The spreadsheet you opened was not the only thing executing on your computer. The moment you opened that file, you caused a script to execute which installed a few files on your computer. Those files were designed to call home and make a connection to one of our servers on the Internet. Once the connection was made, the software on our servers responded by pushing (or downloading) several software tools to your computer, tools designed to give us complete control of your computer. Now we have a platform, inside your company's network, from which we can continue to hack the network. And we can do it from inside without even being there.
This is what we call a 180-degree attack, meaning we did not have to defeat the security measures of your company's firewall from the Internet. You took care of that for us. Many organizations give their employees unfettered access to the Internet (or impose only limited control over it). Given this fact, we devised a method for attacking the network from within with the explicit purpose of gaining control of a computer on the private network. All we had to do was get someone inside to do it for us: social engineering!
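The chain just described (a document opened from a found CD spawns a script, the script calls home, the outbound connection is what the firewall lets through) is exactly the pattern a defender can look for in endpoint telemetry. The following is an added example, not code from the article or its author: a small correlation rule that flags an office application spawning a script interpreter which then connects to a non-internal address within a few minutes, and raises the severity when the document path sits on a removable drive. The event layout, process names, paths, drive letters and addresses are constructed for illustration; the field names would need to be mapped onto whatever EDR or Sysmon export you actually have.

```python
"""Added example, not code from the original article.

Correlation rule for the article's scenario: a document opened from removable
media spawns a script interpreter, which then opens an outbound connection to
the Internet. All telemetry below is constructed; adapt to your own endpoint
telemetry (EDR, Sysmon, auditd) by mapping the field names.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Document handlers that should rarely spawn an interpreter (assumed set).
OFFICE_APPS = {"excel.exe", "winword.exe", "soffice.bin"}
# A child like this under an office app means "a script ran when the file opened".
INTERPRETERS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
# Address space treated as internal; anything else counts as "calling home".
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Drive letters mapped to optical/removable media in this constructed environment.
REMOVABLE_DRIVES = ("D:\\", "E:\\")
# How long after the interpreter starts a connection is still tied to the document.
WINDOW = timedelta(minutes=5)


@dataclass
class Event:
    ts: datetime
    kind: str                         # "process" (creation) or "network" (outbound connect)
    pid: int
    image: str                        # image file name, lowercase
    parent_pid: Optional[int] = None
    parent_image: Optional[str] = None
    cmdline: str = ""
    dest_ip: Optional[str] = None


def is_internal(ip: str) -> bool:
    """True for RFC 1918 space; the rule only cares about egress to the Internet."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def opened_from_removable_media(cmdline: str) -> bool:
    """Heuristic: the document path on the command line is on a removable drive."""
    upper = cmdline.upper()
    return any(drive in upper for drive in REMOVABLE_DRIVES)


def find_suspicious_chains(events: List[Event]) -> List[dict]:
    """One finding per office-app -> interpreter -> external-connection chain."""
    office: Dict[int, Event] = {}    # pid -> office application process event
    spawned: Dict[int, Event] = {}   # pid -> interpreter spawned by an office app
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "process":
            if ev.image in OFFICE_APPS:
                office[ev.pid] = ev
            elif ev.image in INTERPRETERS and ev.parent_pid in office:
                spawned[ev.pid] = ev
        elif ev.kind == "network" and ev.pid in spawned and ev.dest_ip:
            child = spawned[ev.pid]
            if is_internal(ev.dest_ip) or ev.ts - child.ts > WINDOW:
                continue
            doc = office[child.parent_pid]
            removable = opened_from_removable_media(doc.cmdline)
            findings.append({
                "document_cmdline": doc.cmdline,
                "parent": doc.image,
                "child": child.image,
                "child_pid": child.pid,
                "dest_ip": ev.dest_ip,
                "from_removable_media": removable,
                # A script that ran from a found CD and beaconed out is the article's scenario.
                "severity": "high" if removable else "medium",
            })
    return findings


T0 = datetime(2005, 3, 7, 8, 1, 0)  # constructed timestamps
SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    # The "found CD": a spreadsheet on the optical drive spawns a script that calls home.
    Event(T0, "process", 4100, "excel.exe", 1200, "explorer.exe",
          'EXCEL.EXE "D:\\2005 Financials.xls"'),
    Event(T0 + timedelta(seconds=7), "process", 4188, "wscript.exe", 4100, "excel.exe",
          "wscript.exe C:\\Temp\\install.vbs"),
    Event(T0 + timedelta(seconds=20), "network", 4188, "wscript.exe", dest_ip="203.0.113.10"),
    # Benign: a spreadsheet on the local disk talking to an internal file server.
    Event(T0 + timedelta(minutes=4), "process", 5000, "excel.exe", 1200, "explorer.exe",
          'EXCEL.EXE "C:\\Reports\\budget.xls"'),
    Event(T0 + timedelta(minutes=4, seconds=2), "network", 5000, "excel.exe", dest_ip="10.1.2.3"),
    # Benign: an administrator's shell launched from the desktop, not from a document.
    Event(T0 + timedelta(minutes=6), "process", 5200, "powershell.exe", 1200, "explorer.exe",
          "powershell.exe"),
    Event(T0 + timedelta(minutes=6, seconds=5), "network", 5200, "powershell.exe",
          dest_ip="198.51.100.7"),
]

if __name__ == "__main__":
    for finding in find_suspicious_chains(SAMPLE_EVENTS):
        print(finding)
```

Run as written, only the first chain is reported: the interpreter was spawned by the spreadsheet application and connected out to a non-internal address within the window, and because the document path is on the optical drive the finding is marked high severity. The two benign sequences are ignored, one because its connection stays internal and the other because the interpreter's parent is the desktop shell, not a document handler. The parent-child relationship is what makes the rule useful: a script interpreter running on a workstation is normal, a script interpreter launched by a spreadsheet and then talking to the Internet is not.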
What would you have done if you found a CD with this type of information on it?
What Does It Mean to Be "Human"?
As human beings we are pretty bad at evaluating risk. Self-preservation, whether from physical danger or any other event that could cause harm, like the loss of a job or income, is a pretty strong human trait. The odd thing is, we tend to worry about things that are not likely to happen. Many people think nothing of climbing a 12-foot ladder to replace an old ceiling fan (sometimes doing so with the electricity still on), but fear getting on a plane. You have a better chance of severely injuring yourself climbing a ladder than you do taking a plane ride.
This knowledge gives the social engineer the tools needed to entice another person to take a certain course of action. Because of human weaknesses, our inability to properly assess certain risks, and our need to believe most people are good, we are an easy target.
In fact, chances are you have been a victim of social engineering many times during the course of your life. For instance, it is my opinion that peer pressure is a form of social engineering. Some of the best salespeople I've known are very effective social engineers. Direct marketing can be considered a form of social engineering. How many times have you purchased something only to find out you really did not need it? Why did you purchase it? Because you were led to believe you must.
Conclusion
Defining The Term "Social Engineering":
In the world of computers and technology, social engineering is a technique used to obtain, or attempt to obtain, secure information by tricking an individual into revealing the information. Social engineering is normally quite successful because most targets (or victims) want to trust people and provide as much help as possible. Victims of social engineering typically have no idea they have been conned out of useful information or have been tricked into performing a particular task.
The main thing to remember is to rely on common sense. If someone calls you asking for your login and password information and states they are from the technical department, do not give them the information, even if the number on your phone display seems to be from within your company. I can't tell you how many times we have successfully used that technique. A good way of reducing your risk of becoming a victim of social engineering is to ask questions. Most hackers don't have time for this and will not consider someone who asks questions an easy target.