Protecting yourself from Social Engineering Attacks
Due to technical advances in today's society, traditional boundaries, borders and personal privacy have been redefined. This has resulted in a new freedom of expression for many people throughout the globe, providing advances such as the availability of educational resources and the collaboration of great minds in every discipline regardless of their physical location or language. This worldwide connectivity has effectively collapsed a once-expansive world into a small, tightly-packaged virtual neighborhood.
As is the case in any community, there are different areas in this virtual neighborhood that cater to different types of people. Some of these areas are respectable while others are filthy and debased. Using the Internet and the services it provides puts us in immediate contact with all of these social elements: from teachers, doctors and scientists to pedophiles, killers and terrorists. This article will reinforce this consciousness, discuss ways that social engineers use information located on the Internet and strategies we can adopt to protect ourselves from these attacks.
Two year's worth of NIST-aligned training
Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.
When writing this article, I decided to check the dictionary to see how it defined "social engineering" and I found it interesting that it's listed as: "management of human beings in accordance with their place and function in society." This is precisely what a social engineer does – manage people or situations to a predetermined outcome. The word management in turn is defined as: "the conducting […] of something."
This was also interesting because conducting can be likened to "steering" or "controlling" and most of us reject being "controlled" when we're conscious of what's happening. This is seen when people try to force others into a course of action against their will – a conflict or war usually ensues. To avoid this conflict, the "controller"must convince their victim that they are "voluntarily" agreeing to or are "in control" of their conduct in a given situation. This begs the question…
How can a Social Engineer achieve this goal of "steering" or "controlling" their victims?
This is accomplished by making the victim accept the Social Engineer's version of reality.The Social Engineer accomplishes this goal by making use of information and a confident attitude. Projecting a confident attitude combined with the right information are invaluable tools that can be used to convince the victim that a situation is normal and should be accepted.
To illustrate, consider the following example… Some time ago I was conducting a social engineering assessment for a financial organization. Part of this assessment involved "dumpster diving", where I had to physically go through the garbage dumpsters looking for sensitive information. On this occasion, I was able to locate printed company email exchanges between one of the organization's representatives and one of their clients. There was enough information in these emails to provide me with a background of the client, their type of work, business travel habits and the relationship they had with the organization. I was also able to gather the name and title of the business rep responsible for their account. Armed with this information, I entered the organization's office asking for that business rep - by name.
I confidently introduced myself as an associate of the client organization and explained that I had been sent to discuss certain financial details of this client's account. When asked why I had been sent in instead of the client they were accustomed to, I was able to provide a plausible answer based on the client's background and travel informationI had learned about in the emails. This specific and detailed information combined with a confident attitude convinced this business rep that the reality I was presenting to him was – normal. This led him to lower his defenses and start to treat me as a trusted person. He invited me into his office, offered me a seat and began to take out documents pertaining to the client in question. Before he divulged anything about the client – I informed him that I was a security consultant engaged by his organization to conduct a Social Engineering assessment. As you can imagine, his initial reaction was not a pleasant one but he later accepted the lesson learned and thanked me for the work I was doing. That representative assured me that from that point on, he would be making use of the office's shredder bins and checking face value details more thoroughly. This turned out well, but most cases don't have a happy ending.
This case highlights the Social Engineer's need to keep his victims ignorant of his true motives and strategy to achieve the desired result. This is such an effective technique, partly due to our natural human tendency to avoid being different, as well as social stereotypes which mold us into trusting others that seem to fit a particular description. With this in mind, one of the first steps in mitigating these types of attacks is to understand the threat and be aware of the tactics that are employed.
SECURITY AWARENESS
Clearly understanding what criminals are after and how they may go about gaining this information is very important. Take the time to understand what your company considers "sensitive" and "public" information. Then think about your specific job function and identify ways in which you may come into contact with this type of information. This will help you to see where more security in your work habits may be required and where you can relax a bit.
The next step in becoming security conscious individuals is to rid our minds of all the "accepted standards." We need to be free of any reluctance to ask questions and challenge "face value" explanations regardless of whom or which entity is providing them. Many people are very fearful of the prospect of being labeled "stupid" by asking a supposedly "foolish question." This fear forces people to suppress their personal doubts and accept what seems to be normal to the majority.
In many cases involving security, it's the small details that prevent a crime or alert law enforcement to a larger situation. This is one of the reasons crime scenes are protected immediately after a crime – law enforcement realizes that small details such as a partial thumbprint or a piece of cotton fiber may be the key to unlocking the next clue.
So what's the practical application of this information? When confronted by an individual asking for information, do not be afraid to confidently stand your ground by asking questions and thoroughly understanding what they need and why. Verify credentials to ensure that individuals are actually part of certain organizations before granting them access to sensitive areas or information. If the person becomes adamant or makes a scene – remember that this is often a ploy used by social engineers to intimidate and make the victim feel as if they are being foolish or unreasonable.
So what happens if the person who got angry actually turns out to be the CEO or some hotshot client – then what?
UNDERSTAND AND COMPLY WITH YOUR CORPORATE POLICIES
Before we start thinking "pink slips" and unemployment lines, one avenue of defense is to thoroughly understand and comply with your corporate policy. Obviously having good manners, a professional demeanor and tactful responses are invaluable when dealing with an angry individual. In many cases this approach alone will disarm a situation as you continue with your necessary verification of credentials.
In the off chance that your charm and good looks don't work, then having a clear understanding of your corporate policies will not only help you maintain your personal confidence in the situation but also help you defend your actions to upper management and if necessary to HR. The corporate policies should clearly outline the security goals of the enterprise as well as delineate company sanctioned actions to ensure that security on every level of the business.
If you don't have a copy of the employee handbook or are having difficulty locating the company security policy then make a point of obtaining copies of each and keeping them nearby. Understand who in the company is responsible for information security and physical security then become acquainted with these individuals.
In many cases there are only three to four sections that may pertain to your corporate responsibility. If you're a system administrator then perhaps the sections you should focus on are similar to:
-
Ethical Responsibilities of Employees
-
Data Security and company responsibility to protect client data
-
Acceptable use of corporate assets like Internet access, Email and computing systems
-
Access Control and proper procedures to grant access to employees
In previous places of employment I've personally made it a habit to read and even highlight areas of the policy that pertained to my job responsibility. When faced with pressure to compromise, quoting or focusing attention to the corporate policy can also assist greatly when trying to uphold security measures. This tactic takes attention off of you and assists you by helping you remember that your actions are not only sanctioned by the company but that you are also held accountable for any negligence.
By clearly understanding your corporate security policies you won't have to be familiar with every single social engineering tactic out there, you'll just know what your company allows and disallows. This understanding will help you weed out suspect suggestions or demands.
Another area in which it is highly important to generate a heightened awareness of security to avoid these attacks is when…
PROTECTING YOUR DIGITAL IDENTITY
As mentioned previously, the Internet can be likened to one huge neighborhood, so it's very important to keep this in mind and constantly ask yourself before posting…
-
Would I feel comfortable if my intimate thoughts were posted on a billboard in Times Square?
-
Would I hand out pictures of the inside of my home to a thief?
-
Would I give pictures of my small children to a pedophile?
Every time something is posted on the Internet, it is now available to everyone equipped with an Internet connection from loving grannies to hardened killers. Aside from this, everything you post online starts to identify you IN DETAIL. Information pertaining to your past vacations, past and current employment, professional title, significant others and the list goes on and on. In the case of certain tech blogs, some have even posted detailed information about their company network in an effort to search for assistance!
All of this information paints a very accurate picture of WHO YOU ARE. Equipped with this information, a Social Engineer can craft a very specific and personal attack tailored just for you. In view of this, take the time to exercise good judgement before posting information on the Internet and be sure to protect your personal information from prying eyes.
PERFORM PERIODIC ASSESSMENTS OF YOUR ONLINE PERSONALITY
Run an online search for yourself. See what the world knows about YOU. Use a search engine like Yahoo or Google and type your name in brackets like this: "John Doe". This will instruct your search engine to look for any occurrence of "John Doe"in that specific order and spelling online. Try different
variations of this search by including your city of residence or your occupation along with your name. Try a search similar to this: "John Doe" and "City of Residence" and "Type of Employment".
(Here is a link to an article that will explain how to use different symbols to make your search more accurate: http://www.googleguide.com/crafting_queries.html)
Running this kind of search can allow you to get an idea of the type of information floating around the Internet about YOU. You may be very surprised at what you find!
CREATE A PERSONAL RATING SYSTEM FOR YOUR INFORMATION
Before you post ask yourself questions like:
-
Would I feel comfortable if this information was seen by my children, my spouse, neighbors, co-workers, a potential employer, my clients or a criminal?
-
What does it say about me as a person or about my character?
-
Does this violate any of my current employment agreements?
Rating your posts in this way before you blast all your personal information to the world will help you to be very selective about the type of information you post. This manner of thinking will help you by limiting the availability of information that can be used against you enabling you to protect yourself against Social Engineering attacks!
References:
Definition of Social Engineering - http://www.merriam-webster.com/dictionary/social%20engineering
Definition of Management - http://www.merriam-webster.com/dictionary/management
Phishing simulations & training
Google Guide Making Searching even easier - http://www.googleguide.com/crafting_queries.html