Lohman: You don’t seem like a bad guy.The conversation captures a fundamental truth of all con games, whether they are played in the digital world or the physical one – getting someone to lower their guard with a clever ruse makes the life of a thief that much easier. In the vernacular of hackers, this is called social engineering.
Cage: That’s what makes me good at it.
Social engineering is about hacking the human mind, something that in many ways is significantly easier than finding a new software vulnerability and using it as a gateway into your enterprise. These vulnerabilities, called zero-days, can cost tens of thousands of dollars in the hacker underground – money that can be saved if someone can be conned into installing a computer virus on their own machine. After all, there is no need to go through the effort of picking a lock when you can talk someone into letting you into their home.
But just what makes for a good social engineering attack? The key is the lure, which can vary from an attention-grabbing post on Facebook about a celebrity to e-mails with subject lines about your company’s business. One of the most publicized attacks of the past year was the attack on RSA, which started with an employee opening up an email entitled: ‘2011 Recruitment Plan.’ When the employee opened the accompanying attachment, the person set off a series of events that led to data being compromised. While hacking a system requires knowledge of programming vulnerabilities, hacking the human mind requires a different kind of knowledge – specifically, what types of e-mails or links is the victim most likely to click on.
One way to get a hold of that information is to target people according to their jobs and interests – and there is perhaps no greater source of data on those subjects than social networks. A cruise through a LinkedIn profile can reveal a person’s work history and position; a gander at Facebook accounts can uncover their friends and hobbies. While social networks have done a lot in the past few years to bolster their privacy controls, many users may not use them or may inadvertently render them ineffective by ‘friending’ someone they do not really know. Research has shown the average fake profile on Facebook has an average of 726 ‘friends’ – more than five times as many as a typical user of the site.
Hacking the human mind also takes other forms as well. For example, search engine optimization is a favorite technique of hackers. The idea behind SEO is to increase the ranking of your website on search engines such as Google. In the right hands, this is perfectly legitimate; in the wrong ones, it increases the likelihood people will land on a malicious site. There are also techniques that are far less technical, such as an old-fashioned telephone conversation that gets someone to let their guard down.
Just recently, Check Point sponsored a study by Dimensional Research that revealed that 43 percent of the 853 IT professionals around the globe surveyed said they had been targeted by social engineering schemes. The survey also found that new employees are the most susceptible to attacks, with 60 percent citing recent hires as being at “high risk” for social engineering. Unfortunately, training does not seem to be keeping up with the threats, as just 26 percent of respondents do ongoing training and 34 percent said they make no attempts to educate employees at all. The good news is the tides are changing and more businesses are raising awareness about security threats – and what social engineering techniques employees may be susceptible to.
Education is a key element of defending against attacks, but the process begins with having sound policies for protecting data. This includes controlling who has access to what information, and setting policies that are enforceable and conducive to business operations. From there, employees should be educated on what the policies are and then tested on them. Key to this is sharing information about attacks that are detected so employees can better understand how they are being targeted. Ofte a good dose of caution can go a long way – if an unexpected e-mail arrives asking for private information, follow up with the purported sender to make sure it is legitimate.
Buttressing all this should be networks and endpoints protected by best practices and the latest security fixes, but at its heart, fighting hacks against the human mind requires attitudinal changes more than technological weapons. If there is antivirus for the human mind, it has to be updated with knowledge of corporate policies and an understanding of how attackers are targeting their victims. Incorporating that information into a training program can be the difference between a data breach and a quiet night at the office.
Social engineering in the computer security sense of the term collectively refers to any of the methods used to gain desired information such as passwords or credit card numbers (or in my case, files on a network) via the exploitation of certain attributes of human decision-making known as cognitive biases, often referred to as “bugs in the human hardware”. “Social engineering is the application of the scientific method for social concern.” (Wikipedia) In layman’s terms, psychologically manipulating people to get what you want.
There are 4 main types of Social Engineering.
Pretexting is by far the most common method of social engineering. it involves inventing an elaborate story, often concealing ones identity in order to gain information from a target who otherwise would not release it. Law Enforcement agencies often use this method. In May of 1956, under the direction of John Edgar Hoover The Federal Bureau of Investigation produced a classified document intended to teach successful methods of social engineering to FBI Special Agents. In 2008 the document was released under the Freedom of Information act, though large sections have been whited out. the original document is now available to the public at Governmentattic.org.
Diversion theft - The process of persuading the person responsible for the delivery of desired goods that the delivery was requested elsewhere. The attackers then intercept the package.
Reverse Social Engineering - An attacker hacks a network leaving malware, while subtly leaving messages convincing the target that he is the one to contact for help. When the target calls, he fixes the problem, while in the process, gaining the desired information (passwords, log in info).
Phishing - Similar to pretexting, only it is done over the phone or via internet, and targets large groups of people. An attacker may send emails to a group of targets claiming to be their ISP/bank/doctor requesting sensitive information.
Though the term is most commonly used in computer security, social engineering goes way beyond hackers and computers. In fact, social engineering predates computers entirely. The term “sociale ingenieurs” was first used in an 1894 in an essay by J.C. Van Marken, a Dutch industrialist. His idea of social engineering was basically that employers needed a psychologist on site to keep the human side of things running smoothly just as a typical engineer would prevent problems in machinery and oversee other aspects of production.
Social Engineers these days use their persuasive skills to gain anything from free pizza, to scoring with the opposite sex.
No comments:
Post a Comment
Don't Troll, if you can't add anything helpful, don't post.