Friday, December 30, 2011

Social Engineering and Countermeasures

What is Social Engineering?

By definition, social engineering is the attempt to trick or manipulate a person into disclosing confidential information to someone who is not authorized to receive it.
It is a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking people into breaching standard security procedures.
Social engineers rely on the fact that people are not aware of the value of the information they possess and are careless about protecting it.

Some major social engineering techniques include:

Pretext Calling
Pretext calling is a fraudulent means of obtaining an individual's personal information. Armed with limited information, such as a name, an address or a job title, the pretext caller may pose as a client, an employee or a service provider, depending on the situation.
During the call the pretext caller attempts to convince you to give him confidential information.
For example: a caller claiming to be from your Internet Service Provider tries to distract you by being overly friendly, in an effort to divert your attention from the fact that he is fishing for information about your job description, your work habits, what time you usually use your computer, what operating system you run, what antivirus you use, and so on.

Protection against Pretext calling:

A healthy dose of paranoia is certainly a good way to fight pretext calling: do not answer questions that expose your private information, especially to people you cannot verify. If the caller claims to represent an organization you know, hang up and call back on a number you already have for that organization, never on one the caller gives you.

Dumpster Diving
Dumpster diving simply involves searching through trash to collect sensitive information; the objective is to gather information that has been carelessly thrown away. (Sounds yucky, but believe me, it's very effective.)

Protection against dumpster diving:
  • Paper shredders: all documents that contain confidential or customer information must be shredded when no longer required.
  • Sanitization: all media (CDs, floppies, USB sticks, hard disks) that contain sensitive information should be destroyed before being thrown in the dumpster; simply deleting the files or formatting the media is not enough, since the data can usually be recovered.
Shoulder Surfing
Shoulder surfing is where someone obtains information by standing close to you, scanning the papers you left on your desk or watching your screen.

Note that "well trained people" may stand a little further away, facing your keyboard, and watch you log in to your email or even your e-banking web page.
And bye-bye, you lost your email account...
Protection against shoulder surfing:
  • Ensure that computer monitors are positioned in a way that prevents individuals from seeing confidential information.
  • When you type sensitive text such as usernames and passwords, make sure that no one is watching your keyboard, even if you consider yourself a fast typist.
  • Refrain from leaving sensitive information spread on your desk.

Baiting
Baiting is my favorite social engineering technique, because I find it very effective and interesting at the same time.
In this attack, the attacker leaves a malware-infected media device, such as a CD-ROM or USB flash drive, in a location where it is sure to be found (bathrooms, elevators, parking lots), spares no effort in giving the media a legitimate look, and simply waits for the victim to use it.

For example, an attacker might create a disk or memory stick featuring the corporate logo, readily available from the target's web site, and stick a label reading "Salary Increases 2011" on the front.
The attacker would then leave it on the floor of an elevator or somewhere in the lobby of the targeted company.
Now, who wouldn't take advantage of this opportunity and plug in the memory stick to view the salary increases file and satisfy their curiosity?
Merely inserting the media into a computer to see its contents can unknowingly install malware on it, likely giving the attacker unfettered access to the victim's PC and perhaps the targeted company's internal network.
Unless computer controls block the infection, PCs set to "auto-run" inserted media may be compromised as soon as the rogue disk is inserted. Note that disabling auto-run only narrows the attack: a user who opens a malicious document or executable found on the media achieves the same result, so the technical control must be paired with awareness.
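The "computer controls" that block auto-run are a registry policy on Windows. The script below is an added example, not part of the original post: it checks whether the Explorer AutoRun policy values are set to their hardened state and applies them if not. It assumes a Windows machine (7 or later) and an elevated PowerShell prompt; the registry path and the NoDriveTypeAutoRun / NoAutorun value names are the real Windows policy values, while the function names are this example's own.

```powershell
# Added example (not from the original post): check and harden AutoRun handling
# for inserted media on Windows via the machine-wide Explorer policy values.
# Assumptions: Windows 7 or later, run from an elevated PowerShell prompt.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Weak state: NoDriveTypeAutoRun absent, or any value short of 0xFF, leaves
# AutoRun enabled for at least one drive type (each bit disables one type;
# 0xFF disables all of them). NoAutorun = 1 additionally makes Explorer
# ignore the "open=" / "shellexecute=" commands in an autorun.inf file.
$Hardened = @{ NoDriveTypeAutoRun = 0xFF; NoAutorun = 1 }

function Test-AutoRunDisabled {
    # Returns $true only when both policy values exist with the hardened value.
    if (-not (Test-Path $PolicyKey)) { return $false }
    $current = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($name in $Hardened.Keys) {
        $value = $current.$name
        if ($null -eq $value -or $value -ne $Hardened[$name]) { return $false }
    }
    return $true
}

function Disable-AutoRun {
    # Creates the policy key if needed and writes both DWORD values,
    # overwriting any weaker value that is already present.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $Hardened.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -PropertyType DWord `
            -Value $Hardened[$name] -Force | Out-Null
    }
}

if (Test-AutoRunDisabled) {
    Write-Host "AutoRun is already disabled for all drive types."
} else {
    Write-Host "AutoRun is not fully disabled; applying hardened policy values..."
    Disable-AutoRun
    if (Test-AutoRunDisabled) {
        Write-Host "Done. Sign out or restart Explorer for the policy to take effect."
    } else {
        Write-Warning "Could not verify the policy values; make sure the prompt is elevated."
    }
}
```

In a domain the same two values are normally pushed by Group Policy ("Turn off AutoPlay" and "Set the default behavior for AutoRun" under Computer Configuration, Administrative Templates, Windows Components, AutoPlay Policies); the script is useful for auditing standalone machines or confirming that the policy actually landed.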

"Quid pro quo" or "Something for Something"
An attacker calls random numbers at a company claiming to be calling back from technical support. Eventually they will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will "help" solve the problem and, in the process, have the user type commands that give the attacker access or launch malware.

In the end, humans have proven to be the weakest link when it comes to information security. But with proper awareness and proper diligence, staying safe is not that hard to achieve.

1 comment:

  1. Thanks for pointing out these infiltration methods for us.. I especially like the 4th technique, Ingenious...!!
    Keep up the good work.. Best of luck to you and HNY...!!!