The focus of the IT industry over the past several years has been to lock down networks with whatever tools we have available to us. This ranges from basic things like firewalls and anti-virus software to more advanced security features like IPS, full anti-malware software, Network Threat Monitoring Services, log retention services, hardened server and workstation configurations, comprehensive patching solutions, and Next Generation Firewalls.
Well, the good news is that as an industry we've largely succeeded at that. Networks have never been more secure. Hackers have noticed and have switched their focus to something a little less protected by security technology. That would be your employees. Employees have become the soft underbelly of a company's network security. Attacks on employees are made through the use of Social Engineering.
One of the most famous and highest profile incidents of Social Engineering is when the technology reporter Mat Honan had his entire digital identity stolen from him. He was literally watching one device after another be wiped right before his eyes through Apple's well-intentioned remote wipe functions built into iCloud. There was nothing he could do at that point because hackers had complete control of his iCloud and other accounts.
The motivation for the attack was to steal his Twitter handle which is apparently desirable because it is very short (@mat). The attackers didn't hack into Twitter or even Honan's firewall to get his account. They hatched an elaborate scheme that involved calling Amazon and Apple to gather information about Mat's accounts, relaying the information that was discovered between the two vendors, eventually gathering enough information to appear to be Honan so that they could request a password reset.
Full details of the event and the techniques used can be found here:
The basic premise of the attack is something called pretexting. This is when you pose as someone else in order to acquire information you have no need to know. Often the person who uses a technique like this will pretend to be under some duress in order to make the person they're talking to think that it is dire that they provide the information, so that they ask fewer questions.
An example of this would be if someone were to call the IT department of a company saying, "Hi, I'm John Smith, I'm out on the road and I'm trying to give a sales presentation for a prospective client. This darn VPN won't connect though and I can't get my PowerPoint presentation! I think my account is locked! Can you please reset my password so I can get into my account! Why does this technology have to be so hard! I'm going to lose this sale because of this and my boss is going to have my head!"
Now this could very well be an actual sales person, but it also could be someone trying to social engineer their way into knowledge of a user's password. This type of attack obviously won't work at a small company where everyone knows each other, but it could easily occur at a larger organization. In cases like this there should be policies in place defining under what circumstances password resets can occur and how they should be completed. There should be some verification steps defined to ensure that the person calling is who they say they are.
It is also important to realize that Social Engineering attacks can occur in person, over the phone, or through email (this is in essence what Phishing is). With that in mind, here are some simple steps that can be taken to attempt to prevent social engineering attacks:
- Never provide sensitive personal or company related information to unauthorized individuals.
- If you aren't sure who someone is and they claim to be an "authorized individual", take steps to verify their identity first, such as:
  - Ask for ID if in person.
  - If on the phone, ask if you can call them back at their main company number, which you look up on the company website.
  - If via email, send them an email directly to an address you are sure is legitimate and request that they respond to it (this is to protect against a spoofed sender address).
- Always be on the lookout for fake domains. Review the domain to ensure that it fully matches what you expect, e.g. contoso.com is not the same as contoso.biz. If you receive an email requesting information from a domain that appears just a little bit off, that is likely a social engineering attempt.
- Never send sensitive information over insecure means. It should only be provided in person or via secure encrypted communication.
- Outside of sensitive information, other seemingly innocuous information, such as your schedule or what Anti-Virus software you use, may be used later to gain more sensitive information. If someone that is unknown to you starts asking for information they have no reason to know, do not provide it to them.
- Be careful about which information you post about your company on your website and other public forums. Certain types of information could be used as a seed to begin a pretexting hack against your company.
- Be sure not to leave sensitive information out at workspaces.
- Ensure that sensitive information is securely disposed of.
- Be vigilant and be aware that this type of attack exists. If something doesn't seem right, stop the interaction with the individual and bring it to a superior's or the authority's attention.
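The fake-domain check above can be automated for incoming mail. The following is an added example, not code from the original post: it pulls the real address out of a From header (ignoring the display name the user sees) and classifies the sender domain against a constructed allowlist of trusted domains, flagging the patterns the post warns about (a different TLD such as contoso.biz, the trusted name used as a subdomain of another domain, and digit-for-letter substitutions). The domain names and headers are constructed samples.

```python
from email.utils import parseaddr

# Constructed allowlist: domains this organization knows to be legitimate senders.
TRUSTED_DOMAINS = {"contoso.com"}

# Characters commonly swapped for look-alikes in fake domains (heuristic, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def skeleton(label: str) -> str:
    """Normalise a DNS label so visually similar spellings compare equal."""
    return (label.lower().translate(CONFUSABLES)
            .replace("rn", "m").replace("vv", "w").replace("-", ""))


def sender_domain(from_header: str) -> str:
    """Return the lowercase domain of the real address in a From header value.

    parseaddr ignores the display name, so a header whose display name looks
    like a trusted address still yields the domain mail actually came from.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a sender domain."""
    if not domain:
        return "unknown"
    for t in trusted:
        # Exact match, or a host under the trusted domain (mail.contoso.com).
        if domain == t or domain.endswith("." + t):
            return "trusted"
        want = skeleton(t.split(".")[0])
        # Any label resembling the trusted name is suspicious:
        # contoso.biz, c0ntoso.com, contoso.com.example.net, contoso-support.net
        if any(want in skeleton(label) for label in domain.split(".")):
            return "lookalike"
    return "unknown"


def triage(headers):
    """Classify a list of From header values; returns [(domain, verdict), ...]."""
    return [(sender_domain(h), classify_domain(sender_domain(h))) for h in headers]


# Constructed sample From headers, not real mail.
SAMPLE_FROM_HEADERS = [
    "Contoso IT <helpdesk@contoso.com>",
    "Contoso IT <helpdesk@mail.contoso.com>",
    "Contoso IT <helpdesk@contoso.biz>",
    '"helpdesk@contoso.com" <reset@contoso.com.example.net>',
    "Contoso IT <helpdesk@c0ntoso.com>",
    "Fabrikam <hello@fabrikam.example>",
]

if __name__ == "__main__":
    for domain, verdict in triage(SAMPLE_FROM_HEADERS):
        print(f"{verdict:9} {domain}")
```

A "lookalike" verdict is a prompt to verify the sender out of band (call the published company number), not proof of an attack; legitimate partners do sometimes mail from oddly named domains.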
Regular training should be conducted by IT Management to ensure that all employees within an organization are aware of social engineering and its dangers.