23 Oct 2012
A man calls the receptionist at a competitors company and asks for the name of the Sales Manager. The receptionist says the person you are looking for is Bob Jones. Later, the man calls back to the same company and says he needs to speak with the IT helpdesk. When the helpdesk operator answers the man says “Hi, my name is Bob Jones and I seem to have forgotten my new password. I am on my way to an important meeting can you reset it right away?” In an effort to help the user regain access to the system, the helpdesk operator resets the password and tells the man the new password. The man then accesses the employee area of the corporate website and logs onto the email system of Bob Jones and subsequently reviews all of Mr. Jones’s contact information and correspondence. The above scenario is not over-simplified and is being played out in corporations worldwide every day. The names, pitch, and access methods vary, but the underlying attack method is the same. If you ask, it is quite possible you will receive. It is the overlooked security threat called Social Engineering. At BAI Security we regularly perform Social Engineering audits and we consistently find companies that are vulnerable. Social Engineering is a way of hacking corporate users instead of corporate networks and it is not uncommon or even difficult. In fact, it doesn’t really require any technical knowledge or elaborate planning as demonstrated in the above scenario. Not all hackers are sitting at home with his/her computer hacking into the corporate network or trying to crack executives’ passwords. Sometimes all they have to do is call up and ask for it! While the number of networks being hacked is on the rise, the overall growth is not limited to the lack of security devices or personnel protecting the network. Social Engineering is also becoming a high-growth area, because it is not limited to only those technical savvy computer engineers. The Who, What, Why, and How The growth and use of email in the corporate world has sky-rocketed. This increased usage has made the email system a new holding place for a myriad of proprietary or otherwise confidential information. In addition, the need to access that information has driven companies to provide external access to their email systems as a normal part of doing business. This makes the email system a desirable target for Social Engineering attacks. Some of the most common Social Engineering attacks against email systems involve very similar methods mentioned above. The corporate Extranet is also a target to would-be hackers, because of the wealth of information on company employees, events, and policies. The very policies that are put into place to help protect a company’s assets are often used against it. The outsider can follow the policy manual as a roadmap on how internal employees are suppose to act in regards to certain security procedures. References to corporate policies and procedures are further used to gain the trust of unsuspecting internal employees to launch more sophisticated Social Engineering attacks. The single sign-on for user authentication is increasing in popularity because of the myriad of multiple logons and passwords. However, the risk associated with a single sign-on, without additional methods of verification, is proven out by the following scenario. An individual that uses the above or similar Social Engineering attack and gains the user name and password of an internal employee now has access to all of the externally accessible systems as the original user. Actually, the risk is often much greater, because in many environments Virtual Private Networks (VPNs) are used to gain direct access into the internal network. Since VPNs do not always properly restrict users to particular systems, the same user name and password could be used to gain full access to the internal network itself. This would then allow a hacker the ability to launch more sophisticated attacks against other key systems than the original user may not have even had access too directly. Testing IT Systems associated with your information security program with annual audits has become a standard. A Social Engineering test within the audit process will identify the risks associated with internal employees surrendering ultra-sensitive information directly to outsiders. Even with a high-level overview as discussed here, the risks associated with Social Engineering are clear. It is vitally important for those responsible for information security to identify the risks within your environment by including Social Engineering as part of any ongoing auditing program.