Social Engineering as a Hacking Technique

Objectives of this paper

  • Understand the principles of social engineering
  • Define the goals of social engineering
  • Recognize the signs of social engineering
  • Identify ways to protect yourself from social engineering

What is Social Engineering?

Political science refers to social engineering as an attempt by government or private groups to change the views and behaviour of citizens. In computer security, social engineering is the art and science of tricking people into revealing confidential information and/or performing actions that result in the hacker gathering sensitive personal or business information.

It allows an attacker to bypass technical controls by targeting the weakest element in the security chain, the human, usually through persuasion, impersonation, coercion or friendliness. This saves the hassle of breaking in or using technical cracking techniques. Why hack with time-consuming methods when you can just ask?

Goals of Social Engineering

Social engineering goals are the same as those of hacking in general. Listed below are some of those goals:

  • Hacking for profit
  • Access to corporate or personal secrets
  • To commit fraud
  • Identity theft
  • Damage corporate image
  • For fun
  • To cause harm to business or an individual
  • To cause service disruption
  • Industrial espionage
  • To access unauthorized information
  • To get a competitive edge over a competitor

Human behaviours vulnerable to attacks

In order to launch a successful attack, social engineers take advantage of common human behavioural traits such as trust, ignorance, fear, greed and moral duty.

Hackers can invest a lot of emotional energy in establishing a sense of trust with their intended victim, and this can sometimes be a long-term engagement, after which targets are asked for help and comply out of a sense of moral obligation.

When fear is being exploited, social engineers might threaten severe losses or consequences if their requests are not met. For example, a hacker might call the IT service desk pretending to be the company’s top executive who urgently requires a password reset.

Greed has also been used to lure potential victims by promising them huge returns for little or no effort. An example is a notification of winning an online lottery that one never entered.

Across reported successful social engineering attacks, ignorance about social engineering and its effects is usually the common denominator. This is why the best defence against this form of hacking is centred on user awareness.

Social engineering attacks can broadly be categorized into human-based attacks, in which sensitive information or access to protected resources is obtained through direct interaction, and computer-based attacks, in which the attack originates online.

Falling under the human-based category are personal approaches, telephone-based methods and waste management methods.

Human-based attacks

The simplest way to get information is to ask for it directly, and this forms the basis of the personal approaches method. Various ploys such as intimidation, impersonation, persuasion and ingratiation are employed to either build a relationship with the victim or trick them into complying. These methods can also be used over the telephone, which offers a unique attack vector in that the victim cannot see the attacker. IT service desks usually fall victim to this attack method because support staff are trained to help and support callers.

Waste Management Methods

Business paper waste can contain information of immediate benefit to a hacker, and it can also serve as background information for a social engineering attack because it makes the hacker look credible when launching the attack. Dumpster diving is going through the company’s garbage to find improperly disposed documents that may contain information useful to an attacker. It is very important that employees understand the value of the information they protect.

Many computer users are not aware that simply deleting data from their computers does not remove the actual data; it only deletes the index entries and pointers to that data. Improper disposal of media (hard drives, tapes etc.) that the organization deems useless also gives hackers an opportunity. Unless proper disposal methods are implemented, data remains readable on the media and can be useful to hackers.

Online Threats

The Internet enables hackers to make social engineering approaches under the relative anonymity it provides. Phishing attacks are the most common type of email-based threat. Hackers can spoof email headers to make a message appear to come from an internal source when email is being used to trick the recipient into parting with company secrets or sensitive information. Email can also be used to deliver malware through hyperlinks, which can then be used to launch further attacks or to steal confidential information from the infected host.
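As an added example (not part of the original post), a small check a mail gateway or analyst could run to spot a message whose From: claims an internal sender while the authentication headers show it arrived from outside. The domain example-corp.test, the sample headers and the simple Authentication-Results parsing are assumptions constructed for this illustration.

```python
# Added example (not from the original post): flag mail whose From: claims an
# internal sender while the authentication headers say it came from outside.
# The domain example-corp.test and the sample headers are constructed.
import email
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.test"  # assumption: the organisation's own domain


def domain_of(addr_header):
    """Lower-cased domain part of an address header ('' if absent)."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Collect spf=/dkim=/dmarc= verdicts from Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for part in hdr.split(";"):
            method, _, rest = part.strip().partition("=")
            if method in ("spf", "dkim", "dmarc") and rest:
                results[method] = rest.split()[0].lower()
    return results


def spoof_findings(raw_message):
    """Reasons a message that looks internal should be treated as suspect."""
    msg = email.message_from_string(raw_message)
    if domain_of(msg["From"]) != INTERNAL_DOMAIN:
        return []  # genuinely external senders are handled by normal filtering
    findings = []
    auth = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        verdict = auth.get(method, "missing")
        if verdict != "pass":
            findings.append(f"{method} did not pass ({verdict})")
    bounce_domain = domain_of(msg["Return-Path"])
    if bounce_domain and bounce_domain != INTERNAL_DOMAIN:
        findings.append(f"Return-Path domain {bounce_domain} is not internal")
    return findings


# Constructed sample: From: names an executive, but the bounce address and the
# SPF/DKIM verdicts show the message was injected from an outside relay.
SAMPLE = """Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example-corp.test; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "CEO" <ceo@example-corp.test>
Subject: urgent password reset
"""

for reason in spoof_findings(SAMPLE):
    print("suspicious:", reason)
```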

Personal browsing brings employees into contact with social engineers at large. The most common method involves enticing a user to click a button inside a dialog box that warns of a problem (displaying a ‘realistic’ OS or application error) or offers an additional service (a free download, improving the performance of the computer).

Instant messaging has gained widespread popularity as a personal and business communications tool, which also makes it a rich hunting ground for social engineering attacks. Familiarity relaxes the victim’s defences, which enables hackers to find a way of asking for sensitive information or of delivering malware links or actual files through instant messaging.

Defending against Social Engineering Attacks

  • Continuous user awareness: users must be able to identify social engineering attacks
  • Develop a security management framework
  • Undertake risk management assessments
  • Implement social engineering defences within your security policy

Defences by method

Personal Approaches
  • Cultivation of a no-fear culture within a business
  • Escalation of confrontational situations
  • Strict guidance on what an individual can / cannot do
  • Security screening of contract staff
  • Awareness by staff
  • Adherence to the Security Policy

Telephone-Based Threats
  • Specify in the Security Policy that the service desk is the only point to which users should report issues
  • Well-structured procedure for how to handle calls or requests for assistance or access

Waste Management Threats
  • Data classification
  • Sanitization of any electronic media before disposal
  • Invest in a shredder to dispose of classified information
  • The organization must have policies for media that will be made available to those outside the company, e.g. off-site backups or computers going for repairs

Email Threats
  • Approach with scepticism anything unexpected from online sources
  • Develop email usage guidelines that cover
    • Attachments in documents
    • Hyperlinks in documents
    • Requests for personal or company information
  • Awareness campaign
  • Technical solutions:
    • Perimeter solutions
    • Endpoint protection

Pop-Up Applications & Dialog Boxes

Instant Messaging

Conclusion

Let us conclude by mentioning Kevin David Mitnick, a computer security consultant and author. In the 1990s Mitnick was convicted of numerous hacking crimes. The most-wanted computer criminal in the United States when he was arrested in 1995, Mitnick admitted that the greatest hack was purely social engineering in nature. The best defence against social engineering is user awareness: computer users must be able to detect any form of social engineering, and firms must continually train their employees.

This guest post was written by:

Farirai Takavarasha (BSc – UZ, CISSP, CCSA, Security+, CCNA and ISCW)
and Clive Maromo (BSc – UZ, CISSP, CISM, RHCE, CCSA, CCSE and CCNA)

2 comments

  1. TK

    Good article – Knowledge is power against social engineering.

  2. Nerudo

    I am one of those Social Engineers. I also have a Neuro-Linguistic Programming Master Certificate (NLP).

    Awesome, would love to know who wrote it. I think I read it somewhere.

2023 © Techzim All rights reserved. Hosted By Cloud Unboxed