Analytics
8/6/2010
10:30 PM
Connect Directly
RSS
E-Mail
50%
50%

Tech Insight: Building The Right Defense Against Social Engineering

Defcon capture-the-flag contest shows humans are still the enterprise's weakest link

Was your company targeted during last week's Social Engineering Capture the Flag event at the Defcon conference? If it was, would you know?

The contest caused quite a stir in several industries -- in fact, the FBI contacted the contest's organizers to discuss concerns that sensitive, personal information would be targeted.

So what's the big deal? Social engineering is certainly nothing new. However, the contest -- and the associated press coverage -- managed to raise a new level of concern. Some companies went as far as to send out information to their employees and customers warning them about the upcoming contest.

We've all used social engineering to get what we want -- even when we were children. Now we're faced by attackers who are using it against our companies to get what they want. The question so many future victims ask is what would an attacker want from them? The answer is simple: information.

Maybe your company is the direct target of an attacker, or maybe it's simply a stepping stone to a bigger fish. Either way, social engineering is the most effective tool that an attacker can use against your company. You can patch every desktop and segregate every sensitive network segment, but you can't accurately predict your employees' behavior when facing a cleverly designed attack.

The best defense against social engineering is awareness and training -- with policies to back both. You and your employees should know the most common technical forms of social engineering attacks. Phishing, instant messaging, and social networks are the three attack vectors your users face.

Those three attack vectors have two things in common: They insulate attackers from face-to-face communications, and they're extremely effective. Novice social engineers often opt for these online methods because they require less skill to perform successfully than talking to a target on the phone or walking through the front door.

Using any of these three vectors, an attacker can entice users into providing their credentials. The most common targets are the places where the credentials are collected via email or through a form on a Website. The attack site is set up to mimic a legitimate site the user would expect to see and trust.

In many cases, users are tricked into thinking there is an urgency to provide their user names and passwords. They fall for a scam that threatens to terminate their access to bank or email accounts; they're convinced to take swift steps to help a co-worker.

Sophisticated social engineering techniques, like those demonstrated in the Social Engineering CTF, require preparation to know details about the target organization and those who work there. But that's not always enough, even when combined with confidence. An understanding of human behaviors is needed, and knowing the correct gestures and language to use in specific situations is often necessary to be successful.

The most common personal attack vectors, as described by the Social Engineering Framework at Social-Engineer.org, include customer service, tech support, and delivery persons. Each of these vectors requires talking to the victims on the phone or interacting in person. This is where attacks often fail because the attacker doesn't know enough about the target -- or fails to gain the victim's confidence.

Chris Hadnagy, organizer of the Social Engineering CTF contest, said, "Every company where we were able to contact a human, [the contestants] were successful at social engineering them." Two employees at a target company did thwart one contestant's efforts because the questions sounded "fishy."

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Threat Intel Today
Threat Intel Today
The 397 respondents to our new survey buy into using intel to stay ahead of attackers: 85% say threat intelligence plays some role in their IT security strategies, and many of them subscribe to two or more third-party feeds; 10% leverage five or more.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3051
Published: 2014-10-29
The Internet Service Monitor (ISM) agent in IBM Tivoli Composite Application Manager (ITCAM) for Transactions 7.1 and 7.2 before 7.2.0.3 IF28, 7.3 before 7.3.0.1 IF30, and 7.4 before 7.4.0.0 IF18 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof s...

CVE-2014-3668
Published: 2014-10-29
Buffer overflow in the date_from_ISO8601 function in the mkgmtime implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) via (1) a crafted first argument t...

CVE-2014-3669
Published: 2014-10-29
Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function ...

CVE-2014-3670
Published: 2014-10-29
The exif_ifd_make_value function in exif.c in the EXIF extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 operates on floating-point arrays incorrectly, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly exec...

CVE-2014-3694
Published: 2014-10-29
The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and ob...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.