
Perimeter

6/16/2006
09:05 AM

Social Engineering Gets Smarter

Good old-fashioned schmooze still the best way to get information and access, particularly if the target works in IT

Here's a new phish: An attacker recently created a fake phishing message and, posing as a bank customer, forwarded it to the bank's security officer. When the security manager clicked the link to find the alleged phishing site, the message secretly launched malware that hijacked his workstation for a month.

That's just one of many creative methods of social engineering attackers are using these days to commandeer user accounts or steal sensitive corporate data. As enterprise defenses improve, these "social engineering" exploits are becoming more sophisticated, tricky, and selective than ever. Security experts are seeing more targeted approaches, where a would-be attacker sets his sights on a key person within an organization, or on regional organizations, whose networks are typically not as secure as those of their larger counterparts.

"If [attackers] can get 10,000 Social Security numbers and credit card numbers, it's enough to justify the attack" on a regional financial institution, says Michael Maloof, CTO for TriGeo, a security software maker.

Social engineering schemes are typically a precursor to an electronic attack, such as spamming or phishing, or even the physical theft of a laptop or USB storage device. And all of those mobile laptops, Wi-Fi networks, PDAs, and USB devices floating around out there are making it even more tempting and simple for an unsavory attacker to pick his mark.

It's all about manipulating the trust of a user: the security manager who believes the attacker is a real customer, or the receptionist who lets a "consultant" into the conference room, where he then jumps onto an open network port.

The targeted attack on the security manager is more typical of today's exploits than the traditional mass-user attack, where an attacker sends out an email blast to try to collect personal information. "This was not about a browser exploit to compromise your machine," says Todd Hooper, vice president of business development for Granite Edge Networks, who describes the attack. "The goal was to get the security officer…[the attackers] got a toehold on one of the most critical machines. That's pretty scary."

Scary indeed. There's a big black market out there for customer records, names, and addresses an attacker can pilfer. So these attackers aren't your script kiddies. Social engineers are typically profit-driven, white-collar criminals, some with ties to organized crime, who launch their schemes electronically, Hooper says.

Electronic attacks can be effective, but it's often easier to enter a business, sweet-talk the receptionist, and hop onto a network port in the conference room, experts say. Penetration testers and white-hat attackers (who usually make their attacks to test their clients' defenses) still say they rarely have trouble getting in the front door when they make a physical entry.

"We have yet to fail at a social engineering attack" for our clients, says Sean Kelly, business technology consultant for Consilium1.

Same with Secure Network Technologies, which also launches mock social engineering exploits on its clients to help them assess security. Social engineers will usually take the path of least resistance, says Steve Stasiukonis, vice president and founder of Secure Network Technologies. (See Social Engineering, the USB Way.) "Social engineering is more efficient," he says. "Why spend hours [in front of your computer] at Starbucks if you have enough nerve to come in and jack in? You don't have to pass through [the company's] IDS or IPS. If you plug into a localized jack, you just hop on their network."

Stasiukonis says he and his team once waited in the parking lot at a bank client's site, then walked in with some smokers who believed a story about how the white-hats had lost their badges. "Then we commandeered their conference room, scanned the net and became domain administrators," Stasiukonis says. "And we walked out totally undetected."

Other electronic social engineering schemes are just as effective. Consilium1's Kelly says that while working for one client, his firm sent out a spoofed email posing as the company's network administrator and asking for user passwords. Many users took the bait.

Social engineers also target helpdesks. "They get yelled at all day long, and if you're nice to them, they can be really helpful," says Doug Shields, president of Secure Network Technologies. Shields says his team has found that helpdesks don't always check who's calling them, and can be duped into giving out a "forgotten" password or other information. "These are the weak links in the armor," he says. "These folks need to be trained [on social engineering]."

Social engineering may be the most visible, or invisible, part of an attack, but it's usually less than 20 percent of the overall attack, Shields says. How can companies close this relatively small door?

There's no security tool to combat social engineering, but you can lock down user access and even run some behavioral monitoring tools, experts say. The most important defense is ongoing education and training of your employees, says Mike Carpenter, vice president of IT and security officer for National Research Corp.

"You've got to educate your entire staff, from the receptionist on up," says Carpenter, whose company measures patient healthcare experiences and trends for hospitals, healthcare systems, and insurers. "Someone shooting the breeze with you on a smoke break might have intentions other than just being friendly."

Pilfered passwords are a big problem in most organizations, especially when you can find them taped under a keyboard, as Secure Network Technologies often does when it infiltrates a client's site. A newly published survey of 200 IT professionals by security vendor Cyber-Ark Software found that 38 percent write their own administrative passwords down on paper.

NRC's Carpenter says users should lock their workstations when they leave their desks and companies should institute multi-factor authentication and strong passwords, as NRC is doing. "Over time, biometrics is going to be a must," Carpenter says. NRC is working on protecting its passwords with encryption, and is considering biometrics, he says.

"A biometrics device can be attached or integrated with hardware to eliminate the need for remembering a password," Carpenter says.

But there's also an insider threat with social engineering: the employee running a spam email service from his desk (true story), or a disgruntled employee plotting revenge. The best way to prevent an inside job is to limit your users' access to only the information or tools they need to do their jobs, Consilium1's Kelly says. "I've seen fraudulent behavior, and this is a huge concern," he says. Be sure an employee transferred to another department doesn't keep his old access privileges, he advises.

But in the end, social engineering comes down to human nature: the attacker's greed, and the victim's naiveté, or apathy. "End users are still the weakest links if they are leaving their screen unlocked when they walk away from their desks. There's no point to having a login ID or password if you leave the apps open and anyone can log on and get them, or use your email," says Consilium1's Kelly.

Security technology is useless without training, experts say. "You spent all this money on security, but you didn't tell Mary to disable the network in the conference room, and to not let people walk around the building," says Secure Network Technologies' Shields. "[Social engineering] is a big wakeup call."

Even the most security-savvy person can get duped. "It's always been easy to get inside, because a business needs a certain level of openness, and it can't be put in a prison," says Rich Mogull, research vice president of security for Gartner. Mogull admits he was once duped by a non-technical social engineering scam as a tourist in Europe. "We try to put in the best security controls to reduce risk overall."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Organizations mentioned in this article:

  • TriGeo Network Security Inc.
  • Secure Network Technologies Inc.
  • Gartner Inc.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
