Users, however, are an integral part of the business and often require more tender loving care than we give them credit for. No one will dispute that the technical work is required, but unless the organisation provides security awareness training to its users, in an effort to help protect the organisation’s information, the risks remain high. The purpose of this article is to highlight the dangers of the growing phenomenon of social engineering and to offer some practical advice for dealing with it.
In a nutshell, social engineering is a method of gaining access privileges to an organization and its assets by querying personnel over a communications medium (telephone, e-mail, chat, bulletin boards, face-to-face, etc.) from a fraudulent “privileged” position. The methodology employs a number of techniques to determine the level of security awareness that exists in the organization under review. In fact, reformed computer criminal and security consultant Kevin Mitnick popularized the term social engineering, pointing out that it is much easier to trick someone into giving you his or her password for a system than to spend time hacking in. He claims it to be the single most effective method in his arsenal.
I’ve worked on many projects over the years where we’ve attempted to gain access to a network and the data on it using social engineering techniques. One of the more common tactics used involves calling end-users and impersonating IT staff and other, usually non-existent, companies. The percentage of usernames and passwords given away by staff always astonishes me; typically we have a 75% plus success rate. This carries across private and non-private companies, medium to large organizations, and works equally well against high-end business managers who are likely to have remote access. When this is combined with scanning for publicly accessible services, it can prove a highly effective way to gain remote access to a system or network. External PPTP VPNs and SSL VPNs are prime examples of such services.