Social Engineering And Other Threats To Internal Security
by Ari Tammam - Promisec - Monday, 19 December 2005.
Consider the following scenario. A good-looking woman is wandering around your premises and approaches you, asking you to show her how to use some functions in Excel or another application. Do you start quizzing her on who she is and which department she comes from, or do you invite her to your PC and show her what she needs to know? Let’s say you choose the latter, and she then asks you for a drink. Would you leave her unattended at your PC, or would you get her to accompany you?

If you leave her at your PC, how long would it take her to insert a USB device and install a Trojan horse, key logger, or any other application to steal information or gain access to the rest of your corporate network? By the time you return she may have installed all sorts of surveillance applications and gained the ability to access classified information whenever she likes from her home computer. This is not such a far-fetched scenario, especially in large organizations with no real physical security beyond the reception desk. According to this year’s CSI/FBI survey on Computer Crime and Security, more than $30 million worth of damage was caused by insiders stealing proprietary information. The FBI and other security analysts still maintain that the majority of threats originate from insiders or people with insider privileges.

Kevin Mitnick explained in his testimony to a Senate panel on computer security: “When I would try to get into these systems, the first line of attack would be what I call a social engineering attack, which really means trying to manipulate somebody over the phone through deception. I was so successful in that line of attack that I rarely had to go towards a technical attack. The human side of computer security is easily exploited and constantly overlooked. Companies spend millions of dollars on firewalls, encryption and secure access devices, and it's money wasted, because none of these measures address the weakest link in the security chain.”

Consider an even simpler scenario: a promotional CD is sent to a rank-and-file employee, for example a secretary or data entry clerk. Would they think twice before running it on their PC? It may carry a hidden application that silently installs itself onto that PC and may then spread across the network, giving criminals access to your most sensitive information.

The above is based on a real incident that took place in Israel and was reported by the BBC: a Trojan horse was planted in a number of organizations by competing companies and by parent companies. In some cases an e-mail was sent to a secretary asking her to click on a few items, which released the application and installed it onto her machine. Once installed, it ran in the background for over a year before being detected. At another company a CD with the same Trojan embedded in it was sent to an employee; without a second thought, curiosity led him to run the CD to see what he had received. Unknown to him, the Trojan installed itself onto his PC, gradually found its way around the network and transmitted data regularly to its controller.

These are just a couple of examples in which company networks were easily infiltrated from within, or by insiders, and suffered major financial damage that in extreme cases has been difficult to recover from.
