Adeptus-Mechanicus

Main
Codex
Librarium Whitehat
Advisories
Blog Pics
"Inveniam viam aut faciam" : I will either find a way, or I shall make one


HACKING WETWARE - SOCIAL ENGINEERING

All computer systems are made up of three essential systems which are all co-dependent. These three are:
Wetware is the weakest link in this setup. These days you need at least some technical expertise to perform an attack on the hardware or the software systems. Hacking people -or conning them- is a lot easier. You ask any IT person who has been around the block once or twice; "What is the easiest way to get someone's password?", and I am certain they will answer something along the lines of  "Ask them for it".  And you know what? It works! This is called "Social Engineering" which can be nicely defined as manipulating people to gain information or access you should not have. The weakest link in any setup is always the people using it or looking after it. So lets look at this problem in more detail.

Why is there a problem?
Attackers can perform these types of attacks over the phone, with email or direct contact. Basically anyway that they can "access" the people using the system. But how do they use that access? thats the catch...
They won't catch my staff...
Social engineering can include a person trying to go in "cold", in other words, without knowing anything about your company and it's people. Sometimes they may even succeed, but generally they do a bit of research in order to make their "attacks" more realistic, more tailored. How do they do this? Quite easily as it turns out...
But so what?
The scope for social engineering attacks is limited only by the attackers imagination and the gullibility of people, this means that it is a very diverse field and the attacks can have different "payloads". They are also a class of attacks which are difficult to fully list, but lets take look at some of the more common types of these attacks...
It cannot get worse..
Yes it can. A lot worse. Remember that the information gained from social engineering attacks may not of itself mean a compromise, but it can be easily used to make a normal cyberattack more successful. For example, if you have a list of names, it makes choosing usernames to bruteforce a lot easier. If you have the titles of people, you can further refine your attempts. Social engineering can at worst result in an easy compromise, and at best can make a normal attack more focused and successful. Social engineering attacks have spawned many other areas which are complete topics and attacks in their own right;
What do I do?
This one is difficult, you see the only real protection is education. The problem is that (and I know I am going to get nailed for this), some people are either too thick to listen or just do not want to listen. Assuming you are one of those lucky and blessed people who do not have to worry about these 2 classes of people, then you must educate your users. Teach them what information they should never give out, teach them to always make sure about who they are talking to, phoning a person back is a helpful step. Also consider the idea of a chokepoint applied to social engineering, instead of asking the users to think, just tell them to redirect all queries to one person, and make sure that person knows what they are doing. Lastly, when doing a penetration test on your network, remember to test the staff as well.

Final Words
Social engineering attacks are not a nice neat package of attacks, there is no easy answer or fix (Well actually there is no real easy fix for any class of attacks, but the vendors would like you to think otherwise). There is no software or appliance you can buy to sort the problem out. This is when a company's commitment to information security is tested, because only with proper management support, proper policies in place, training and vigilance will you have a chance of stopping these attacks. Have fun and learn.