Are Your Employees Unknowingly Opening the Door for Hackers?
A man calls the receptionist at a competitor's company and
asks for the name of the Sales Manager. The receptionist says the person he
is looking for is John Smith. Later, the man calls back to the same company and
says he needs to speak with the IT helpdesk. When the helpdesk operator answers,
the man says, "Hi, my name is John Smith and I seem to have forgotten my new
password. I am on my way to an important meeting; can you reset it right away?"
In an effort to help the user regain access to the system, the helpdesk operator
resets the password and tells the man the new password. The man then accesses
the employee area of the corporate website, logs onto John Smith's email account, and reviews all of Mr. Smith's contact information and
correspondence.
The above scenario is not over-simplified; it is being
played out in corporations worldwide every day. The names, pitch, and access
methods vary, but the underlying attack method is the same: if you ask, it is
quite possible you will receive. This is the overlooked security threat called
Social Engineering. At BAI Security we regularly perform Social Engineering
audits, and we consistently find companies that are vulnerable. Social
Engineering is a way of hacking corporate users instead of corporate networks,
and it is neither uncommon nor difficult. In fact, as the above scenario
demonstrates, it does not really require any technical knowledge or elaborate
planning. Not all hackers are sitting at home at their computers hacking
into the corporate network or trying to crack executives' passwords. Sometimes
all they have to do is call up and ask for it!
The latest survey by the Computer Security Institute (CSI)
and the FBI shows that 90% of the 503 companies contacted reported a break-in
within the last year. While the number of networks being hacked is on the rise,
that growth cannot be explained solely by a lack of security devices or personnel
protecting the network. Social Engineering is also becoming a high-growth area,
because it is not limited to technically savvy computer engineers.
The Who, What, Why, and How
The growth and use of email in the corporate world has
sky-rocketed. This increased usage has made the email system a new holding
place for a myriad of proprietary or otherwise confidential information. In
addition, the need to access that information has driven companies to provide
external access to their email systems as a normal part of doing business. This
makes the email system a desirable target for Social Engineering attacks. Some
of the most common Social Engineering attacks against email systems use methods
very similar to the one described above.
The corporate Extranet is also a target for would-be
hackers, because of the wealth of information it holds on company employees, events, and
policies. The very policies that are put into place to help protect a company's
assets are often used against it. An outsider can follow the policy manual as
a roadmap to how internal employees are supposed to act with regard to certain
security procedures. References to corporate policies and procedures are
then used to gain the trust of unsuspecting internal employees and launch more
sophisticated Social Engineering attacks.
The single sign-on approach to user authentication is
increasing in popularity because it removes the confusion of multiple logons and
passwords. However, the risk associated with single sign-on without
additional methods of verification is demonstrated by the following scenario. An
individual who uses the above or a similar Social Engineering attack and gains
the user name and password of an internal employee now has access to all of the
externally accessible systems as that user. In practice the risk is often
much greater, because in many environments Virtual Private Networks (VPNs) are used
to gain direct access into the internal network. Since VPNs do not always
properly restrict users to particular systems, the same user name and password
could be used to gain full access to the internal network itself. This would
then give a hacker the ability to launch more sophisticated attacks against
other key systems that the original user may not even have had direct access
to.
In conclusion
Even from the high-level overview given here, the
risks associated with Social Engineering are clear. It is vitally important for
those responsible for information security to identify the risks within their
environment by including Social Engineering within any ongoing auditing
program.
Testing the technology associated with your information
security program with at least annual audits has become a standard. Including a
Social Engineering test within the audit process will also help to identify the
risks associated with internal employees surrendering highly sensitive
information directly to hackers. An additional byproduct of this form of
auditing is the ability to judge the effectiveness of your information security
program as it relates to the divulging of logon name and/or password information.
Kevin Mitnick,
a well-known computer hacker, was placed in solitary confinement in
1995 because of fears that he had exposed one of the biggest new security risks in corporate networks. It is well documented that
one of Kevin's talents was his ability to coax passwords out of unsuspecting
people. In fact, many said that Mitnick's abilities spooked the judge assigned to the case into physically separating him from any
person he could "influence". Even today, Social Engineering does not get the
attention it should, considering the impact, frequency, and ease with which these
attacks are being carried out.