Social Engineering: People Hacking



Historically speaking, humans have always been great social engineers. You'd have to agree that it probably started around the time the first caveman husband told his wife that she wasn't fat and, in fact, looked fitter than on her wedding day in that latest dinosaur-skin dress of hers. While that is, debatably, less malicious, history has witnessed far more spiteful incidents of social engineering.

As far back as the early 1700s, George Psalmanazar falsely claimed to be the first Formosan to visit Europe and even wrote a successful book on Formosa. Jefferson Smith, better known as Soapy Smith, sold bars of soap to onlookers by duping them into believing that some of the "lucky" bars had money wrapped around them. Victor Lustig is best known as "the man who sold the Eiffel Tower twice." More recently, Frank Abagnale, whose exploits were immortalized in books and movies, by his own account committed forgery in 26 countries and assumed multiple identities, all before he was 21 years of age.

Social engineering is the manipulation of words and actions to build a false sense of trust and confidence and ultimately elicit the response the manipulator wants. In the modern world, where we depend on technology and lightning-fast communications, it has taken a sinister turn: the rules are still the same, but the consequences are more severe.

People Hacking

Social engineering aims to exploit the weakest link in information security: people. It is grounded in the same principle as the historical examples in which people were manipulated into serving someone else's ends, and it does not necessarily require any technical method at all. By nature, people tend to be helpful and polite, and social engineering techniques take advantage of that intrinsic nature to manipulate people into divulging sensitive information. Many of the people who divulge information do not think they are giving away anything critical. The social engineer's goal is therefore to assemble the pieces gathered from various sources into something that is.

In ancient times, assassins used extremely subtle information gathering techniques and spent months preparing for the final attempt. Pieces of seemingly innocuous information were assembled in this pursuit and ultimately led to fatal consequences for a number of kings and men of power. Social engineers today use a very similar modus operandi.

Organizations today spend heavily on their information security infrastructure and employ the latest technological advancements in security. However, security is only as strong as its weakest link. If the human firewall is weak, an organization will fall prey to the oldest tricks in the book, and the expensive technical security infrastructure is rendered useless once social engineers have their way through people hacking.

(c) 2009 Enterprise Risk Management, Inc. All rights reserved.


Old Dog, New Tricks

To combat social engineering, it is important to understand the tricks that social engineers use; one needs to know how a social engineer thinks and operates in order to protect against the threat. Let us take a look at some of the common methods employed by social engineers:

* Pretexting

Social engineers often create a believable pretext to dupe their target into divulging sensitive information. The creation of such a pretext is usually the result of serious planning and homework. The social engineer's main objective is to establish a sense of legitimacy in the mind of the target.

Human emotions like fear, guilt, sympathy, confusion, intimidation, flattery, and friendship are a social engineer's best friends when pretexting. For instance, nobody wants to cross an enraged vice president, especially one they have never even seen before. A fire marshal coming in to "inspect" the workplace is an intimidating, uniform-clad authority to challenge. Sometimes it is as simple as a social engineer putting on a pitiable face and asking for your help, without which he/she "would be completely lost."

A typical example of pretexting is a social engineer pretending to call from your cellular telephone provider, informing you that you need to pay for $5,000 worth of international calls that the caller claims you made. Since you are taken aback by the accusation, your thoughts are in disarray. The caller then steps up to provide the much-needed support, telling you that he/she will waive the amount you owe and place a hold on your account to prevent further calls of the kind. However, you need to confirm your credit card details for "identification purposes." You quickly provide your card details, and the social engineer's job is done. A genuine provider does not need your card number to identify you on a call it placed; the right response is to hang up and call back on the number printed on your bill.

Pretexting techniques are highly evolved today. Social engineers use acronyms and company jargon when targeting organizations, which lends great credibility and believability. One technique involves recording the target organization's on-hold music. The social engineer then calls someone at the organization posing as a co-worker, tells the person to hold the line because there is "another call on line two," and plays the recorded on-hold music, which inclines the listener to believe that the caller really works there. Voice over IP (VoIP) technology even allows a caller to spoof the caller ID so that it shows up as a number from within the target organization. Such meticulous arrangements can fool even the well-prepared, which is why caller ID must never be treated as authentication: the reliable check is to hang up and call the person back on the number in the internal directory.

* Phishing and Spear Phishing

Phishing techniques have become all too common; anyone who owns an e-mail account has probably received at least one "phishy" e-mail. These e-mails look highly legitimate and solicit personal information, often appearing to come from commonly used services and websites like eBay and PayPal. The e-mail carries a link that takes the unsuspecting target who clicks on it to a webpage that looks strikingly similar to the original, with a form that asks for all levels of personal and account details. The sender address and the link's real destination, which is visible by hovering over it without clicking, usually give the game away: neither belongs to the service being impersonated.







Again, human emotions play a critical role in phishing. Social engineers add presumed credibility and urgency to their e-mails by asking the target to "validate" his/her account, failing which it will be "blocked permanently." Alternatively, the e-mail states that the account has already been blocked and that the recipient needs to "click this link" to go to the activation page.

The Nigerian scam, also called the 419 scam after the section of the Nigerian criminal code that covers fraud, has been a menace throughout the history of social engineering. It is an advance-fee fraud: an e-mail persuades the target to send sums of money up front with the lure of an "unclaimed will" or "lottery money" amounting to millions of dollars. The scam has used a wide array of variations over the years, to great success.

Spear phishing is very similar to phishing, except that it is more targeted and often directed at organizations. Legitimacy, in this case, is established through information gathering. For instance, a social engineer could find out that an organization uses ADP for payroll and then craft a spear phishing e-mail as if it were sent by ADP to the employees of the target organization who are paid through ADP. The e-mail would state that the employee's payroll was not processed and that the situation can be "sorted" by "clicking this link" and logging in. Few individuals want to take chances with their payroll.

* Vishing

A relatively new development in social engineering that is fast gaining ground is vishing (voice phishing). Vishing uses interactive voice response (IVR) systems to dupe a target into divulging personal information such as card details, Personal Identification Numbers (PINs), and Social Security numbers.

Typically, social engineers record legitimate IVR messages and prompts and play them back over a toll-free number that targets are enticed to call through an advertisement or notification of some sort. Alternatively, they build an automated calling system that sequentially dials a list of telephone numbers. The system plays a recorded message asking the target to "renew" or "validate" his/her services with a popular bank, credit union, or service, and the IVR prompts are then played to make the target key in the much-valued personal information. As with a telephone pretext, the defense is to call the institution back on the number printed on your card or statement, never the one given in the message.

* Malicious Code

Social engineers at times also send out e-mails with attachments and a pretext that entices the target to open them: a "failed UPS package delivery," an "important work-related file," "free Britney Spears wallpaper," a "critical anti-virus upgrade" from your "tech support team," or even an "I love you" letter. The target who succumbs to the message opens the attachment, which contains malicious code such as a keylogger, Trojan, backdoor, virus, or worm.

Malicious code has also become far more sophisticated. Modern malware is commonly built to evade detection, for example by disabling or hiding from anti-virus software and by staying quiet when it detects that it is being analyzed, so the absence of an alert after opening an attachment is no assurance that nothing happened.
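As an added example (not code from this newsletter), the script below applies the tells described in the phishing and malicious-code sections to an incoming message: a display name that invokes a brand whose domain the sender address does not use, link text that shows one host while the link itself goes to another, and an attachment that hides an executable behind a double extension such as ".pdf.exe". The sample message, the .example domains and the KNOWN_BRANDS table are constructed for the demonstration; the anchor regex is deliberately simple, and a production filter would use a real HTML parser.

```python
"""Triage heuristics for a suspicious e-mail (added example, not ERM's code).

Flags three tells from the phishing and malicious-code sections: a display
name invoking a brand the From: domain does not belong to, visible link text
naming one host while the href goes elsewhere, and an attachment hiding an
executable behind a double extension.  SAMPLE_PHISH and the *.example domains
are constructed for this demonstration; KNOWN_BRANDS is an illustrative table.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands the article names as lures -> domain their genuine mail comes from.
KNOWN_BRANDS = {"paypal": "paypal.com", "ebay": "ebay.com", "adp": "adp.com"}
# Extensions that run code when opened; risky in any unexpected attachment.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "hta"}
# Good enough for mail bodies; a real filter would use an HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def _host(value):
    """Lower-cased hostname of a URL; bare 'www.x.com/path' is accepted too."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def _registrable(host):
    """Crude 'example.com' from 'login.example.com'; enough for a heuristic."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def check_sender(msg):
    """Display name claims a known brand but the address is on another domain."""
    name, addr = parseaddr(str(msg.get("From", "")))
    sender = _registrable(addr.rsplit("@", 1)[-1].lower())
    tokens = set(re.findall(r"[a-z0-9]+", name.lower()))
    return [f"display name '{name}' but address domain {sender}"
            for brand, domain in KNOWN_BRANDS.items()
            if brand in tokens and sender != domain]

def check_links(html_body):
    """Link text that looks like a URL for one host while the href goes elsewhere."""
    findings = []
    for href, text in ANCHOR_RE.findall(html_body):
        text = text.strip()
        if not text or any(c.isspace() for c in text) or "." not in text:
            continue  # plain words: the reader is not shown any host at all
        shown, actual = _host(text), _host(href)
        if shown and actual and _registrable(shown) != _registrable(actual):
            findings.append(f"link text shows {shown} but points to {actual}")
    return findings

def check_attachments(msg):
    """Final extension is executable, e.g. 'Statement.pdf.exe'."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if "." in name and name.rsplit(".", 1)[-1].lower() in EXECUTABLE_EXTS:
            findings.append(f"executable attachment {name}")
    return findings

def triage(raw_message):
    """Run the three checks on an RFC 5322 message; return the findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = check_sender(msg)
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings += check_links(body.get_content())
    return findings + check_attachments(msg)

# Constructed phishing sample: "validate or be blocked" lure, link text that
# shows the real brand's host, and a double-extension attachment.
SAMPLE_PHISH = """\
From: "PayPal Account Services" <notice@paypal-verify.example>
Subject: Your account will be blocked permanently
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset=utf-8

<p>Please <a href="http://paypal-verify.example/login">validate your account</a>
now, or open <a href="http://paypal-verify.example/login">www.paypal.com/validate</a></p>
--B1
Content-Type: application/octet-stream; name="Account_Statement.pdf.exe"
Content-Disposition: attachment; filename="Account_Statement.pdf.exe"

MZ
--B1--
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_PHISH):
        print(finding)
```

Running it prints the three findings for the sample; pass any raw message to triage() to check a real one. These are heuristics, not proof: a message with no findings is not thereby safe, and the safest response to any "validate your account" e-mail is still to reach the service from a bookmark or a typed address rather than from the message.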








* Dumpster Diving

Dumpster diving is a great supplement to the technical methods of social engineering. The technique involves literally rummaging through the target's garbage for confidential information. While it may sound dirty, it is highly rewarding, and one reason for its widespread use is that it requires no technical skill at all; shredding paper and securely disposing of media is the straightforward countermeasure.

Social engineers may even use pretexts to support their dumpster diving initiatives, posing as a salesperson, a law enforcement officer, pest control, a repairman, or a technician. Posing as a cleaner may be the best pretext of all: a cleaner usually comes in after work hours, when there are no suspicious eyes scanning the workplace.

A social engineer usually dumpster dives for targeted information: confidential reports, sales forecasts, salary data, network diagrams, source code, configuration files, internal communications, post-it notes, and discarded applications. Something as simple as a full departmental telephone list is often a social engineer's dream.

* Shoulder Surfing and Piggybacking

As the name suggests, shoulder surfing involves stealthily observing the target to obtain or deduce confidential information, usually password keystrokes on a keyboard or a PIN entered at an ATM. Expert social engineers have even been known to observe and memorize signatures.

A social engineer does not necessarily need a full view of the keyboard or ATM keypad; that would in fact be undesirable, since social engineers try to be inconspicuous. Knowing the layout of the keys is enough to infer much of what is typed from hand movement alone.

A technique that follows similar principles is piggybacking, also known as tailgating. Social engineers use it to gain physical access to premises. Preying on common politeness, the social engineer simply slips in behind an authorized individual who is kind enough to hold the door open.

* Quid Pro Quo

The quid pro quo technique involves giving something to get something in return. A survey [1] found that more than 70% of people would reveal their computer password in exchange for a bar of chocolate. Even more surprising, 34% of the respondents volunteered their password without even needing to be bribed.

As an example of this technique, a social engineer calls targets posing as a technical support agent until he/she finds a harassed soul who is grateful that someone from the service provider is finally calling back. The social engineer then directs the target to type commands that give him/her full access to the target's computer, or has malicious code installed on it. A legitimate support desk does not cold-call users and ask them to run commands; any unsolicited "support" call should be verified through the organization's own help desk number before anything is typed.








* Baiting

Imagine that you're finishing up lunch in the break room and you notice a CD lying on a table. The CD has your company's logo on it and "Layoffs 2009 - Private and Confidential" printed on it. You're all alone in the room and decide to take the CD to your office. You open it and find that it's exactly what you thought it was: an Excel file with a list of employees, perhaps the ones you think are to be laid off. The names in the Excel file are not familiar, but you work for a big organization, so you assume they are all legitimate. You are thrilled to see that your name is not on the list.

This is a textbook baiting scenario. A script in the Excel file (a macro, for instance) installed a keylogger on your computer the moment you opened it. All your keystrokes are now being logged and sent via lightweight text e-mails to a social engineer sitting in a remote location. Media of unknown origin should never be opened on a work machine, however tempting the label.

Baiting is a highly potent weapon in a social engineer's arsenal and can have devastating effects for a target.


Con Repellent

While social engineering is a very real and ominous threat to organizations, employing the right countermeasures in the right way can fortify an organization very effectively against it:

* Policies and Procedures

Policies and procedures provide a solid foundation to counter the threat of social engineering. Having specific policies and procedures that are clear, concise, and well-documented is the first step. The critical second step is consistently enforcing them, and organizations should make it well known internally that non-compliance will be dealt with strictly. Policies and procedures also need to be comprehensive and all-inclusive, with a long-term vision that factors in the future of the organization, including growth in size.

* Training and Awareness

An organization's employees are the very first line of defense against social engineering and yet are, more often than not, the weakest link. Training your employees is the best investment you can make to combat the threat. An employee who is aware of social engineering techniques will be able to proactively identify the traps and pitfalls commonly used.

Employee training and awareness programs should be tailored to audiences of varying technical levels. The "human firewall" can be strengthened by making employees fully aware of the organization's policies and procedures. Targeted and focused programs are the most effective long-term tool against social engineering.









* Social Engineering Engagements

The best way to beat a social engineer at his/her game is to be one. Social engineering engagements performed by experts are highly effective in exposing your organization's vulnerability to social engineering attacks. These engagements use the same techniques social engineers use, to test an organization's level of preparedness.

Any awareness and training program needs a focused direction, and social engineering engagements provide it. They give an organization a clear picture of exactly where it is vulnerable, so that awareness and training programs can be directed at those specific areas and ultimately lead to a well-prepared organization.

* Awareness Tools

When running awareness and training programs, awareness tools should be employed to make the learning process more interesting and engaging. Articles and newsletters about security are one way of spreading awareness in an organization. Webcasts and podcasts are other tools that could be made available on the organization's intranet.

Humorous posters are another means of communicating messages about social engineering. Periodic quizzes, seminars, presentations, and live demos are other successful methods of spreading awareness. An organization could also hire a team of professional social engineers to perform tests and present their results to the employees. Such interactive sessions are often entertaining, eye-opening, and highly educational.

Overall, awareness tools should instill an environment of security in the organization and encourage everyone to accept security as a personal responsibility.


Hack-Proof Your People

Social engineering has proven to be the wake-up call for all those who believed that technology alone could solve the problem of information security. The people who use security measures remain the weakest link. While investing in your organization's information security infrastructure, do not forget to hack-proof your employees.


"Amateurs hack systems, professionals hack people."

- Bruce Schneier



References

[1] BBC News, "Passwords revealed by sweet deal" (2004). http://news.bbc.co.uk/2/hi/technology/3639679.stm





ERM wants to hear from YOU....


With this edition of our newsletter, we're rolling out a new format and new features. Tell us what you think!

What features or topics would you like to see covered in future issues? Who else should receive this newsletter?

Your feedback is welcome and encouraged. Please send your comments to editor@emrisk.com.

Enterprise Risk Management: At a Glance

ERM brings clients the highest level of expertise to assess and address risks, comply with standards and regulations and mitigate risks, using integrated and reasonably priced security services and solutions.

Our practice provides organizations with the tools they need to address the compliance and risk management issues of today, as well as the broader and ever-increasing security challenges of the future.
Services

* IT Security
* Regulatory Compliance
* IT Audit
* Computer Forensics
* Risk Management
* Attestation

Certifications

* Certified Public Accountant (CPA)
* Certified Information Systems Security Professional (CISSP)
* Certified Information Systems Auditor (CISA)
* Certified Information Security Manager (CISM)
* Certified Information Technology Professional (CITP)
* GIAC Security Essentials Certification
* GIAC Systems and Network Auditor
* Qualified Security Assessor (QSA)
* Approved Scanning Vendor (ASV)

Some of our Clients

* ABN-AMRO Private Banking
* Bacardi-Martini, Inc.
* Bancafe International
* Banco Industrial de Venezuela
* Banco ITAU
* Bank United
* Caja Madrid Bank
* Carnival Cruise Lines, LLC
* CitiBank
* Coconut Grove Bank
* Commerce Bank
* E-data Financial
* Florida International University
* Florida Power & Light Company
* Heico Aerospace
* Helm Bank
* Knight Ridder
* Nova Southeastern University
* Rinker Materials
* Rudy, Exelrod & Zieff, LLP
* Seabourn Cruise Line
* TecniCard, Inc.
* The International Bank of Miami
* TransAtlantic Bank
* U.S. Century Bank

For more information, visit www.emrisk.com
E-mail: info@emrisk.com
Phone: 305-447-6750
800 Douglas Road, North Tower, Suite 835
Coral Gables, FL 33134

