Social engineering is often a taboo topic that has very little resources available for research.
Often, network security professionals and students focus on the digital side of the equation, while still recognizing that the human vulnerability weighs heavily on the landscape.
One of the strongest methods to thwart attempts by social engineers is raising the organizations level of awareness. Just as we teach our children not to get into cars with strangers, individuals in organizations need to be trained on the possible ways in which a social engineer may potentially breach their trust.
Policy development must be constructed around the conversations that will take place during an attack, and strongly reinforced after the policy has been deployed. Constant re-training of individuals on security awareness will help to decrease the amount of risk involved in day-to-day operations.
Many organizations have internal or contracted helpdesk departments that assist with the overall IT infrastructure. Recently I had the opportunity to study and listen to the conversations taking place within a HIPAA based organization’s helpdesk.
Typically a call would start off with an employee’s name from where ever they might be calling from, followed by a request for password reset or help. The following example could be used to breach a helpdesk personnel’s trust to gain access to user name, password, or other confidential information.
“Hello this is John Doe, I just came back from a leave of absence and my password doesn’t work…can you reset it for me please?”
In most cases there will be a set of challenge questions for confidential information. However, during the course of the day repetition may break down this process and a helpdesk person may simply forget to challenge the individual. Further more, there may be several layers to confidential information. For example:
“That’s fine Mr. Doe, I can assist you with that. Can you please give me the first four digits of your Social Security number, as well as your month and day of birth?”
John Doe responds correctly to the month and day of birth, but fails on the social security number. Escalating the situation, John Doe now becomes frustrated and aggressive towards the helpdesk individual. Typically, at this point the helpdesk individual will lower their guard and assist the client.
However, if the helpdesk analyst is security minded, a third challenge question may be used. The third challenge question could be something as simple as an employee number. Because John Doe has done his homework on the organization he may have achieved the employee number for the individual whom he is trying to gain password access.
If the attacker has challenged the system before and discovered the challenge criteria there is a good possibility that somehow the attacker has achieved enough pieces to breach the policy.
Achieving challenge information could be a very simple process in large open environments such as hospitals. Typically, hospitals are so large that individuals within the organization do not know with enough certainty who exactly works in other departments. A very simple attack on the staff may occur in such a fashion:
First the attacker develops a document looking very official in the style and name of the organization. Secondly the attacker then poses themselves as an intern or someone of lower standing within the IT department of the organization. The attacker takes the document, which in this case is in survey form, and prowls the halls of the organization looking for victims. The attacker would simply approach people and say:
“Hello, my name is John Doe, and I was sent out by my manager to collect random samples of data for study. We recently have noticed that the calls to our helpdesk show that what we have in our database is incorrect. Because we want to have the most accurate and efficient system as possible would you mind taking a few moments out and filling out this quick survey?”
The survey would ask for parts of the challenge criteria, as well as false survey questions like:
“How do you like the service of the IT department?” or, “Do you feel the IT department meets all of your IT needs?”
By adding in false survey questions, it lowers the alarm level of the individuals targeted for the attack. Out of fifty people surveyed a 5-10% return would give the attacker 3-5 names along with enough information to attack the helpdesk for a password reset. Once this has been achieved the attacker now has the ability to set the user’s password to whatever he wishes.
Attack scenarios such as this show how easy it would be to compromise the challenge system. This is why it is very critical for security personnel to constantly train an organizations staff on safe information handling. Also, during training it gives the security personnel the opportunity to create relationships with the staff.
It is very important that the staff feel comfortable with security personnel, and that they feel they can come to the security staff when they feel there has been a breach of confidentiality. In the case of social engineering there is no comment from the staff that should go uninvestigated.