Hacking the Human

Tuesday, September 14, 2010

Brent Huston

E313765e3bec84b2852c1c758f7244b6

He stood before the receptionist, patiently waiting until she was finished with the phone call. He fiddled around with his fake badge while glancing at the security door that led into the main office area, waiting to see if someone would exit or enter soon.

Finally, two employees engaged in conversation exited the door while a small group headed toward it. He darted to join the group while the receptionist continued to look down at her list of R.S.V.P.’s, searching for the business’ name.

As the group entering the office area quickly glanced his way, he shot them an easy grin. “Phone lines,” he quipped as he showed them the badge. “Just upgraded on our end and we want to make sure you don’t miss your phone calls!”

As the group laughed and joked about not really missing calls if they had the opportunity, he scanned the cubicle areas to make a note of which ones were empty. In a few minutes, he’d double-back , slip into one, hacked into the network and started snooping around.

In larger corporations, that is how social engineering can happen.

Employees are trusting and often distracted by their own sense of security. They see the same people in the office but realize every once in awhile, there is “the new girl” or “new guy.” They trust this person has gone through the proper channels that authorized their presence. And that’s their mistake. Very few ask questions.

Many times, employees find that their desire to be helpful is exploited.

What is usually portrayed as good customer service (“Is there anything else you need?”), can be cleverly manipulated by attackers. Often a hacker will appear to be IT staff who needs to verify an employee’s password.

When the unsuspecting victim is presented with a plausible reason for taking shortcuts (“I’m so sorry, but it could really help me if you just gave me the password instead of having to bother my supervisor…”), they often comply.

How can employers prevent social engineering attacks?

The quick answer is, they can’t. Hackers are becoming more resourceful as organizations initiate more complex security measures. But employers can still take precautions that will help employees recognize that a potential threat exists. Here are some tips:

  • Be aware of your surroundings. Know who is in charge of vetting outside service people so when a strange face appears, they know who to call. Tell employees that entering a secured area means using their badges to gain entry and to make sure everyone follows procedure.
  • Be suspicious. When callers ask for personal information, ask if there is a number you could return their call and then verify their credentials with an internal source.
  • Pay attention to the URL of a website. The page may look the same but the URL will expose it as a fake. Contact the company when in doubt.

Using these tips will help your organization avoid becoming a victim. Be alert and you’ll keep your data safe!

Cross-posted from State of Security

3073
Impersonation
Post Rating I Like this!
Default-avatar
Jon Fisher Interesting article!
There is a book on this topic 'Hacking the Human' by Ian Mann.
1285345194
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.