Social Engineering Threats and Defenses
To carry out attacks on any organization, social engineers need to exploit employee behavior (manners, enthusiasm toward work, laziness, innocence, etc.). Social engineering attacks are difficult to guard against, as the victim might not be aware that he or she has been duped. They are very similar to other kinds of attacks that aim to extract a company’s money, information, or IT resources.
To guard against social engineering attacks, a company needs to evaluate the kinds of attacks, estimate the possible loss, and spread awareness among employees. The following are some major attack methods a social engineering hacker uses:
• Personal approaches
• Reverse social engineering
Employees often respond to requests and use information that arrives electronically from both inside and outside the company. This gives hackers the opportunity to approach staff through the Internet. Online attacks take the form of e-mail, pop-up applications, and instant messages carrying Trojan horses, worms, or viruses. This malware damages resources. Antivirus programs and other defenses can prevent such attacks.
Social engineering hackers persuade staff members to provide information through a believable ruse. Instead of infecting a computer with malware through a direct attack, social engineering hackers use this information to make subsequent malware attacks.
Social engineering hackers often choose to use the telephone as a route for attack. As with computer-based attacks, the target typically cannot see the hacker. These attacks include stealing either credit card or telephone card PINs at telephone booths. Most people are aware that they should be careful when using an ATM, but people are less cautious when using a PIN in a telephone booth.
VoIP is a developing market that offers cost benefits to companies. Currently, VoIP hacking is not considered to be a major threat. However, as more businesses embrace this technology, VoIP spoofing may become as widespread as e-mail and IM spoofing are now.
Private Branch Exchange (PBX)
There are three major goals for a hacker who attacks a PBX:
- Request information, usually through the imitation of a legitimate user, either to access the telephone system itself or to gain remote access to a computer system.
- Gain access to “free” telephone usage.
- Gain access to the communications network.
Each of these goals is a variation on a theme, with the hacker calling the company and attempting to get telephone numbers that provide access directly to a PBX or through a PBX to the public telephone network. This type of hacking by using the phone system is called phreaking. The most common approach is where the hacker pretends to be a telephone engineer, requesting either an outside line or a password to analyze and resolve the problems reported on the internal telephone system.
Requests for information or access over the telephone are relatively risk-free forms of attack. If the target becomes suspicious or refuses to comply with a request, the hacker can simply hang up. Since more elaborate attacks are complicated, a hacker may simply call a company and ask for a user ID and password. The hacker usually presents a scenario, asking for or offering help, before making the request for personal or business information, almost as an afterthought.
The most direct way for a hacker to get information is to ask the victim in person. The following are the four main successful approaches for social engineers:
- Intimidation: This approach may involve the impersonation of an authority figure. In all cases, this approach is about coercing a target to comply with a request.
- Persuasion: This approach involves flattery and name-dropping.
- Ingratiation: Using this approach, a social engineering hacker gains a coworker’s trust over time and then uses that trusting relationship to gain information.
- Assistance: In this approach, the hacker offers to help the target. The hacker will, of course, need personal information from the target in order to provide this assistance.
Defending Against Personal Approach Attacks
Defending users against these types of attacks is very difficult, since at least one of these approaches is likely to work against any given user. To defend against an intimidation attack, management needs to foster an environment in which employees feel comfortable escalating confrontational situations. Employees then know that they can take such situations to a higher authority. In this way, employees are less likely to make rash decisions when faced with a confrontation, and it becomes much more difficult for a social engineering hacker to force them into doing something they don’t want to do.
Persuasion is a very powerful tool, especially in the hands of a skilled social engineering hacker. The best defense against persuasion is to make employees aware of basic security procedures, such as keeping passwords secret at all times.
Hackers need time to ingratiate themselves with users. The hacker will need to be in regular contact. Most hackers will try to become employed by the target company. For most mid-sized companies, the main threat comes from regular service or contract personnel.
Management can minimize assistance attacks by making the service desk the single point of contact for service calls. In this way, the service desk staff members become the gatekeepers of information. Management then has to make sure that the service desk staff members follow a rigid security policy. Regular audits of the service desk ensure that staff members are following established policies and protocols.
Reverse Social Engineering
Generally, reverse social engineering is difficult to carry out. This is primarily because it takes a lot of preparation and skill to execute.
In reverse social engineering, a perpetrator assumes the role of a person in authority and has employees asking him or her for information. The attacker usually manipulates the types of questions asked to draw out the required information. First, the social engineer causes some incident, creating a problem, and then presents himself or herself as the solver of the problem through general conversation, encouraging employees to ask questions as well. For example, an employee may ask how the problem has affected particular files, servers, or equipment.
This provides pertinent information to the social engineer. Many different skills and experiences are required to carry out this tactic successfully. The following are some of the techniques involved in reverse social engineering:
• Sabotage: Once the attacker gains access, the workstation will be corrupted or will appear to be corrupted. Under such circumstances, users seek help as they face problems.
• Marketing: In order to ensure that the user calls the attacker, the attacker must advertise. The attacker can do this by either leaving his or her business cards around the target’s office or by placing his or her contact number on the error message itself.
• Support: Although the attacker has already acquired needed information, he or she may continue to provide assistance to users so that they remain ignorant about the hacker’s identity.
A good example of a reverse social engineering virus is the “My Party” worm. This is a reverse social engineering virus that doesn’t rely on sensational subject lines, but makes use of inoffensive and realistic names for its attachments. By using more realistic words, the attacker gains the user’s trust, confirms the user’s ignorance, and completes the task of information gathering.
General Defenses Against Social Engineering Threats
Three steps are necessary to design a defense against social engineering threats to the staff within the company. An effective defense requires a great deal of planning. Social engineering attacks can be costly, so a proactive approach to defense is necessary. The following are the three steps management should take:
- Develop a security management framework: Management should develop a set of social engineering security goals and identify those staff members who are responsible for reaching those goals.
- Undertake risk management assessments: Different types of social engineering threats are more likely at certain companies. Management should assess the risk involved with different types of attacks in order to build an appropriate defensive strategy.
- Implement social engineering defenses within the company’s security policy: Management needs to integrate social engineering defenses into the company’s security policy. If employees know how to handle social engineering threats and are aware of the forms these threats can take, they will be less likely to fall victim to these attacks.
Why Social Engineering Is Effective
The following are some of the reasons social engineering is so effective:
• Even a good security policy cannot prevent people from being socially engineered, since the human factor is the most susceptible to variation.
• It is difficult to detect social engineering attempts. Social engineering is the art and science of getting people to comply with an attacker’s wishes. Often, this is the way that attackers get a foot inside a corporation’s door.
• No one method can guarantee complete security from social engineering attacks.
• No hardware or software is available to defend against social engineering attacks.
Warning Signs of an Attack
The following are some signs that a person might be an attacker:
• Unwillingness to give a valid callback number
• Making informal requests
• Claiming authority
• Showing haste
• Giving compliments or praise excessively
• Showing discomfort when questioned
• Dropping a phony name inadvertently
• Threatening negative consequences if information is not provided
Impact on an Organization
The following are some of the impacts of social engineering attacks against an organization:
• Economic losses: Economic loss occurs when the cost of inputs exceeds the revenue from their sale. Economic loss has a negative impact on an organization.
• Damage of goodwill: The goodwill of an organization is key in attracting customers.
• Loss of privacy: Loss of privacy has a negative impact on an organization if competitors acquire sensitive information.
• Dangers of terrorism: Terrorism and antisocial elements pose a threat to an organization’s people and property.
• Lawsuits and arbitration: Lawsuits and arbitration result in negative publicity for an organization.
• Temporary or permanent closure: Temporary or permanent closure of venues results in a negative reputation for an organization.
If you want more blog posts on this topic, please follow ExploitBytes.