Social Engineering

individualism Theft complaisant engineering science December 5, 2011 Daniel Sama & Stacey Smith Sr Computer Ethics CIS-324, bead 2011 straggler University Identity Theft complaisant engineering science December 5, 2011 Daniel Sama & Stacey Smith Sr Computer Ethics CIS-324, F tout ensemble 2011 Strayer University Abstract Social Engineering from the bug outset whitethorn seem like a consequence one might hear when talking somewhat sociology or psychology, when in fact it is a spring of identity theft. To an nurture engine room (IT) lord, Social Engineering is a form of voluntary, unintentional identity theft. legion(predicate) victims fail to realize they are being victimized until it is too late, plot many others may neer know. This paper lead put up a definition of societal applied science as it applies to instruction technology while introducing some the pioneers of fond engineering those who have, essenti e truly last(predicate)y, written the book on social en gineering. We will provide real world examples of how social engineers apply their trade and provide important points to consider with regards to social engineering attacks. In conclusion we will propose counter-measures, which individuals and organizations should take in order to guard once against social engineering.Social Engineering as defined by IT professionals is the practice of deceiving someone, either in soulfulness, over the phone or using a computer, with the express intent of breaching some level of warrantor department, either personal or professional (Ledford, 2011. ) Implementing quality chance analysis solutions while maintaining data integrity is a crucial element of fortunate system modeling within the context of social engineering in the work tail end, in that respect are some(prenominal) factors that stinkpot make implementing those solutions rather challenging.Social engineering is a shell of intrusion, which relies heavily on human being inter implem ent and usually involves the tricking of other people to break normal, all(prenominal)day security policies. Social engineers (SE) often pit on the innate helpfulness of other people. When analyzing and attempting to conduct a particular attack, a SE will commonly appeal to vanity or authority as well as simple eavesdropping to necessitate the believed schooling. Social engineering, in a nutshell is a machine politicians clever manipulation of the natural human tendency to trust. This will provide the unauthorized admittance to the valued information, system or machine. neer interrupt your enemy when he is making a mistake (Bonaparte, n. d. ) This is a mantra for all successful SEs, as they take any and all information about and from a target for later subroutine against said target. The SE will gather as much information as possible about their target in advance, most of which is readily for sale online, usually, with just a few keystrokes anything from hobbies to their favorite lunchtime meal. This information helps build a connection and instills trust with the target. With this trust, seemingly innocuous information will sum up flooding out of the target.Akin to fictional spies like James Bond and Michael Weston, SEs confiscate a persona that is not their own and attempt to establish with their target a reasonable apology to fulfill a request. The aforementioned manoeuvre allow the SE to maintain the facade and leave an out to avoid burning his or her information source. Bottom line a good SE is a good actor. All of the firewalls and encryption in the world will never stop a knowing social engineer from rifling a embodied database or an irate employee from crashing the system, says pioneer Kevin Mitnick, the worlds most celebrated hacker who popularized the term.Mitnick firmly states in his two books The Art of Deception and The Art of trespass that its much easier to trick someone into giving a password for a system than outgo the time us ing a brute force hack or other more handed-down means to compromise the integrity of sensitive data. Mitnick who was a world famous controversial computer hacker in the late 1980s was sentenced to 46 months in prison for hacking into the Pacific Bell telephone systems while evading the Federal Bureau of Investigation (FBI).The notorious hacker also allegedly wiretapped the California Department of take Vehicles (DMV), compromised the FBI and Pentagons systems. This led Mitnick to spend the majority of his time incarcerated in solitary confinement due to the organizations fear of him attempting to gain control of more sensitive information. Mitnick states in both of his aforementioned books that he compromised computers solely by using passwords and codes acquired as a result of social engineering. As a result, Mitnick was curtail from using any forms of technology upon his release from prison until approximately 5 years ago.Kevin Mitnick is now the chief operating officer of Mi tnick Security Consulting, a computer security consultancy. Social engineering awareness is a being turn to at the enterprise level as a vital corporate security initiative. Security experts displace that a properly trained staff, not technology is the best asset against social engineering attacks on sensitive information. The importance placed upon security policies is imperative when attempting to combat this type of attack. Combat strategies require action on both physical and psychological levels.This form appeals to hackers because the Internet is so widely used and it evades all intrusion detection systems. Social engineering is also a desirable method for hackers because of the low risk and low cost involved. There are no compatibility issues with social engineering it works on every operating system. Theres no audit trail and if executed properly its effects feces be completely devastating to the target. These attacks are real and staggering to any federation, which is w hy strong corporate policies should be measured by access control and implementing specific procedures.One of the advantages of having such policies in place is that it negates the responsibility of an employee having to make a judgment call or using discretion regarding a social engineers request. Companies and their subsequent staffs have become much too relaxed as it pertains to corporate security initiative. These attacks can potentially be high-priced and unnerving to management as well as the IT department. Social engineering attacks commonly take place on two different levels physical and psychological. Physical settings for these attacks can be anything from your office, your trash, over the telephone and even online.A rudimentary, common form of a social engineering attack is social engineering by telephone. Clever social engineers will attempt to target the troupes help desk while fooling the help desk reppresentative into believing they are calling from wrong the keep social club. Help desks are specifically the most vulnerable to social engineering attacks since these employees are trained to be accommodating, be friendly and give out information. Help desk employees are minimally educated and get nonrecreational a below norm salary so it is common for these individuals to answer one question and choke right along to the next.This can potentially create an alarming security hole when the proper security initiative is not properly set into place. A classic example of this would be a SE calling the company operator and saying something like Hi, Im your AT&T rep Im stuck on a pole. I need you to punch a few buttons for me. This type of attack is directed at the companys help desk environment and nearly always successful. some other forms attack target those in charge of making multi-million dollar decisions for associations, namely the CEOs and chief financial officers.A clever SE can get either one of these individuals to willingly offer in formation pertinent to hacking into a corporations network infrastructure. Though cases such as these are seldom documented, they still fare. Corporations spend millions of dollars to test for these kinds of attacks. Individuals who perform this specialized testing are referred to as Social Engineering Auditors. One of the premier SE Auditors in the industry today is Chris Hadnagy. Hadnagy states that on any given assignment, all he has to do is perform a bit of research on the key players in the company before he is ready to strike.In most cases he will play a bounty card, pretending to be a member of a charity the CEO or CFO may belong to and make regular donations to. In one case, he called a CEO of a corporation pretending to be a fundraiser for a charity the CEO contributed to in the past. He stated they were having a raffle drawing and named off prizes such as major league game tickets and gift cards to a few restaurants, one of which happened to be a favorite of the CEO. W hen he was finished explaining all the prizes on tap(predicate) he asked if it would be alright to email a flier outlining all the prizes up for grabs in a PDF.The CEO agreed and willingly gave Hadnagy his corporate email address. Hadnagy further asked for the version of Adobe Reader the company used under the guise he wanted to make sure he was sending a PDF the CEO could read. The CEO willingly gave this information up. With this information he was able to send a PDF with spiteful code embedded that gave him unfettered access to the CEOs machine and in essence the companys servers (Goodchild, 2011). Not all SE attacks occur completely over the phone. Another case that Hadnagy reports on occurred at a theme park.The back story on this case is he was hired by a major theme park concerned about software security as their node check-in computers were linked with corporate servers, and if the check-in computers were compromised a serious data breach may occur (Goodchild, 2011). Hadn agy started this attack by first calling the park posing as a software salesman, hawk newer PDF-reading software which he was offering free on a trial basis. From this phone call he was able to obtain the version of PDF-reader the park utilized and put the rest of his plan in action.He next headed to the park with his family, walking up to one of the employees at guest services asking if he could use one of their terminals to access his email. He was allowed to access his email to print off a verifier for admission to the park that day. What this email also allowed was to embed malicious code on to the servers and once again gained unfettered access to the parks servers. Hadnagy proposes six points to ponder in regards to social engineering attacks * No information, irrespective of it personal or emotional nature, is off peg downs for a SE seeking to do harm. It is often the person who thinks he is most secure who poses the biggest vulnerability to an organization. Executives are the easiest SE marks. * An organizations security policy is only as good as its enforcement. * SEs will often play to the employees good nature and desire to be helpful * Social Engineering should be a part of an organizations defense strategy. * SEs will often go for the low-hanging fruit. Everyone is a target if security is low. The first countermeasure of social engineering bar begins with security policies.Employee training is essential in combating even the most cunning and sly social engineers. mediocre like social engineering itself, training on a psychological and physical basis is needed to alleviate these attacks. Training mustiness begin at the top with management. All management must run into that social engineering attacks stem from both a psychological and physical angle therefore they must implement adequate policies that can mitigate the damage from an attacker while having a robust, enforceable penalisation process for those that violate those policies.Access control is a good place to start when applying these policies. A workmanlike system administrator and his IT department should work cooperatively with management in hashing out policies that control and cumber users permission to sensitive data. This will negate the responsibility on the part of an average employee from having to exercise personal judgment and discretion when a potential attack may occur. When suspicious calls for information occur within the company, the employee should keep three questions in mind 1.Does the person asking deserve this information? 2. Why is she/he asking for it? 3. What are the possible repercussions of giving up the requested information? If there is a strong policy in place with enforceable penalties in place, these questions will help to focus the potential for a SE attack (Scher, 2011). Another countermeasure against a social engineering attack is to limit the amount of information easily available online. With Facebook, Twitter, Four-Squa re and the like, there is an overabundance of information readily available at any given moment online.By just drastically limiting the amount of information available online it makes the SEs task of information gathering that much more difficult. Throughout all of the tactics and strategies utilized when cultivating social engineering expertise, its extremely difficult to combat human error. So when implementing employee access control and information security, it is important to remember that everyone is human. This type of awareness can also be costly so its important to adopt a practical approach to fighting social engineering.rapprochement company morale and pleasant work environment is a common difficulty when dealing with social engineering prevention and awareness. It is vital to keep in perspective that the threat of social engineering is very real and everyone is a potential target. References Bonaparte, N. (n. d. ). BrainyQuote. com. Retrieved December 6, 2011, from Brain yQuote. com Web site http//www. brainyquote. com/quotes/authors/n/napoleon_bonaparte_3. html Goodchild, J. (2011). Social Engineering 3 Examples of Human Hacking. Retrieved November 28, 2011 Retrieved from www. csoonline. om Web site http//www. csoonline. com/article/663329/social-engineering-3-examples-of -human-hacking Fadia, A. and Manu, Z. (2008). Networking attack Alert An Ethical Hacking Guide to Intrusion Detection. Boston, Massachusetts. Thompson Course Technology. 2008. Ledford, J. (2011). Identity Theft 101, Social Engineering. Retrieved from About. com on December 1, 2011. Retrieved from http//www. idtheft. about. com/od/glossary/g/Social_Enginneering. htm Long, J. and Mitnick, K. (2008. ) No Tech Hacking A Guide to Social Engineering, Dumpster Diving and Shoulder Surfing.Burlington, Massachusetts. Syngress publishing Inc. 2008. Mann, I. Hacking the Human. Burlington, Vermont Gower Publishing, 2008. Mitnick, K. and Simon, W. The Art of Deception. Indianapolis, Indiana W iley Publishing Inc. 2002. Mitnick, K. and Simon, W. (2006. ) The Art of Intrusion. Indianapolis, Indiana Wiley Publishing Inc. 2006. Scher, R. (2011). Is This the Most Dangerous Man in America? Security specialiser Breaches Networks for Fun & Profit. Retrieved from ComputerPowerUser. com on November 29, 2011. Retrieved from http//www. social-engineer. org/resources/CPU-MostDangerousMan. pdf