Social Engineering
Whatis.com states: "In computer security, social engineering is a term that describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures." In short, social engineering is essentially a con game. Consider the following real-world examples: "Jane enters a government facility by simply talking to employees and 'piggybacking' through the doors. Guards ignore her since she is with a group of employees, some of whom swipe their cards to unlock the door. Once inside, she breaks off from the group and finds her way to the server room. She finds an administrator along the way and convinces him that she is with a vendor to install some software and accidentally locked herself out of the server room. He dutifully lets her into the server room without further question. From there she is left alone with the core servers, ready to do her theft or harm." Jane bypassed many checks in the normal identification system because she was friendly, quickly gained the trust of others, and did nothing to raise suspicion. She was in many situations where someone could have challenged her to show an ID, but no one did, since she was effective at quickly changing topics and posing as friendly. Most people are not willing to offend someone by asking for an ID if the person acts as if they 'fit in' or belong.
"A cyber audit is being performed at a company. The auditors know about an upcoming layoff and create a CD with bogus data containing a virus, label it ABC Corp Layoffs, and plant it in a bathroom at the company. An employee finds the CD and inserts it into his machine to see if he or others he knows are on the list. Afterwards, he dutifully turns it in to his supervisor, who does the same, then continues to pass it up the management chain, each infecting their machines. The auditors were easily able to gain access to senior management's machines through natural human curiosity." This example played upon the fears and curiosity surrounding an upcoming layoff. It is human nature to check whether you will be affected by a potentially life-changing event such as a layoff. Each person who received the malicious CD let curiosity get the best of them and unknowingly infected their computer system with a back door permitting an attacker to gain silent access.
"A research firm stationed itself in the middle of a busy downtown district and offered chocolate bars in exchange for passwords. The results were mixed, and care was taken to determine whether the password given was legitimate or falsified just to obtain the treat. This was done through various observations, including how long the person paused before giving their password and how accurately they repeated it when challenged. One woman freely gave up her password, but stated that they did not know her username or where she worked. At the end of the business day, the researchers approached the woman as she was leaving work, telling her that they could easily gain access to her computer accounts at her employer. Puzzled, she asked how, since all she had given them was her password earlier that day. 'Easy,' the researchers replied. She had worn her ID badge indicating her name, and they had watched as she entered the XYZ Corp building." While many people gave bogus information in order to get the offered treat, many others freely gave up this information with little forethought. Those who thought the information was harmless, since they had not offered the rest of the details required to gain access, failed to notice that those details were being given away unknowingly. The ID badge she wore prominently displayed her name, which can be used to derive the username given common account naming practices. Observing the office building she entered gave away her place of employment. Any single piece of this data is useless on its own, but combined, it can be detrimental.
"Auditors are contracted to perform a test of cyber security at ACME Corp. One of the auditors calls random users, posing as a system administrator. The auditor states that they need the user's account information, including the password, to perform some maintenance. ACME Corp has an effective training program, and the users refuse to give out this information. The auditors then call the help desk to have a password changed for a user account, and are deterred by the help desk's user identity verification process for changing passwords. The auditors, determined to get a user password, find the office of a user who has gone to lunch, call the help desk from the user's phone extension, and pretend to be that user. The help desk verifies the user's phone extension via caller ID, matches the name to the assigned extension, and happily changes the user's password. The auditors have now exploited the help desk's user identification process." Users were well educated on proper password handling policies, and the help desk had even deterred the attacker through its policies. However, the attacker was able to turn the policies against the help desk and obtain a password reset simply by adhering to them: the process trusted caller ID as proof of identity, and caller ID only proves which phone was used, not who was using it.
What you can do to prevent being conned:
- Question people and ask to see their badges if you do not recognize them.
- Don't permit 'piggybacking' or the following of an unknown person into locked areas, especially Property Protection Areas.
- Do not trust or open unsolicited email attachments, web links, phone calls or other electronic media.
- Don't give out personal information or logins/passwords. A Fermilab administrator should never need to know your passwords.
- Be observant. When in doubt or you suspect something is not quite right, report it to the appropriate people (reporting to the security guards is a good start).
For assistance contact helpdesk@fnal.gov.