Ralph O’Brien MBCS, from IT Governance, explains how one morning a few years back he walked into a police headquarters and easily walked back out again with some very sensitive information, without going past reception:

Of course this was ethically done, with agreement from all concerned. But as an information security professional you would think that I utilised some sort of hi-tech attack on the corporate network to steal information via the latest IP spoofing or crafted Trojan attacks.

But the truth is I’ve always found it much easier to rely on getting the staff to do my work for me. To simply ask for the information I need, a bit at a time, until I have enough to potentially access anything I need. Simple. The weakness is ordinarily never the automated IT systems themselves, but the people who use them, operate them and have legitimate information access.

Definition

Social engineering is a common term with many definitions. As an avid watcher of BBC’s Hustle and C4’s Derren Brown, I can’t help but compare social engineers, or people who ‘blag’ information over the phone, to con-artists, grifters or simply students of human psychology and neuro-linguistic programming. For what this subject is really about is the abuse of human trust and of their desire to help their fellow man.

Reliance on IT security

Whilst it is never unwise to invest in IT security, the problem with this approach is it simply isn’t holistic enough. Unfortunately you have to trust somebody - people. These people you give legitimate authorised access to. And unfortunately 99 per cent of people are too easily conned. 

Perhaps the most famous social engineer is Kevin Mitnick - a ‘phreaker’ (person who uses the phone and phone exchanges to commit fraud and gain access). He is now a well respected ‘poacher turned gamekeeper’ in this field after being caught carrying out high profile attacks on US defence and central government organisations. His famous quote from Security Focus sums it up well.

‘You could spend a fortune purchasing technology and services... and your network infrastructure could still remain vulnerable to old-fashioned [human] manipulation.’

In fact the over reliance on IT security and its’ disconnect from the business can sometimes be a great asset to the social engineer. Often pretending to be someone who is from the IT department, or even in need of IT support can be the most effective tool in their arsenal.

Methods

The basic goals of the social engineer are the same as for all hackers in general. This is to gain unauthorised access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network.

Typical targets will include telephone companies and answering services, big-name corporations and financial institutions, public services, legal and research.  Particularly vulnerable are call-centres and customer facing roles, where the role is based around access to information and the desire to help is strong.

Regardless of the method used, the main objective is to convince the person disclosing the information that the social engineer is in fact a person that they can trust with that information. The other important key is to never ask for too much information at a time, but to ask for a little from each person in order to maintain the appearance of an easy and natural relationship.

The psychology of persuasion

So let’s return to my example of the ethically agreed attack on the police HQ. I dressed in a smart, but not stand out, business suit, and carried a laptop case. On arrival I approached the public reception area and asked for the chief constable and / or the head of IT, names of whom I had researched earlier on the internet and via phone.

I watched the receptionist actually physically ‘switch on’ at the mention of the chief. I then claimed to be an hour early for the meeting, “so please don’t disturb these busy and important people yet, instead, was looking if there was somewhere I could quietly work until the correct time”. She showed me to a meeting room near reception, and I said I’d pop back out nearer the time.

The meeting room had an internal phone line and an internal telephone directory, and a network point. So far so good. I now knew all the staff names, extensions and roles in the business, probably the most valuable tool the social engineer can find. I phoned someone in IT, claimed to have the wrong number and asked to be redirected out to another caller. 

Coming through on an internal line it was a simple matter to convince any recipient that I was indeed new in the IT department and the head of IT had given me the boring job of checking that not too many users had the same password - a clear security risk (when actually it’s not a risk unless they know they have the same password!). If too many people had the same password we would of course ask them to reset, so it’s of no risk to tell.

In a few calls I had several individuals’ log on credentials. Usernames are easy to establish (first initial surname, or firstname.surname, and nobody minds confirming these!). Using the handy network point supplied in the meeting room I was able to browse their accesses and leave when I had what I needed. 

Equally I might have tried to talk the information out of them, getting them to log in whilst on the phone, getting them to do the technical work as well. Telling the receptionist I’d left something in the car, I left with the information I wanted and returned to base to write my report.

Analysis

On site a social engineer is a consummate actor, the pregnant woman carrying a heavy box, the maintenance engineer who has lost his badge or a new member of staff who is lost.

Off site, they are the poor wife of the customer who must have the information or bad things will happen to her, the disgruntled customer who must be placated, the member of staff working remotely who has lost their access or the senior management who must have that information now or we will lose the big deal. Staff should be aware of the issue and how to defend against it.

Training is always the best defence

Employees should be trained in spotting the social engineering techniques and should be made aware regularly of the latest tricks and scams being employed by tricksters. Particular staff that are more vulnerable, include customer services personnel, help desk staff and receptionists - these roles should be made a training priority.

The receptionist and security guards in an organisation are often one of the first lines of physical defence, so these people need to be educated to spot possible physical social engineering attempts.

Staff should be trained to attempt reverse social engineering in that if they are suspicious of a caller, for example, they should try and gather information about the caller. One of the best defences is simply to ask for the caller’s land line number to either check against your records, or to call them back to check that they are who they say they are.

Secure authentication methods such as passwords on accounts and shared secrets can be employed too. However, be aware that national insurance numbers, addresses, telephone numbers, mothers maiden names and other details can be easily found by research on the internet, especially through social networking sites. 

Creating a culture of security

The company policy should be highlighted through training and enforced. The situation should be monitored and even suspicions reported to management attention. Audits and measurements of this area should be carried out for management assurance. An ISO 27001 or other management system framework can assist.

Temporary staff will also need both training in the company security policies and should only be employed in sensitive positions once their authenticity is verified. Remote workers need to be made aware of the risks. Their main contact with the parent company is via email or telephone, both classic social engineering tools. These staff need to ensure they verify any request for information and the identity of the requester.

Social engineering is a dangerous tool, mainly because investment is often in IT technologies, rather than on training staff to guard against old fashioned manipulation. Investment priorities should always be the staff, second to the machines they use.