Businesses spend billions every year to secure computer networks and digital data. So why do serious security breaches continue to happen? Mike Howse looks at how companies can defend themselves against social engineering attacks.

Millions of words have been written about the best software to use, the correct policies to implement. Conferences are held, experts pontificate. Governments and industries pass regulations. Security solutions are amazingly effective at preventing attacks - even the dreaded zero-day flaws. We have the tools, the information and the impetus to lock down systems and data. The only things we don't have are truly secure systems.

Yes some businesses simply make a hash of security, leaving gaping holes that malicious hackers are all too happy to crawl into. But for many companies people are the weakest link in their defences. Until businesses focus on creating a culture of security, and until employees understand exactly how and why to protect data, even the best-protected system will be vulnerable to attack - particularly social engineering attacks.
A social engineer extracts information from people in order to gain access to networks and data. They prey on basic human emotions: our desire to be helpful and nice, to avoid conflict, our curiosity and fears. By capitalising on these human vulnerabilities, an attacker can often extract enough information from one or more people to penetrate a company network.

The bottom line is that we can't rely on applications to do all the work for us. Smart policies, procedures and people are just as important as choosing the right security solution.

Know your enemy

Effective social engineering scams are often amazingly simple. One popular method involves loading a few USB flash drives with a key logger and leaving them where employees of the target company are likely to pick it up. Inquisitiveness will compel some to plug the drive into their computers and the key logger is installed behind the firewall.

Variations of this scam include leaving CDs or DVDs with tempting labels - perhaps a music compilation or a popular movie - in office toilets, lunchrooms and other places where someone might logically have left something behind. Someone is bound to pop it in their CD drive, if not at work then certainly at home. And chances are good that many employees log onto the company system from their home machines, or use the same user ID and password on Amazon as they do on your corporate network. Once the hacker has that information, he can use it to gain access

But most often social engineering attacks are conducted over the phone. Many people will be suspicious of a randomly-found disk or drive, and security systems may block software installs and filter out malware. But people are off-guard when a request for help is coming from another human via the phone, especially when caller ID indicates the person is calling from inside the building, or from their home or a hotel. We tend to assume caller ID is a secure system, but a reasonably skilled hacker can alter caller ID information. And employee names and their office and mobile phone numbers can often be found with a quick internet search.

Attackers may also scour press releases, industry conference information, and other sources to determine when key personnel will be out of town, in order to call in - perhaps posing as a helpful hotel or airline employee - to pries information out of people. A social engineer may also pretend to be senior management in order to extract information from an employee who is eager to help, and perhaps worried about getting into trouble if they refuse a superior's requests. Or the social engineer may purport to be a poor guy that has forgotten his password, can't log into the system and will blow his big presentation if he can't log in right now.

Smart attackers - and social engineers tend to be intelligent - will extract seemingly trivial bits of information from several sources rather than risk alarming one person by probing too deeply. Piece by piece it's possible to pull together enough data to execute a successful attack.

Then again, sometimes they can hit the jackpot with just one call. What would your helpdesk employees do if a middle manager called from the hotel where a conference she's attending is being held, to get help logging into the company VPN? Would they reset her password if she sounded really frantic? Would an employee, called by someone apparently from the IT department, offer their log-in name and password if they were told that a virus attacking the network is emanating from their desktop, and IT needs to remotely log onto that desktop right now?

If you don't think your people could be silly enough to fall for such obvious tricks consider this: virtually every emailed virus relies on social engineering to coerce people to click on the attachment or link. If people could be trusted never to fall for these scams, the antivirus industry wouldn't exist.

Methods of defence

Security policies that are backed up by software enforcement and auditing, encryption of sensitive data, well-defined access controls and ongoing training are all, used in tandem, extremely effective defences against social engineering.

Training comes first. Ensure that employees know how to identify confidential information, the importance of protecting data and systems, how to choose and protect passwords, acceptable use of system resources, the company's security policies and procedures, and how to spot scams. Like computer viruses and worms, many social engineering attacks are repeated over and over with just slight twists.

New employees should be required to complete a security orientation before they are given access to the network, and annual refresher classes for every employee should be required. Employees can be alerted to new threats and issues by way of a monthly newsletter or RSS feed.

Security policies need to be reviewed on a regular basis to ensure that they not only support the then-current business needs but also provide protection against the ever developing techniques that are used by the bad guys. Mergers and acquisitions often bring turmoil to those involved and turmoil can result in gaps appearing in policies and procedures from the pre-merger/acquisition days.

Security policies should detail the topics addressed in training, and define in clear terms how to respond to requests for information. By making these issues a matter of policy an employee can deny inappropriate information requests without worry.

Automated enforcement and monitoring of policies further takes the onus off employees - they no longer need to make judgment calls, nor can they be pressured, bullied or coerced into responding to a social engineer's attack. Develop policies in tandem with representatives from throughout the company: every employee is a stakeholder in security and should feel as if they are a valued participant in protecting company data, not a mistrusted child who is being watched and controlled every moment of the day.

The security policy must detail how an employee should report requests for information that they feel are suspicious. This information should be noted and tracked. If a company has been targeted by a social engineer, chances are they will attempt repeated attacks - forewarned is forearmed. And never make an employee feel silly for reporting anything they find suspicious.

Most social engineers are ultimately after the information contained in corporate databases. It's critical to encrypt, audit and segregate duties for sensitive data in databases. A mature encryption solution will enable centralised management of security parameters as well as a system of integrity checks and self-protection of individual modules, user accounts, and database extensions in distributed environments and across relational databases, including internet-enabled database applications.

Database auditing is another essential requirement for truly comprehensive security and privacy implementations. Logs that track activities performed by security officers, records of user reads and updates, and unauthorised access attempts are critical. Managers can use this information to track trends, analyse potential threats, support future security planning, and assess the effectiveness of the solutions, policies and procedures already in place.

Final word

Until businesses focus on creating a culture of security and until employees understand exactly how and why to protect networks and digital assets, systems and data will remain wide open to social engineering attacks. Many businesses have made a huge mistake in making security solely an IT problem. Security has to be everyone's problem, and the processes that support real security need to be embraced by everyone from the summer student to the CEO. 

About the author

Mike Howse is European managing director of Protegrity, a provider of enterprise-wide data security management solutions for end-to-end protection for applications and sensitive data, enabling companies to deploy comprehensive security policies with centralised management and auditing.