Like con men and grifters, criminal hackers (a.k.a. crackers) are talented people persons. The infamous Kevin Mitnick, for example, conducted most of his corporate intrusions by telephone, relying on the gullibility and friendly helpfulness of real people to talk his way into corporate networks. These social-engineering attacks, often precursors to computer-network attacks, are still a real and present danger, and they were a hot topic at this year's RSA Conference in San Francisco. So I thought it would be worth explaining social-engineering attacks further and offering some pointers on how to protect both your company and yourself.
Loose lips sink ships
Speaking at this year's RSA, Ira Winkler, a former financial analyst for the National Security Agency (NSA) and now a security consultant, offered several examples of real-world social-engineering attacks. Winkler himself was once hired by a large financial institution and given just four days to gain access to its internal network. Did he start his mission on the Internet? No, he began by calling the local office of the financial institution and asking for the company's annual stockholder report.
The report--rich in detail of the company's internal structure, including the names and contact info for corporate officers--allowed Winkler to select one upper-level manager who had launched a new corporate initiative. Winkler then called that manager's office, posing as a corporate human resources agent wanting to do a news bit for the internal company newsletter. While gushing on about her boss, the manager's secretary confirmed to Winkler the manager's employee ID number, along with other details.
Winkler could have followed any number of roads to get this information. He could have called pretending to be from the company's travel department or listened to out-of-the-office phone messages providing dates of the absence, names of internal projects, or the name and number of an immediate supervisor. In other words, what might be random, trivial information to you is sometimes just enough to help an outsider crawl deep into the heart of your corporation.
What ultimately worked for Winkler, however, was a copy of the company's internal phone directory. He obtained it by first calling the company's graphics department with a bogus PowerPoint order, so that he could learn how the company's internal billing process worked; he then called the mail room to obtain the company's Federal Express account number. With both pieces of information, Winkler ordered himself a company directory, charged it to a department he didn't work for, and had it delivered to him overnight by FedEx.
Using the directory and what he had learned from the upper-level manager's secretary, Winkler called the company's IT department. He pretended to be a middle manager out on the road with a new laptop, unable to log on to the company's VPN. Needless to say, Winkler beat the institution's four-day deadline for getting onto its internal network.
Aside from the telephone, Winkler cited other ways crackers score information. Among them: good old dumpster diving, shoulder surfing (reading a password as it's typed, say, on the train), outright theft (a backup tape, a notebook, a PDA, or a prototype model), and finally, getting hired into a low-level job at the target. It's common, said Winkler, for criminal hackers to apply for jobs as janitors or mail-room assistants at a targeted company.
Protect yourself and your company
Want to protect yourself and your company? Start by recognizing that the urge to help others is human nature, and that this same urge can undo tight security practices. Winkler's security mantra is "No common sense without common knowledge." He feels (and I agree) that if everyone on staff is aware of the danger in leaking even trivial corporate information, outsiders won't be able to gain an easy foothold.
So here are 10 things that you and your company can do to prevent potential losses through a social-engineering attack:
- Activate caller ID at work. Calls within my company, for example, display the name of the person calling. Bear in mind that caller ID on outside calls can be spoofed, so treat it as a hint about who is calling, not as proof.
- Set your company's outbound caller ID to display only the front desk's phone number, not individual phone extensions.
- Implement a company call-back policy. If someone calls asking for information about the company, say you'll call them back, then dial a number from your own corporate directory or go through their company's switchboard operator, never a number the caller gives you.
- Be mindful of what you put in out-of-the-office messages. Don't leave your supervisor's full name, for example. A skilled cracker could call another department, explain that your supervisor is breathing down his neck because you're on vacation, and plead for access to one particular account. In this case, a little knowledge goes a long way.
- Never allow anyone you don't know to piggyback physical access into a room on your security ID card.
- Challenge strangers. Ask whether you can take them to someone's office, or escort them outside.
- Get to know your IT support staff. That way, if a stranger calls claiming to be from IT and asks for your network password (which you should never give out anyway), you can say no and hang up with confidence.
- Never write your network password on a Post-it Note or tape it under your keyboard; crackers who get inside the building know where to look.
- Periodically run a Google search on your company and scrutinize what sensitive company information is visible outside your corporate firewall.
- Institute a companywide security alert system. Have anyone who receives a suspicious phone call report it to a single, easy-to-remember e-mail address, something like email@example.com.