April 2008 Volume 1, Issue 3
From the Desk of David Badertscher
SOCIAL ENGINEERING: ARE YOU AT RISK?
The term “social engineering” can be defined in various ways, relating to both physical and cyber aspects of that activity. For the purposes of the discussion in this newsletter, social engineering is referred to as an approach to gain access to information, primarily through misrepresentation, and often relies on the trusting nature of most individuals. It involves the conscious manipulation of people to obtain information without the individual realizing that a security breach is occurring. Most users are familiar with email phishing scams (a form of social engineering) and have been taught not to open attachments from unknown or untrusted sources or to visit untrusted web sites. There are other ways that a perpetrator may prey on the trusting human nature to gain access to information or systems.
Below are several examples of social engineering methods, many of which rely on direct contact with an individual, along with suggestions to minimize the likelihood that such methods will be successful.
IMPERSONATION
In this situation, the perpetrator pretends to be someone else – for example, impersonating a senior official from your organization or someone from your Help Desk. The impersonation may occur over the telephone, in person, or via email. The perpetrator may try to make you feel obligated to assist, or under pressure to follow their directions. They may use intimidation or a false sense of urgency to seek your cooperation – prompting you to react before you’ve fully thought through the consequences.
Remember to follow your internal procedures when responding to requests for sensitive or confidential information. Never give out your password to anyone, even if they claim to be from “technical support.”
PIGGYBACKING or TAILGATING
All too often, people will hold the door open for someone entering into a secure area or building without even knowing who the individual is or asking where they are going. The unauthorized individual may pretend to be a delivery person, a visitor, or even a fellow employee. Be cautious if an unknown or unauthorized individual is trying to follow you through access doors.
SHOULDER SURFING
This scenario refers to the ability of an attacker to gain access to information by simply watching what you are typing or seeing what is on your computer screen. This is known as “shoulder surfing,” and can also be done by looking through a window, doorway, or simply listening in on conversations. Be aware of your work environment and who is around you when you are working with confidential information, or even when you are typing in your password. Do not let others see you type your password, and protect your computer screen from unauthorized viewing. Computers in public areas should not have the monitors facing outward.
BAITING
This scenario involves an attacker asking a variety of seemingly innocuous questions designed to “catch” the right answers. The attack is often done over the telephone but can also be done in person. Items of conversation can also be introduced based upon replies received. Small amounts of facts are interjected at the right time into the conversation to make requests for information sound legitimate. Information you know could be valuable to an attacker–whether that information is about your work environment, fellow employees, projects, or personal information–must be handled with extreme care. Be mindful of what you say to whom.
SURVEYS
Many of us have no doubt been recipients of requests to participate in surveys-whether online, via telephone or otherwise. The surveys may be for legitimate purposes or might be a scam. In either case, be aware of unwittingly disclosing information that may be used inappropriately. For example, disclosure of details about your organization, its network or infrastructure could prove extremely useful to someone with malicious intent. If you receive a survey request, you should contact the sponsoring organization to ensure the survey is legitimate, and make sure you are not sharing sensitive or confidential information with unauthorized individuals or organizations.
DUMPSTER DIVING
Do you shred all unneeded confidential or sensitive documents? Searching through trash (“dumpster diving”) is a method used by perpetrators to obtain sensitive information. When confidential and sensitive documents are no longer needed, be sure to shred or properly destroy them in accordance with your organization’s records retention policy.
PUTTING IT ALL TOGETHER
The scenarios above represent just a few types of social engineering attempts you may encounter. By following some common sense rules and using your best judgment, you can defend against these attacks and better protect yourself and your information:
1 Before releasing any information to anyone, it is essential to at least establish: the sensitivity of the information, your authority to exchange or release the information, the real identity of the third party (positive identification), and the purpose of the exchange.
2.Be aware of your surroundings. Make sure you know who is in range of hearing your conversation or seeing your work. Computer privacy screens are a great way to deter shoulder surfing in public places.
3.Before you throw something in the trash, ask yourself, “Is this something I would give to an unauthorized person or want to become publicly available?” If you are not certain, always err on the side of caution and shred the document or deposit it in a secure disposal container.
4.If you don’t know someone who is in a restricted area, look for a badge or a visitor pass. If you are unsure about their authorization or access permission, report the situation to the appropriate staff.
SECURITY NEWS UPDATE FROM CERTSTATION TMA:
Dutch transit card crippled by multihacks Wed, Apr 16 2008
The introduction of the Dutch public RFID transit pass will be delayed because it can be easily hacked. The final blow was given by researchers from Royal Holloway, University of London, who confirmed earlier findings by Dutch Institute TNO that the card isn’t properly secured.
Researchers uncover undetectable chip hack Wed, Apr 16 2008
For years, hackers have focused on finding bugs in computer software that give them unauthorised access to computer systems, but now there’s another way to break in: hack the microprocessor.
Regulatory compliance ‘irrelevant’ to security Tue, Apr 15 2008
Companies who get hung up on regulatory compliance are developing a false sense of security which leaves them just as open to malware attacks the chief exec of tools vendor Protegrity has warned.
Criminals phish for CEOs via fake subpoenas Tue, Apr 15 2008
Panos Anastassiadis didn’t click on the fake subpoena that popped into his in-box on Monday morning, but he runs a computer security company. Others were not so lucky.
For more monthly cyber security tips, please visit: www.msisac.org/awareness/news/
Brought to you by: