Secure your Data – Social Engineering Techniques and Prevention

javajolt

A recent news story made me realize how human emotions and thoughts can be (or are) used for others’ benefit. Almost every one of you knows Edward Snowden, the whistleblower on NSA snooping the world over.

Reuters reported that he got around 20-25 NSA people to hand over their passwords to him, which he used to retrieve some of the data he later leaked [1]. Imagine how fragile your corporate network can be, even with the strongest and best of security software!

What is Social Engineering

Human weakness, curiosity, emotions, and other characteristics have often been used to extract data illegally – be it any industry. The IT industry has, however, given it the name of social engineering. I define social engineering as:

“The method whereby an external person gains control over one or more employees of any organization by any means with the intention to obtain the organization’s data illegally”

Here is another line from the same news story [1] that I want to quote: “Security agencies are having a hard time with the idea that the guy in the next cubicle may not be reliable”. I modified the statement a bit to fit it into the context here. You can read the full news piece using the link in the References section.

In other words, you do not have complete control over the security of your organization, with social engineering evolving much faster than the techniques to cope with it. Social engineering can be anything like calling someone up, saying you are tech support, and asking them for their login credentials. You must have received phishing mails about lotteries, rich people in the Middle East and Africa wanting business partners, and job offers asking you for your details.

Unlike phishing attacks, social engineering is much more of a direct person-to-person interaction. The former (phishing) employs a bait – that is, the people “fishing” are offering you something, hoping that you will fall for it. Social engineering is more about winning the confidence of internal employees so that they divulge the company details you need.

Known Social Engineering Techniques

There are many, and all of them use basic human tendencies to get into the database of an organization. The most used (probably outdated) social engineering technique is to call and/or meet people and make them believe the caller is from technical support and needs to check their computer. They can also create fake ID cards to establish confidence. In some cases, the culprits pose as state officials.

Another famous technique is to get your own person employed in the target organization. Now, since this con is your colleague, you might trust him with company details. The external employee might help you with something so you feel obliged, and that is when they can extract the most.

I also read some reports about people using electronic gifts. A fancy USB stick delivered to you at your company address or a pen drive lying in your car can prove disastrous. In one case, someone deliberately left some USB drives in the parking lot as bait [2].

If your company network has good security measures at each node, you are blessed; otherwise, these nodes provide an easy passage for malware – in those gift or “forgotten” pen drives – to the central systems.

As such, we cannot provide a comprehensive list of social engineering methods. It is a science at the core, combined with art on top. And you know that neither of them has any boundaries. Social engineers keep getting creative, while also developing software that can misuse wireless devices to gain access to company Wi-Fi.

Prevent Social Engineering

Personally, I do not think there is any theorem that admins can use to prevent social engineering hacks. Social engineering techniques keep changing, and hence it becomes difficult for IT admins to keep track of what is happening.

Of course, there is a need to keep a tab on social engineering news so that one is informed enough to take appropriate security measures. For example, in the case of USB devices, admins can block USB drives on individual nodes, allowing them only on the server that has a better security system. Likewise, Wi-Fi would need better encryption than most of the local ISPs provide.

Training employees and conducting random tests on different employee groups can help identify weak points in the organization. It would be easy to train and caution the weaker individuals. Alertness is the best defense. The stress should be that login information should not be shared even with the team leaders – irrespective of the pressure. If a team leader needs to access a member’s login, s/he can use a master password. That is just one suggestion to stay safe and avoid social engineering hacks.

The bottom line is that, apart from malware and online hackers, IT people need to take care of social engineering too. While identifying methods of data breach (like writing down passwords etc.), the admins should also ensure their staff is smart enough to identify a social engineering technique and avoid it altogether. What do you think are the best methods to prevent social engineering? If you have come across any interesting case, please share it with us.

Sources: TWC

In-depth Research References: if you notice below, I have added spoilers; by clicking Show, the text will appear internally, eliminating the need to open a source outside W8NI....system admin.

1

(Reuters) - Former U.S. National Security Agency contractor Edward Snowden used login credentials and passwords provided unwittingly by colleagues at a spy base in Hawaii to access some of the classified material he leaked to the media, sources said.

A handful of agency employees who gave their login details to Snowden were identified, questioned and removed from their assignments, said a source close to several U.S. government investigations into the damage caused by the leaks.

Snowden may have persuaded between 20 and 25 fellow workers at the NSA regional operations center in Hawaii to give him their logins and passwords by telling them they were needed for him to do his job as a computer systems administrator, a second source said.

The revelation is the latest to indicate that inadequate security measures at the NSA played a significant role in the worst breach of classified data in the super-secret eavesdropping agency's 61-year history.

Reuters reported last month that the NSA failed to install the most up-to-date, anti-leak software at the Hawaii site before Snowden went to work there and downloaded highly classified documents belonging to the agency and its British counterpart, Government Communication Headquarters.

It is not clear what rules the employees broke by giving Snowden their passwords, which allowed the contractor access to data that he was not authorized to see.

Snowden worked at the Hawaii site for about a month last spring, during which he got access to and downloaded tens of thousands of secret NSA documents.

COVERING TRACKS

"In the classified world, there is a sharp distinction between insiders and outsiders. If you've been cleared and especially if you've been polygraphed, you're an insider and you are presumed to be trustworthy," said Steven Aftergood, a secrecy expert with the Federation of American Scientists.

"What agencies are having a hard time grappling with is the insider threat, the idea that the guy in the next cubicle may not be reliable," he added.

Officials with the NSA and the Office of Director of National Intelligence declined to comment due to a criminal investigation related to Snowden, who disclosed previously secret U.S. government mass surveillance programs while in Hong Kong in June and then fled to Russia where he was granted temporary asylum.

People familiar with efforts to assess the damage to U.S. intelligence caused by Snowden's leaks have said assessments are proceeding slowly because Snowden succeeded in obscuring some electronic traces of how he accessed NSA records.

The sources did not know if the NSA employees who were removed from their assignments were given other duties or fired.

While the U.S. government now believes it has a good idea of all the data that Snowden could have accessed, investigators are not positive which and how much of that data Snowden actually downloaded, the sources said.

Snowden and some of his interlocutors, such as former Guardian writer Glenn Greenwald, have said that Snowden provided NSA secrets only to media representatives such as Greenwald, filmmaker Laura Poitras, and a reporter with the British newspaper.

They have emphatically denied that he provided any classified material to countries such as China or Russia.

The revelation that Snowden got access to some of the material he leaked by using colleagues' passwords surfaced as the U.S. Senate Intelligence Committee approved a bill intended in part to tighten security over U.S. intelligence data.

One provision of the bill would earmark a classified sum of money - estimated as less than $100 million - to help fund efforts by intelligence agencies to install new software designed to spot and track attempts to access or download secret materials without proper authorization.

The bill also requires that the Director of National Intelligence set up a system requiring intelligence contractors to quickly report to spy agencies on incidents in which data networks have been penetrated by unauthorized persons.

2
Workers at the Dutch offices of DSM, a chemical company, report finding USB sticks in the company parking lot, which appeared to have been lost. However, when the company's IT department examined the sticks, they discovered that they were loaded with malware set to autorun in company computers, which would harvest employee login credentials. It appears that criminals dropped the keys in the hopes of tricking employees into getting them into the company network.
« Last Edit: December 10, 2013, 01:36:29 AM by javajolt »
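
The post's advice that login information must never be shared can also be checked after the fact: one person using several colleagues' logins shows up as many distinct accounts signing in from a single workstation. The following Python code is an added example, not part of the original post or its sources; the log format, host names, account names, and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful logons: timestamp, source workstation, account.
SAMPLE_EVENTS = """\
2024-01-15T08:01:10 WS-014 alice
2024-01-15T12:30:00 WS-014 alice
2024-01-15T08:03:42 WS-022 bob
2024-01-15T09:15:00 WS-022 carol
2024-01-15T09:00:00 WS-031 dave
2024-01-15T09:20:00 WS-031 erin
2024-01-15T09:55:00 WS-031 frank
2024-01-15T10:40:00 WS-031 grace
2024-01-15T09:00:00 WS-040 heidi
2024-01-16T09:00:00 WS-040 ivan
2024-01-17T09:00:00 WS-040 judy
"""

def parse_events(text):
    """Yield (datetime, workstation, account) from whitespace-separated lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines rather than guessing
        ts, host, account = parts
        yield datetime.fromisoformat(ts), host, account.lower()

def shared_login_suspects(events, window=timedelta(hours=8), max_accounts=2):
    """Return {workstation: sorted accounts} for every workstation where more
    than max_accounts distinct accounts logged on inside one sliding window."""
    by_host = defaultdict(list)
    for ts, host, account in sorted(events):
        by_host[host].append((ts, account))
    suspects = {}
    for host, logons in by_host.items():
        start = 0
        for end in range(len(logons)):
            # Advance the left edge until the span fits inside the window.
            while logons[end][0] - logons[start][0] > window:
                start += 1
            accounts = {acct for _, acct in logons[start:end + 1]}
            if len(accounts) > max_accounts:
                suspects[host] = sorted(accounts | set(suspects.get(host, [])))
    return suspects

if __name__ == "__main__":
    for host, accounts in shared_login_suspects(parse_events(SAMPLE_EVENTS)).items():
        print(f"{host}: {len(accounts)} accounts in one window: {', '.join(accounts)}")
```

On Windows the input would typically be derived from successful-logon records (Security event ID 4624). Shared kiosks and jump hosts need their own threshold or an allow-list, otherwise they will always be flagged.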