
Tuesday, February 19, 2019

Social Engineering

Identity Theft: Social Engineering
December 5, 2011
Daniel Sama & Stacey Smith Sr
Computer Ethics CIS-324, Fall 2011
Strayer University

Abstract

Social engineering may at first seem like a topic one might encounter when talking about sociology or psychology, when in fact it is a form of identity theft. To an information technology (IT) professional, social engineering is a form of voluntary, unintentional identity theft. Many victims fail to realize they are being victimized until it is too late, while many others may never know. This paper will offer a definition of social engineering as it applies to information technology while introducing some of the pioneers of social engineering, those who have, essentially, written the book on social engineering. We will provide real-world examples of how social engineers ply their trade and provide important points to consider with regard to social engineering attacks. In conclusion we will propose countermeasures which individuals and organizations should take in order to guard against social engineering.

Social engineering, as defined by IT professionals, is the practice of deceiving someone, either in person, over the phone or using a computer, with the express intent of breaching some level of security, either personal or professional (Ledford, 2011). Implementing quality risk analysis solutions while maintaining data integrity is a crucial element of successful system modeling within the context of social engineering in the workplace; there are several factors that can make implementing those solutions rather challenging. Social engineering is a type of intrusion which relies heavily on human interaction and usually involves tricking other people into breaking normal, everyday security policies. Social engineers (SEs) often prey on the natural helpfulness of other people. When analyzing and attempting to conduct a particular attack, a SE will commonly appeal to vanity or authority, as well as use simple eavesdropping, to obtain the desired information. Social engineering, in a nutshell, is the clever manipulation of the natural human tendency to trust. This provides the unauthorized access to the valued information, system or machine.

"Never interrupt your enemy when he is making a mistake" (Bonaparte, n.d.). This is a mantra for all successful SEs, as they take any and all information about and from a target for later use against said target. The SE will gather as much information as possible about their target in advance, most of which is readily available online, usually with just a few keystrokes: anything from hobbies to their favorite lunchtime meal. This information helps build a connection and instills trust with the target. With this trust, seemingly innocuous information will start flooding out of the target. Akin to fictional spies like James Bond and Michael Weston, SEs assume a persona that is not their own and attempt to establish with their target a reasonable justification to fulfill a request. The aforementioned tactics allow the SE to maintain the facade and leave an out to avoid burning his or her information source. Bottom line: a good SE is a good actor.

"All of the firewalls and encryption in the world will never stop a gifted social engineer from rifling a corporate database or an irate employee from crashing the system," says pioneer Kevin Mitnick, the world's most celebrated hacker, who popularized the term. Mitnick firmly states in his two books, The Art of Deception and The Art of Intrusion, that it is much easier to trick someone into giving a password for a system than to spend the time using a brute-force hack or other more traditional means to compromise the integrity of sensitive data. Mitnick, who was a world-famous, controversial computer hacker in the late 1980s, was sentenced to 46 months in prison for hacking into the Pacific Bell telephone systems while evading the Federal Bureau of Investigation (FBI). The notorious hacker also allegedly wiretapped the California Department of Motor Vehicles (DMV) and compromised the FBI's and Pentagon's systems. This led Mitnick to spend the majority of his time incarcerated in solitary confinement due to the government's fear of him attempting to gain control of more sensitive information. Mitnick states in both of his aforementioned books that he compromised computers solely by using passwords and codes acquired as a result of social engineering. As a result, Mitnick was restricted from using any form of technology upon his release from prison until approximately 5 years ago. Kevin Mitnick is now the CEO of Mitnick Security Consulting, a computer security consultancy.

Social engineering awareness is being addressed at the enterprise level as a vital corporate security initiative. Security experts advise that a properly trained staff, not technology, is the best asset against social engineering attacks on sensitive information. The importance placed upon security policies is imperative when attempting to combat this type of attack. Combat strategies require action on both physical and psychological levels. This form of attack appeals to hackers because the Internet is so widely used and it evades all intrusion detection systems. Social engineering is also a sought-after method for hackers because of the low risk and low cost involved. There are no compatibility issues with social engineering: it works on every operating system. There is no audit trail, and if executed properly its effects can be completely devastating to the target. These attacks are real and staggering to any company, which is why strong corporate policies should be measured by access control and by implementing specific procedures. One of the advantages of having such policies in place is that it negates the responsibility of an employee having to make a judgment call or use discretion regarding a social engineer's request. Companies and their respective staffs have become much too relaxed as it pertains to corporate security initiatives. These attacks can potentially be costly and unnerving to management as well as the IT department.

Social engineering attacks commonly take place on two different levels: physical and psychological. Physical settings for these attacks can be anything from your office, your trash, over the telephone and even online. A rudimentary, common form of a social engineering attack is social engineering by telephone. Cunning social engineers will attempt to target the company's help desk while fooling the help desk representative into believing they are calling from inside the company. Help desks are specifically the most vulnerable to social engineering attacks since these employees are trained to be accommodating, be friendly and give out information. Help desk employees are minimally educated and get paid a below-average salary, so it is common for these individuals to answer one question and move right along to the next. This can potentially create an alarming security hole when the proper security initiative is not properly set into place. A classic example of this would be a SE calling the company operator and saying something like "Hi, I'm your AT&T rep, I'm stuck on a pole. I need you to punch a few buttons for me." This type of attack is directed at the company's help desk environment and is nearly always successful.

Other forms of attack target those in charge of making multi-million dollar decisions for corporations, namely the CEOs and chief financial officers. A clever SE can get either one of these individuals to willingly offer information pertinent to hacking into a corporation's network infrastructure. Though cases such as these are rarely documented, they still occur. Corporations spend millions of dollars to test for these kinds of attacks. Individuals who perform this specialized testing are referred to as Social Engineering Auditors. One of the premier SE auditors in the industry today is Chris Hadnagy. Hadnagy states that on any given assignment, all he has to do is perform a bit of research on the key players in the company before he is ready to strike. In most cases he will play a sympathy card, pretending to be a member of a charity the CEO or CFO may belong to and make regular donations to. In one case, he called a CEO of a corporation pretending to be a fundraiser for a charity the CEO had contributed to in the past. He stated they were having a prize drawing and named off prizes such as major league baseball tickets and gift cards to a few restaurants, one of which happened to be a favorite of the CEO. When he was finished explaining all the prizes available he asked if it would be alright to email a flier outlining all the prizes up for grabs in a PDF. The CEO agreed and willingly gave Hadnagy his corporate email address. Hadnagy further asked for the version of Adobe Reader the company used under the pretense that he wanted to make sure he was sending a PDF the CEO could read. The CEO willingly gave this information up. With this information he was able to send a PDF with malicious code embedded that gave him unfettered access to the CEO's machine and, in essence, the company's servers (Goodchild, 2011).

Not all SE attacks occur completely over the phone. Another case that Hadnagy reports on occurred at a theme park. The back story on this case is that he was hired by a major theme park concerned about software security, as their guest check-in computers were linked with corporate servers, and if the check-in computers were compromised a serious data breach could occur (Goodchild, 2011). Hadnagy began this attack by first calling the park posing as a software salesman, peddling newer PDF-reading software which he was offering free on a trial basis. From this phone call he was able to obtain the version of PDF reader the park utilized and put the rest of his plan in action. He next headed to the park with his family, walking up to one of the employees at guest services and asking if he could use one of their terminals to access his email. He was allowed to access his email to print off a coupon for admission to the park that day. What this email also allowed was to embed malicious code on to the servers, and once again he gained unfettered access to the park's servers.

Hadnagy proposes six points to ponder in regards to social engineering attacks:

* No information, regardless of its personal or emotional nature, is off limits for a SE seeking to do harm.
* It is often the person who thinks he is most secure who poses the biggest vulnerability to an organization. Executives are the easiest SE marks.
* An organization's security policy is only as good as its enforcement.
* SEs will often play to the employee's good nature and desire to be helpful.
* Social engineering should be a part of an organization's defense strategy.
* SEs will often go for the low-hanging fruit. Everyone is a target if security is low.

The first countermeasure of social engineering prevention begins with security policies. Employee readiness is essential in combating even the most cunning and sly social engineers. Just like social engineering itself, training on a psychological and physical basis is required to alleviate these attacks. Training must begin at the top with management. All management must understand that social engineering attacks stem from both a psychological and a physical angle; therefore they must implement adequate policies that can diminish the damage from an attacker while having a robust, enforceable penalty process for those that violate those policies. Access control is a good place to start when applying these policies. A competent system administrator and his IT department should work hand in glove with management in hashing out policies that control and limit users' permissions to sensitive data. This will negate the responsibility on the part of an average employee from having to exercise personal judgment and discretion when a potential attack may occur. When suspicious calls for information occur within the company, the employee should keep three questions in mind:

1. Does the person asking deserve this information?
2. Why is she/he asking for it?
3. What are the possible repercussions of giving up the requested information?

If there is a strong policy in place with enforceable penalties, these questions will help to reduce the potential for a SE attack (Scher, 2011).

Another countermeasure against a social engineering attack is to limit the amount of information easily available online. With Facebook, Twitter, Four-Square and the like, there is an overabundance of information readily available at any given moment online. By drastically limiting the amount of information available online, the SE's task of information gathering becomes that much more difficult. Throughout all of the tactics and strategies utilized when cultivating social engineering expertise, it is extremely difficult to combat human error. So when implementing employee access control and information security, it is important to remember that everyone is human. This type of awareness can also be costly, so it is important to take a practical approach to fighting social engineering. Balancing company morale and a pleasant work environment is a common difficulty when dealing with social engineering prevention and awareness. It is vital to keep in perspective that the threat of social engineering is very real and everyone is a potential target.

References

Bonaparte, N. (n.d.). BrainyQuote.com. Retrieved December 6, 2011, from BrainyQuote.com Web site: http://www.brainyquote.com/quotes/authors/n/napoleon_bonaparte_3.html
Goodchild, J. (2011). Social Engineering: 3 Examples of Human Hacking. Retrieved November 28, 2011, from www.csoonline.com Web site: http://www.csoonline.com/article/663329/social-engineering-3-examples-of-human-hacking
Fadia, A. and Manu, Z. (2008). Network Intrusion Alert: An Ethical Hacking Guide to Intrusion Detection. Boston, Massachusetts: Thompson Course Technology.
Ledford, J. (2011). Identity Theft 101: Social Engineering. Retrieved December 1, 2011, from About.com: http://www.idtheft.about.com/od/glossary/g/Social_Enginneering.htm
Long, J. and Mitnick, K. (2008). No Tech Hacking: A Guide to Social Engineering, Dumpster Diving and Shoulder Surfing. Burlington, Massachusetts: Syngress Publishing Inc.
Mann, I. (2008). Hacking the Human. Burlington, Vermont: Gower Publishing.
Mitnick, K. and Simon, W. (2002). The Art of Deception. Indianapolis, Indiana: Wiley Publishing Inc.
Mitnick, K. and Simon, W. (2006). The Art of Intrusion. Indianapolis, Indiana: Wiley Publishing Inc.
Scher, R. (2011). Is This the Most Dangerous Man in America? Security Specialist Breaches Networks for Fun & Profit. Retrieved November 29, 2011, from ComputerPowerUser.com: http://www.social-engineer.org/resources/CPU-MostDangerousMan.pdf
