CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney [147]
Social engineering attacks like these are easy to accomplish in most organizations. Even if your organization uses biometric devices, magnetic card strips, or other electronic measures, social engineering attacks are still relatively simple. A favorite method of gaining entry to electronically locked systems is to follow someone through the door they just unlocked, a process known as tailgating. Many people don’t think twice about this event—it happens all the time.
Famed hacker Kevin Mitnick wrote a book called The Art of Deception: Controlling the Human Element of Security (Wiley Publishing, Inc., 2002), in which 14 of the 16 chapters are devoted to social engineering scenarios that have been played out. If nothing else, the fact that one of the most notorious hackers known—who could write on any security subject he wants—chose to write a book on social engineering should emphasize the importance of the topic to you.
As an administrator, one of your responsibilities is to educate users on how to avoid falling prey to social engineering attacks. They should know the security procedures that are in place and follow them to a tee. You should also have a high level of confidence that the correct procedures are in place, and one of the best ways to obtain that confidence is to check your users on occasion.
Preventing social engineering attacks involves more than just training on how to detect and prevent them. It also involves making sure people stay alert. One form of social engineering, known as shoulder surfing, involves nothing more than watching someone while they enter sensitive data. An onlooker can see you entering a password, typing in a credit card number, or entering any other pertinent information. The best defense against this type of attack is simply to survey your environment before entering personal data.
Social engineering is easy to do, even with all of today’s technology at our disposal. Education is the one key that can help.
Don’t overlook the most common personal motivator of all: greed. It may surprise you, but people can be bribed to give away information. If someone gives out the keys, you won’t necessarily know it has occurred. Those keys can be literal—as in the keys to the back door—or figurative—the keys to decrypt messages.
The movie and book The Falcon and the Snowman detailed the accounts of two young men, Christopher Boyce and Daulton Lee, who sold sensitive United States codes to the Russians for several years. The damage they did to U.S. security efforts was incalculable. In another case, U.S. Navy Petty Officer John Walker sold electronic key sets to the Russians that gave them access to communications between the U.S. Navy and the nuclear submarine fleet in the Atlantic. Later, he sold information and keys on ground forces in Vietnam. His actions cost the U.S. Army countless lives. During the height of his activities, he recruited family members and others to gather this information for him. In each of these cases, money was the motivating factor that led them to commit these crimes.
It is often a comforting thought to think that we cannot be bought. We look to our morals and standards and think that we are above being bribed. The truth of the matter, though, is that almost everyone has a price. Your price may be so high that for all practical purposes you don’t have a price that anyone in the market would pay, but can the same be said for the other administrators in your company?
Social engineering can have a hugely damaging effect on a security system, as the previous note illustrates. Always remember that a social engineering attack can occur over the phone, by e-mail, or by a visit. The intent is to acquire