Last week we took a look at some of the main social engineering threats that you, your company or your employees should be looking out for. In a nutshell, social engineering is similar to a confidence trick whereby an attacker gains access, information or money by gaining the victim’s trust.
These techniques can range from phishing scams via email to elaborate phone tricks and invasive pretexting attacks. While there’s no definitive way of stopping social engineers there are a few things to remember to prevent these kind of attacks becoming too serious. As ever, your best defence is knowledge and constant vigilance.
Protecting Against Physical Attacks
Many companies educate their network security team about the dangers of physical attack. A method known as “tailgating” is used in many physical attacks to gain access to areas restricted without authorization. This attack preys on basic human courtesy – holding a door for someone – but once the attacker gains physical access the security breach becomes very serious.
While this doesn’t really apply in a home scenario (you’re unlikely to hold your front door open for a stranger now, are you?) there are a few things you can do to reduce the chances of falling victim to a social engineering attack that depends on physical materials or a location.
Pretexting is a technique used by attackers who first find information about their victim (e.g. from a bill or credit card statement) which they can then use against their victim by convincing them they have a sense of authority. The most basic protection against this kind of attack (sometimes referred to as “dumpster diving”) is by destroying any materials that contain important, personal information.
This also goes for digital data, so old hard drives should be adequately destroyed (physically) and optical media can also be shredded. Some companies even take this to such an extent that they lock their refuse and have security monitor it. Consider the unshredded paperwork you throw away – calendars, receipts, invoices and even personal memos – and then consider if this information could be used against you.
The thought of a burglary isn’t a particularly nice one, but if your laptop was stolen tomorrow would it be adequately locked down? Laptops, smartphones and other devices that access your personal information, email and social networking accounts should always be protected with secure passwords and codes. If you’re really paranoid about theft you might even want to encrypt the data on your hard drive using something like TrueCrypt or BitLocker.
Remember – any information a thief can extract may be used against you in future attacks, months or years after the incident.
Baiting – leaving a malicious device such as compromised USB stick where it can be easily found – is easily avoided by not letting your curiosities get the better of you. If you find a USB stick on your porch, treat it with the utmost suspicion. USB sticks can be used to install keyloggers, trojans and other undesirable software to extract information and present a very real threat.
Preventing Psychological Attacks
Nearly all social engineering attacks are psychological by their very definition, but unlike pretexting which requires prior knowledge, some attacks are purely psychological. Protecting against these sorts of attacks is currently a big priority for a lot of companies, and this involves education, vigilance and often thinking like an attacker.
Companies are now beginning to educate staff on every level, as most attacks start with the security guard on the gate or the receptionist at the front desk. This generally involves instructing employees to beware of suspicious requests, pushy individuals or anything that just doesn’t add up. This vigilance is easily transferable into your daily life but depends on your ability to identify requests for information that is confidential.
While online attacks via email and instant messaging are increasingly frequent, social engineering attacks via telephone (and VoIP, which makes it harder to trace the source) are still a real threat. The simplest way of avoiding an attack is to terminate the call the second you suspect anything.
It is possible that your bank will call you, but rare that they would ask for your password or other information outright. If such a call takes place, request the bank’s telephone number, double-check it and call them back. It might take an extra five minutes, but your funds and personal information are safe and the bank will understand. Similarly, a security company is very unlikely to call in order to warn you of problems with your computer. Treat all calls as a scam, be suspicious and don’t compromise your PC or buy what they’re selling!
Education is the best defense, so keeping abreast of security techniques and news will help you spot a potential attack. Resources like Social-Engineer.org attempt to educate people of the techniques used by social engineers, and there is a lot of information available.
A Few Things To Remember
Confidence is a social engineer’s main tactic and will be used to gain access to physical locations, confidential information and, on a grander scale, sensitive company data. A system is only as strong as its weakest defence, and in the case of social engineering this means individuals who are unaware of the threats and techniques used.
To quote Kevin Mitnick who managed to wander around the largest security conference in the world, unbadged and unchecked (RSA 2001): “You could spend a fortune purchasing technology and services from every exhibitor, speaker and sponsor at the RSA Conference, and your network infrastructure could still remain vulnerable to old-fashioned manipulation”. This is true for the locks on your doors and the alarm in your house, so keep an eye out for social engineering tactics at work and at home.
Have you experienced any such attacks? Do you work for a company that’s recently begun educating employees about the dangers? Let us know what you think, in the comments below.