Information Systems Control Journal, Volume 2, 2002
Social Engineering: A Tip of the Iceberg
By Pramod Damle, CISA, CQA, CAIIB
With the evolution of information technology towards constructive
causes, antisocial elements have quickly followed and today one of the
biggest problems faced by IT is hacking. Though many talk about
firewalls, encryption and digital signatures as means of protection,
too little is known, and still less practiced, to protect against the
phenomenon of social engineering.
Well-known author Rudyard Kipling wrote of his six most obedient servants—what, when, why, who, where and how.1 Using Kipling's concept to better understand social engineering, ask:
- What is it?
- When did it all start?
- Why is it a threat worth considering?
- Who could do it?
- Where is more focus needed?
- How is it combated?
What Is Social Engineering?
Social engineering involves gaining sensitive information or
unauthorized access privileges by building inappropriate trust
relationships with insiders. It is the art of manipulating people into
speaking/acting contrary to their normal manner. The goal of a social
engineer is to fool someone into providing valuable information or
access to that information. They prey on human behavior, such as the
desire to be helpful, the attitude to trust people and the fear of
getting in trouble. The sign of truly successful social engineers is
that they receive the information without any suspicion.
Social engineering is used among crackers and samurai, or attackers,
for cracking techniques that rely on weaknesses in wetware rather than
in software; the aim is to trick people into revealing passwords or
other information that compromises a target system's security.2
Simply put, social engineering is the craft of getting people to
comply with another person's desires. It is not mind control, it will
not allow someone to get people to perform tasks wildly outside of
their normal behavior, and it is far from foolproof. It involves more
than quick thinking and a variety of amusing characteristics. Social
engineering can involve a lot of groundwork and information gathering
before an attempt at gaining information is ever made. Like hacking,
most of the work is in the preparation, rather than the attempt itself.3
Social Engineering's Beginnings
Such methods of deceit have been used throughout history.
Automated teller machine (ATM) fraud over the last decade is an
example. In one memorable instance, criminals installed a phony ATM at
a remote location, fooling bank customers into believing that it was
genuine. After they used the ATM, the victims' passwords and a snapshot
of the cards were used to make fake cards and clean out the bank
Another example is the Love Bug virus. This virus played on the
psychological need of human beings to be loved. Only after the person
opened the e-mail did they discover that they were loved in a way they
would hopefully never be loved again.4
It is not only the individual who is targeted but large corporations
as well. For example, AOL was a target of hackers through customer
service representatives who had access to the company's main member
database. The hackers targeted employees who had the authority to bump
people off their accounts and reset passwords and had access to
personal and billing information. Hackers were able to illegally break
into 200 of AOL's member accounts by targeting key company employees
with an e-mail virus.5
Threat of Social Engineering
Risk associated with social engineering is extremely high. Insiders
tend to divulge valuable information to the social engineers posing as
genuine recipients of information.
Therefore, security must begin in the user's mind and cannot be
embedded in the technology alone. If an employee in possession of vital
resource divulges it unknowingly, the entire security architecture
could be ruined. Notorious hacker Kevin Mitnick said, "The weakest link
in the security chain is the human element," according to a 3 March
2000 article in the Washington Post. He went on to say that in
more than half of his successful network exploits he gained information
about the network, sometimes including access to the network, through
Areas of Vulnerability
The miscreants could be broadly classified in two categories: those
who gather information using traditional methods of communication
(either in person or over telephone) and those who resort to modern
computing devices for the interaction (software, e-mail and web).7
Human-based social engineering includes tricks like impersonation,
posing as a VIP user, offering a cursory third-party reference for
authorization or pretending to be a tech support member. It also
includes watching somebody else's password while it is being keyed in
(shoulder surfing), getting pieces of data from the garbage to discover
a meaningful piece of information (dumpster diving) and similar tricks.
Computer-based hacking attempts may use pop-up windows requesting a
password to reconnect to the net or attachments in an e-mail. This may
further be aggravated by the numerous capabilities of web sites, such
as hyperlinks, cookies, payment gateways and personal agents/wallets.
Bringing to the forefront another possible risk—hacking by those hired
on contract for various services. For example, it would be quite easy
for scavengers and cleaners from the maintenance firm to implant a
device, such as a KeyGhost, to the keyboard cable and capture
everything that is typed on the keyboard.8
Consider the well-known quote of Bruce Schneier, CTO, Counterpane
Internet Security, Inc., "Always remember: Amateurs hack systems.
Professionals hack people."9 Once
experienced hackers decide to commit a social engineering attack,
things quickly escalate to alarming levels. It may be worthwhile to
note that social engineering is not an impromptu attack, but requires a
tremendous amount of preparatory work.
Yet another feature of social engineering-driven hacking is the use
of psychology, or the in-depth study and understanding of the behavior
patterns of the human mind, and the application of this knowledge.
Examples of using psychology to hack include the use of catchy baits,
like sensory appeals and chance of ingratiation; dominating tricks,
like authoritative orders and apparent urgency; and plausible appeals,
like moral duty. Hackers also may employ complex principles such as
diffusion of responsibility, group dynamics and social proof. Jonathan
Rusch of the US Department of Justice described how the advanced
psychological points, such as alternative routes to persuasion and
influence techniques, have been used in social engineering.10
Protecting Against Attack
As described earlier, the roots of social engineering are found
within psychology, and so the solution also should be predominantly
based upon psychology. This approach is termed social reengineering. In
this approach, users are taught the behavioral risks to security and
the tricks played by criminals. This method provides the users with a
knowledge of the practices of social engineering and its application of
psychology, making the users alert to the probable risks of divulging
crucial information to hackers.
A three-phased approach is helpful in combating social engineering:
- Employee education/training
- Policies and procedures
- Penetration tests to gauge adherence to policies
Training should elaborate on nature and risk associated with social
engineering along with the examples to illustrate the threat and
exposure. It also should cover ways and means to resist the attacks to
create the right kind of cautious attitudes.
Needless to say, an organization must have an information security
policy in place that tells the insiders what they are expected to do
and not to do, as well as the reaction to any breaches.
Finally, penetration tests, where experts carry out the social
engineering attacks to find the weaknesses and to correct them, also
may be arranged. Prior to any penetration tests, it would be beneficial
to consider the possibility of adverse effects on morale and employee
sentiment, an important asset to any company. A briefing exercise
before the test and a follow-up debriefing may help avoid any
Preventing Social Engineering Attacks
Although risk exists almost everywhere (including even the
noncomputerized functions), the real and high-risk exposures are in the
areas where employees:
- Have access to plenty of private/confidential information
- Interact with many customers/public
- Are not made aware of social engineering threats
Thus, typical positions vulnerable to social engineering attacks are:
- Secretaries/executive assistants
- Database administrators/network administrators
- Computer operators
- Call center operators
- Help desk attendants
- General users in possession of confidential data
Complexities Do Not End Here
Intricacies and severities are bound to be on the rise in the
future, as social engineering tricks get increasingly cunning and
compounded with other techniques.
1 Kipling, Rudyard,www.kipling.org.uk/kip_fra.htm
2 Orr, Chris, "Social Engineering: A Backdoor to the Vault," www.sans.org/infosecFAQ/social/backdoor.htm
3 Harl, "The Psychology of Social Engineering" from presentation at Access All Areas III, 5 July 1997
4 Palumbo, John, "Social Engineering: What is it, why is so little said about it and what can be done?," www.sans.org/infosecFAQ/social/social.htm
5 Hu, Jim, "AOL Boosts E-mail Security After Attack," CNET News.com, 19 June 2000
6 Otis, Brig, "Physical Security/Social Engineering"
7 Tims, Rick, "Social Engineering: Policies and Education a Must"
8 Higgins, Scott, "Physical Penetrations: The Art of Advanced Social Engineering"
9 Rybczynski, William, "IS Security User Awareness Social Engineering & Malware," 18 November 2000
10 Rusch, Jonathan J., "The 'Social Engineering' of Internet Fraud," www.isoc.org/isoc/conferences/inet/99/ proceedings/3g/3g_2.htm
11 Kabay, M. E., "Social Engineering Simulations," Network World Security Newsletter, 18 December 2000, www.nwfusion.com/newsletters/sec/2000/00292157.html?nf
Pramod Damle, CISA, CQA, CAIIB
is a professor and the head of IT at YASHADA, Pune, India, where he
trains government officials on IT, IS audit and system security.
Additionally, he has been the IT auditor for a number of banks and
financial institutions. With several articles and a book to his credit,
Damle also is involved in the academics of Pune University, Institute
of Company Secretaries of India and Indian Institute of Bankers. He can
be contacted at [email protected].