
Information Systems Control Journal, Volume 2, 2002

Social Engineering: A Tip of the Iceberg

By Pramod Damle, CISA, CQA, CAIIB

As information technology has evolved toward constructive ends, antisocial elements have quickly followed, and today one of the biggest problems facing IT is hacking. Though many talk about firewalls, encryption and digital signatures as means of protection, too little is known, and still less practiced, about protecting against the phenomenon of social engineering.

Well-known author Rudyard Kipling wrote of his six most obedient servants—what, when, why, who, where and how.1 Using Kipling's concept to better understand social engineering, ask:

  • What is it?
  • When did it all start?
  • Why is it a threat worth considering?
  • Who could do it?
  • Where is more focus needed?
  • How is it combated?

What Is Social Engineering?

Social engineering involves gaining sensitive information or unauthorized access privileges by building inappropriate trust relationships with insiders. It is the art of manipulating people into speaking or acting contrary to their normal manner. The goal of a social engineer is to fool someone into providing valuable information or access to that information. Social engineers prey on human behavior, such as the desire to be helpful, the tendency to trust people and the fear of getting into trouble. The sign of truly successful social engineers is that they receive the information without arousing any suspicion.

Social engineering is used among crackers and samurai, or attackers, for cracking techniques that rely on weaknesses in wetware rather than in software; the aim is to trick people into revealing passwords or other information that compromises a target system's security.2

Simply put, social engineering is the craft of getting people to comply with another person's desires. It is not mind control, it will not allow someone to get people to perform tasks wildly outside of their normal behavior, and it is far from foolproof. It involves more than quick thinking and a variety of amusing characteristics. Social engineering can involve a lot of groundwork and information gathering before an attempt at gaining information is ever made. Like hacking, most of the work is in the preparation, rather than the attempt itself.3

Social Engineering's Beginnings

Such methods of deceit have been used throughout history.

Automated teller machine (ATM) fraud over the last decade is an example. In one memorable instance, criminals installed a phony ATM at a remote location, fooling bank customers into believing that it was genuine. After they used the ATM, the victims' passwords and a snapshot of the cards were used to make fake cards and clean out the bank accounts.

Another example is the Love Bug virus. This virus played on the psychological need of human beings to be loved. Only after the person opened the e-mail did they discover that they were loved in a way they would hopefully never be loved again.4

It is not only the individual who is targeted but large corporations as well. For example, AOL was a target of hackers through customer service representatives who had access to the company's main member database. The hackers targeted employees who had the authority to bump people off their accounts and reset passwords and had access to personal and billing information. Hackers were able to illegally break into 200 of AOL's member accounts by targeting key company employees with an e-mail virus.5

Threat of Social Engineering

Risk associated with social engineering is extremely high. Insiders tend to divulge valuable information to the social engineers posing as genuine recipients of information.

Therefore, security must begin in the user's mind and cannot be embedded in the technology alone. If an employee in possession of a vital resource divulges it unknowingly, the entire security architecture could be ruined. Notorious hacker Kevin Mitnick said, "The weakest link in the security chain is the human element," according to a 3 March 2000 article in the Washington Post. He went on to say that in more than half of his successful network exploits he gained information about the network, sometimes including access to the network, through social engineering.6

Areas of Vulnerability

The miscreants could be broadly classified in two categories: those who gather information using traditional methods of communication (either in person or over telephone) and those who resort to modern computing devices for the interaction (software, e-mail and web).7

Human-based social engineering includes tricks like impersonation, posing as a VIP user, offering a cursory third-party reference for authorization or pretending to be a tech support member. It also includes watching somebody else's password while it is being keyed in (shoulder surfing), getting pieces of data from the garbage to discover a meaningful piece of information (dumpster diving) and similar tricks.

Computer-based hacking attempts may use pop-up windows requesting a password to reconnect to the net or attachments in an e-mail. This may be further aggravated by the numerous capabilities of web sites, such as hyperlinks, cookies, payment gateways and personal agents/wallets. This brings to the forefront another possible risk: hacking by those hired on contract for various services. For example, it would be quite easy for scavengers and cleaners from the maintenance firm to attach a device, such as a KeyGhost, to the keyboard cable and capture everything that is typed on the keyboard.8

Consider the well-known quote of Bruce Schneier, CTO, Counterpane Internet Security, Inc., "Always remember: Amateurs hack systems. Professionals hack people."9 Once experienced hackers decide to commit a social engineering attack, things quickly escalate to alarming levels. It may be worthwhile to note that social engineering is not an impromptu attack, but requires a tremendous amount of preparatory work.

Yet another feature of social engineering-driven hacking is the use of psychology, or the in-depth study and understanding of the behavior patterns of the human mind, and the application of this knowledge. Examples of using psychology to hack include the use of catchy baits, like sensory appeals and chance of ingratiation; dominating tricks, like authoritative orders and apparent urgency; and plausible appeals, like moral duty. Hackers also may employ complex principles such as diffusion of responsibility, group dynamics and social proof. Jonathan Rusch of the US Department of Justice described how the advanced psychological points, such as alternative routes to persuasion and influence techniques, have been used in social engineering.10

Protecting Against Attack

As described earlier, the roots of social engineering are found within psychology, and so the solution also should be based predominantly upon psychology. This approach is termed social reengineering. In this approach, users are taught the behavioral risks to security and the tricks played by criminals. This method gives users knowledge of the practices of social engineering and its application of psychology, making them alert to the probable risks of divulging crucial information to hackers.

A three-phased approach is helpful in combating social engineering:

  • Employee education/training
  • Policies and procedures
  • Penetration tests to gauge adherence to policies

Training should elaborate on the nature and risk of social engineering, along with examples to illustrate the threat and exposure. It also should cover the ways and means of resisting the attacks, to create the right kind of cautious attitude.

Needless to say, an organization must have an information security policy in place that tells the insiders what they are expected to do and not to do, as well as the reaction to any breaches.

Finally, penetration tests, where experts carry out the social engineering attacks to find the weaknesses and to correct them, also may be arranged. Prior to any penetration tests, it would be beneficial to consider the possibility of adverse effects on morale and employee sentiment, an important asset to any company. A briefing exercise before the test and a follow-up debriefing may help avoid any undesirable impacts.11

Preventing Social Engineering Attacks

Although risk exists almost everywhere (including even the noncomputerized functions), the real and high-risk exposures are in the areas where employees:

  • Have access to plenty of private/confidential information
  • Interact with many customers/public
  • Are not made aware of social engineering threats

Thus, typical positions vulnerable to social engineering attacks are:

  • Secretaries/executive assistants
  • Database administrators/network administrators
  • Computer operators
  • Call center operators
  • Help desk attendants
  • General users in possession of confidential data

Complexities Do Not End Here

Intricacies and severities are bound to be on the rise in the future, as social engineering tricks get increasingly cunning and compounded with other techniques.

End Notes

1 Kipling, Rudyard,
2 Orr, Chris, "Social Engineering: A Backdoor to the Vault,"
3 Harl, "The Psychology of Social Engineering" from presentation at Access All Areas III, 5 July 1997
4 Palumbo, John, "Social Engineering: What is it, why is so little said about it and what can be done?,"
5 Hu, Jim, "AOL Boosts E-mail Security After Attack," CNET, 19 June 2000
6 Otis, Brig, "Physical Security/Social Engineering"
7 Tims, Rick, "Social Engineering: Policies and Education a Must"
8 Higgins, Scott, "Physical Penetrations: The Art of Advanced Social Engineering"
9 Rybczynski, William, "IS Security User Awareness Social Engineering & Malware," 18 November 2000
10 Rusch, Jonathan J., "The 'Social Engineering' of Internet Fraud," proceedings/3g/3g_2.htm
11 Kabay, M. E., "Social Engineering Simulations," Network World Security Newsletter, 18 December 2000,

Pramod Damle, CISA, CQA, CAIIB
is a professor and the head of IT at YASHADA, Pune, India, where he trains government officials on IT, IS audit and system security. Additionally, he has been the IT auditor for a number of banks and financial institutions. With several articles and a book to his credit, Damle also is involved in the academics of Pune University, Institute of Company Secretaries of India and Indian Institute of Bankers. He can be contacted at [email protected].

2009 ISACA All rights reserved.