An attack vector most intricate to handle!
Preface
This document covers information
aspects on how does Social Engineering work and its countermeasures to prevent
from Hacker Techniques and exploits.
Introduction
What is 'Social Engineering'? Social
Engineering is probably most succinctly described by Harl in 'People Hacking':
“ The art and science of getting
people to comply with your wishes."
“Social engineering is the practice of
obtaining confidential information by manipulation of legitimate users. A
social engineer will commonly use the telephone or Internet to trick a person
into revealing sensitive information or getting them to do something that is
against typical policies. By this method, social engineers exploit the natural
tendency of a person to trust his or her word, rather than exploiting computer
security holes. It is generally agreed upon that “users are weakest
link” in security and this principle is what makes social engineering
possible.”
“In 1994, a French hacker named
Anthony Zboralski called the FBI office in Washington, pretending to be an FBI
representative working at the U.S. embassy in Paris. He persuaded the person at
the other end of the phone to explain how to connect to the FBI's phone
conferencing system. Then he ran up a $250,000 phone bill in seven months.”
Bruce Schneier
“Secret and Lies”
How does the Social Engineering attack cycle work?
1.
Information gathering:
There could be variety of techniques
which is used by the aggressor to gather sensitive information about the
target(s). Once this information is gathered, it can be used to build a
relationship either with the target or someone who is important to the success
of the attack.
Information that might be gathered
includes, but is not limited to only:
·
A
birth date
·
A
phone list
·
An
organization’s organizational chart
2.Developing Relationship
An aggressor will first try to build
up a good bonding with the target. He makes sure that he gains the trust of the
target which he’ll later exploit.
3.Exploitation
The target could then be manipulated
by the ‘trusted’ attacker to reveal their sensitive information like password
to carry out an action (eg. Re-enter your username pass for reversing Facebook
policies) this normally occurs. This action could be the end or the beginning
of the next phase.
4.Execution
Once the target has finished the task
requested by the attacker, the cycle is complete.
General Attack vector Facts and
figures
There are two types of Social Engineering attacks
Technical attacks
Non-technical attacks.
Non-technical attacks.
“Technical attacks are those attacks that deceive the user
into believing that the application in use is truly providing them with
security which is not the fact always.”
The most Technical attacks
Phishing
Phishing is a new term of the century which is used to take over a private
information from a user. Your natural response to this statement is, of course,
"yea but I am not so simply fooled." And of course you aren't.This
is why phishers use a technique called "social engineering".
This is generally used for cybercrimes
but sometimes it is also done through the telephone/mobile phone. The information
which is obtained is then used to commit crimes-such as logging into your
Facebook account and posting vulgar or illicit data on your wall or taking over
full control of your bank account and then transfer money. In phishing, the
aggressor never come face to face. The appearance and logos are almost same
like the original one or sometimes same as the original which requests a user
to “verify” the information and if not followed, it will lead to serious
consequences. These kind of emails appear to have come from a legitimate
business organization.
Spam e-mails
This is a mass e-mail system.
Hundreds and thousands of e-mails are sent to the victim. This is tightly
related with phishing attempt.
The Non- Technical attacks
“Non-technical attacks are those attacks that are purely perpetrated through the art of deception.”-peer to peer
Support staff
The attacker acts as a clean support
crew to help users to fix any problem. During this process they ask for their
credentials and after this procedure their account is compromised by the aggressor.
Hoaxing
It is a trick to make the user
believe that something false is real. Unlike a fraud or con, a hoax is
perpetrated as a practical funny story, to cause humiliation or to provoke
social change by making aware of something.
Authoritative Voice
The attacker can call up to the organization’s
computer help desk and pretend to have trouble accessing the system. He/she claims
to be in a hurry and needs his password reset right away and also demands to
know the password over the phone. If the aggressor adds little credibility to
his story with information that has been picked up from other social engineering
methods, the crew is more likely to believe in the attacker’s fake story and do
as requested.
Countermeasures to prevent Social Engineering
The question might arise in your
mind. How can you fully protect against Social Engineering attack? Is there a
way? The answer is almost ‘No’. For the simple reason that no matter whatever
controls are implemented, there will always be the possibility of the human
exploitation being influenced by a social, political or sophisticated behavior.
Nevertheless, as with any risk, there
are ways in which we can diminish the risks by following some useful tricks. But
one can never guarantee that he/she will never be a victim/target of Social Engineering
attack.
However, you can follow the following
ways to protect against Social Engineering. Do never reveal information like:
Ø Usernames
Ø Passwords
Ø ID numbers
Ø PIN numbers
Ø Server names
Ø System information
Ø Credit card numbers
Ø Schedules
Summary
The skilled application of Social
Engineering can be a danger to the protection of any organization. As a
security professional, it is vital to understand the significance of this
hazard and the way in which it can be manifested. Only then can appropriate countermeasures
be employed and sustain in order to guard an organization on a regular basis.
No comments:
Post a Comment