After having to take some drastic measures to get the correct discontinued formula for the stain I am using in my home renovation project, I was disturbed to realize I had taken part in borderline social engineering to get what I needed. This reminded me of a term paper from my undergraduate collegiate studies.
Running head: Social Engineering
Purdue University Calumet
ITS 350, Section 1
Protection of personal information is “key” to preventing identity theft. With advancements in technology, tools and techniques have been created to protect information and resources. While these tools may prove to be an expensive and only partly successful solution, human nature may be the true downfall. The use of social engineering techniques can destroy networks, cripple identities, and result in significant monetary loss. Social engineering techniques can defeat intrusion detection systems and bypass well-planned network security measures. Additionally, they may cause individuals to leak private information, which in turn can be used to acquire the victim’s “identity.” In this research paper, I intend to show which weaknesses of human nature make social engineering techniques successful. I intend to cover, in depth, common social engineering techniques, citing real-world and probable examples. In addition to social engineering tools, other methods exist to assist in acquiring information. This research paper will cover personal and physical techniques capable of acquiring information. A conclusion will be provided summarizing the information covered and offering a solution to the scenarios discussed. The topics discussed in this research paper are meant to act as a guide assisting in the security of private information.
Human nature dictates that humans rarely question acts that are considered normal. Social engineering can cause destruction to networks and cost companies millions of dollars (Miller, 2000). Social engineering techniques can defeat intrusion detection systems and bypass well-planned network security techniques. Social engineering may take place on a personal, physical or electronic level. Before going into depth about social engineering tools and techniques, it is necessary to define the common terminology of this technique and the psychology involved.
An Introduction to Social Engineering and the Human Psyche
Social engineering is defined as a normally non-technical kind of intrusion that relies heavily on human interaction and often involves trickery to gain the trust of individuals in order to obtain non-obvious information (Shinder, 2004). Social engineering techniques are commonly based on four qualities of human nature: the desire to be helpful, the tendency to trust people, the fear of getting into trouble, and the willingness to take “short cuts” (Peltier, 2006). Three key aspects of social psychology summarize the psychological ploy involved in social engineering attacks: alternative routes to persuasion, attitudes and beliefs that affect human interactions, and techniques for persuasion and influence (Peltier, 2006).
Personal Social Engineering
Common alternative routes of persuasion encompass two routes: direct and indirect (Peltier, 2006). Direct routes involve specifically asking an individual for information. For instance, Frank asks, “Susan, I need to log into the company Web site to check stock information and I forgot my password. What is your login information?” In the indirect method of persuasion, a social engineer increases the susceptibility of the victim by influencing an emotional response. Social engineers may spend significant amounts of time learning their victims and developing a situation that plays on the background of a victim (Peltier, 2006). The targeted person must feel compelled to disclose the requested information. Additionally, the attacker must create a strong enough emotional attachment that the victim is willing to set aside personal beliefs or organizational policies and procedures (Thornburgh, 2004). The victim makes the decision to disclose the information to the other party since they feel the reason has been justified. Many factors are used to cause these strong emotions. Most commonly, authority and empathy are the leading causes of disclosure by this method (Thornburgh, 2004). Authority represents leadership by power. This power often appears in the capability of one person to reward or punish another. Emotions evoked by this form of authoritarianism include pride, fear, or greed (Thornburgh, 2004).
In the event social engineering is used on a personal level, friendship and trust may be taken advantage of to obtain information. In the above scenario, Frank uses direct persuasion by asking Susan for her user name and password since he “forgot” his. It is possible this scenario is true; Frank may in fact have lost his account information. Let’s suppose Frank is not being entirely truthful. Using Susan’s account information, Frank can assume Susan’s digital identity. While logged onto the organization’s network as Susan, Frank decides to view prohibited content. System logs reveal that this violation occurred on Susan’s account. Susan is held liable and terminated for violation of company policy. The only thing Susan did wrong was disclose her account information to Frank. It is important to keep confidential information confidential by not disclosing it to other parties. The personal level of social engineering is not a new topic; it has been around for years and continues to be a vulnerability to personal information.
Physical Social Engineering
Physical tools of social engineering include dumpster diving and office snooping. When physical tools are used, discarded information may be recovered from the trash, and information may be overheard or observed without any active intervention.
While Mary is cleaning out her file cabinet containing her bills from the past year, she discards past credit card bills, utility bills, and bank statements into the trash. The night before garbage day, Mary hauls all of her garbage to the curb, including the past bills. Mary sleeps soundly knowing her bills from the past year have been discarded. While Mary is sleeping, Sam, an identity attacker, is going through Mary’s garbage looking for personal information. Sam discovers the discarded billing information. From the credit card statements he acquires Mary’s credit card numbers. From the bank statements he acquires bank account information including balances, Mary’s social security number and account numbers. Sam uses this information to start electrical service in Mary’s name at his home in Cleveland, Ohio. Sam took part in the acts known as dumpster diving and identity theft. Dumpster divers, also known as trawlers or garbologists, find sensitive information in garbage cans and dumpsters (Peltier, 2006).
Dumpster diving techniques apply equally in the corporate world. Company ABC discarded information from their research department. A member of Company ZZZ looks through Company ABC’s trash and locates this information. Using this information, Company ZZZ patents a new invention and earns additional revenue. Company ABC’s carelessness resulted in the loss of credit for the invention and of the revenue acquired by the invention.
The shoulder surfer looks over someone’s shoulder to gain information such as passwords and PIN numbers (Peltier, 2006). A news report from several years ago showed the significance of protecting personal information from shoulder surfers. In their report, a reporter was given a phone card and told to use it in Grand Central Station in New York. While the reporter was making the call, police counted at least five people “shoulder surfing” her PIN number. Within minutes the stolen card numbers were used to make international phone calls (Peltier, 2006). It is important to obscure any information from nearby onlookers.
Electronic Social Engineering
The electronic level of social engineering includes any electronic means of gathering information. Examples of the electronic level of social engineering include phishing, spear phishing, and e-mail hoaxes. These forms of social engineering depend on technology in the form of pop-up windows, mail attachments, and Web sites (Peltier, 2006).
Phishing is defined as the act of imitating a legitimate company in e-mails to entice people to share personal information such as credit card numbers or passwords (McFedries, 2008).
Figure 1 – Example Phishing email (Credibles, 2006).
The figure above is an example of a phishing email. This phishing email, an email hoax, attempts to entice the user into visiting a Web site that asks for personal and contact information. In actuality, the Web site is harvesting the user’s information, which may then be used to commit identity theft.
Spear phishing is any highly targeted phishing attack (Microsoft, 2006). Spear phishing attacks are unleashed with the intent of gaining access to an organization’s computer system (Microsoft, 2006). Additionally, spear phishing attacks may specifically target individuals who use a particular Web site. Spear phishing may take place on an electronic or physical level. For example, an attacker sends an email to every account of an organization claiming that it is necessary to respond with user names and passwords so that the database can be updated. The attacker will commonly alter the sender address of the email in an attempt to make the message appear legitimate. The users who respond with the information give the attacker their credentials. Using this information, the attacker now has the resources to access the organization’s network.
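The two traits of the phishing and spear phishing messages described above, a sender that is not who it claims to be and a request to reply with user names and passwords, can be checked mechanically before a message reaches a user. The following checker is an added example written for this post, not code from the paper or from any cited source; the internal domain `example-corp.test` and both sample messages are constructed for illustration.

```python
"""Spear-phishing trait checker (added example, not from the paper).

Two traits the text describes are checked on a raw message:
  1. the sender presents itself as the organisation, but the real
     address, Reply-To or Return-Path points at a different domain;
  2. the body asks the reader to reply with a user name or password.
INTERNAL_DOMAIN and both sample messages are constructed for illustration.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Hypothetical internal domain of the organisation being protected.
INTERNAL_DOMAIN = "example-corp.test"

# A verb asking for a reply, followed within the same sentence
# (up to 80 characters, no full stop) by a credential word.
CREDENTIAL_REQUEST = re.compile(
    r"\b(reply|respond|send)\b[^.]{0,80}\b(user ?name|password|login)\b",
    re.IGNORECASE,
)


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def analyse(raw):
    """Return findings for one raw RFC 5322 message given as bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))

    # Does the message present itself as coming from the organisation,
    # either in the display name or in the From address itself?
    claims_internal = (
        INTERNAL_DOMAIN in display_name.lower()
        or _domain(from_addr) == INTERNAL_DOMAIN
    )
    # Every path that actually carries mail or replies must stay internal;
    # a look-alike From domain or an external Reply-To is a mismatch.
    real_domains = {_domain(a) for a in (from_addr, reply_to, return_path) if a}
    sender_mismatch = claims_internal and any(
        d != INTERNAL_DOMAIN for d in real_domains
    )

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    asks_for_credentials = CREDENTIAL_REQUEST.search(body) is not None

    return {
        "from_addr": from_addr,
        "claims_internal": claims_internal,
        "sender_mismatch": sender_mismatch,
        "asks_for_credentials": asks_for_credentials,
        "suspicious": sender_mismatch or asks_for_credentials,
    }


# Constructed sample: look-alike From domain (capital I for l), external
# Reply-To and Return-Path, and a request to reply with credentials.
PHISH_SAMPLE = b"""\
From: "IT Helpdesk - example-corp.test" <helpdesk@exampIe-corp.test>
Reply-To: account-update@mail-relay.test
Return-Path: <bounce@mail-relay.test>
To: staff@example-corp.test
Subject: Database update tonight
Content-Type: text/plain; charset="utf-8"

Our user database is being updated tonight. Please respond to this
message with your user name and password so your account is migrated.
"""

# Constructed sample: an ordinary internal message.
LEGIT_SAMPLE = b"""\
From: "Susan Lee" <susan.lee@example-corp.test>
To: frank@example-corp.test
Subject: Stock report

Frank, the stock report you asked about is on the shared drive.
Let me know if you need anything else.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, analyse(sample))
```

The two checks are deliberately independent: a spoofed sender with an innocuous body still trips `sender_mismatch`, and a credential request from a genuinely internal (perhaps compromised) account still trips `asks_for_credentials`. The regular expression is a coarse first filter, so a flagged message is best routed to a person for review rather than silently dropped.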
Defending Against Social Engineering Attacks
Tools and techniques exist to prevent social engineering attacks. Using these tools reduces the exposure of the organization or person(s) involved in a potential attack. Many of the concepts discussed pertaining to organizational security may also be used in personal security.
According to Douglas Twitchell, there are currently three commonly suggested ways to defend against social engineering attacks: education, training and awareness; policies; and enforcement through auditing (Twitchell, 2006). Users educated through training and awareness may be more reluctant to disclose personal information, in turn creating less of a vulnerability to themselves or their organization. Policies should be in effect instructing users on the proper handling of company information and user data. Audits must be conducted to ensure the users of the organization are compliant with policies and procedures. Hard copies of organizational data, records, or personal information must be destroyed before being discarded. Common effective methods for destroying hard copy information include shredders and incinerators. Destroying the data cuts off the dumpster diver’s sole method of data snooping.
Social engineering is not a new technique of acquiring data; it has been around for years. Social engineering may take place on a physical, social, or electronic level. Common social engineering attack techniques include dumpster diving, the physical act of acquiring data from personal or organizational garbage; shoulder surfing, the act of acquiring data by looking at the information as it is being used by the owner; phishing, the act of sending a fictitious email or hosting a fictitious Web site constructed to mimic a legitimate site with the sole purpose of acquiring personal information; and spear phishing, a phishing attack targeted at a specific organization or group. Tools and techniques exist which, if used and enforced, will prevent most of these social engineering attack techniques. The main concept to consider when actively protecting confidential information is the art of “using common sense.” If something seems too good to be true, it probably is. Do not release any information to anyone unless you are sure they are legitimate. If there is any doubt of the legitimacy of a situation, do not disclose any information. Once your information is disclosed, you or your organization may have been put at risk for identity theft.
McFedries, P. (2008). Phishing. Retrieved April 24, 2008 from the Word Spy Website: http://www.wordspy.com/words/phishing.asp
Microsoft (2006). Spear phishing: Highly targeted scams. Retrieved April 24, 2008 from the Microsoft Website: http://www.microsoft.com/protect/yourself/phishing/spear.mspx
Miller, T. (2000). Social Engineering: Techniques that can bypass intrusion detection systems. Retrieved April 24, 2008 from the StillHq Website: http://www.stillhq.com/pdfdb/000186/data.pdf
Peltier, T. (2006). Social Engineering: Concepts and Solutions. Information Systems Security, 15, 13-21. Retrieved April 10, 2008, from Corporate ResourceNet database.
Shinder, D. (2004). How to defend your network against social engineers. Retrieved April 21, 2008 from the WindowSecurity.com Website: http://www.windowsecurity.com/articles/Social_Engineering.htm
The Credibles (2006). Phishing: The art behind the crime. Retrieved April 24, 2008 from the Oracle ThinkQuest Education Foundation Website: http://library.thinkquest.org/06aug/00446/Phishing.html
Thornburgh, T. (2004). Social Engineering: The Dark Art. Information security curriculum development, 133-135. Retrieved April 10, 2008, from Association for Computing Machinery database.
Twitchell, D. (2006). Social engineering in information assurance curricula, 191-193. Retrieved April 10, 2008 from the Association for Computing Machinery database.