Wednesday, April 8, 2009 At 10:39AM
Social engineers use old tricks and new to bypass firewalls and other conventional IT security defences by taking advantage of human weakness or kindness to attack secure buildings, machine rooms, or trading floors from inside. This gives them access to information and data that they simply couldn’t get by hacking a web site. They don’t have to pick locks or break windows as it’s usually easier not to. They use research, a plausible “story”, and a winning smile. A high-profile example of this type of attack was prosecuted in the UK in March 2009.
In September 2004, security procedures at the Sumitomo Mitsui Banking Corporation failed when one of its security guards let friends into the building to play cards. The hackers installed software that captured images of what was on screen, recorded keystrokes and harvested users’ login details. They were caught only when they tried to cash in on the information they had gathered.
In 2007, a conman gained access to the safety deposit boxes at an ABN Amro bank in Antwerp’s diamond quarter, in what is thought to have been the biggest robbery ever committed by one person. The thief used no violence, just his charm, to gain entry and steal gems worth €21 million.
“He bought chocolates for the personnel, he was a nice guy, he charmed them, got the original of keys to make copies and got information on where the diamonds were,” said Philip Claes, spokesman for the Diamond High Council in Antwerp.
Many people who work in offices will know that passwords, key codes and SecurID tokens can often simply be picked up off the desks around them. If a social engineer can gain access to an office, any of this information is potentially up for grabs, and the data those credentials protect is very likely to be critical to the company; otherwise, why defend it?
So how do you defend your company against an attacker who uses his knowledge of your staff to simply walk into the building?
The patch for human weakness is simple: education. An informed workforce is safer than one left in the dark. Managers should create a corporate culture in which security is everybody’s business, not just that of the IT department or the security guard. Technical controls may detect some attacks, but if the staff and the organisational culture are on your side as well, your systems will be far more secure.
For example, employees should understand that legitimate IT staff who need access to a machine should never need the employee’s help, or the employee’s username and password, to get it. But if a company’s employees treat technology as a feared and mysterious thing, that leaves a hole through which a social engineer can attack: the social engineer may be given access to critical systems simply by posing as a member of the IT staff. During social engineering engagements we have had instances where employees logged in for the social engineering team, believing them to be IT staff, and left them in charge of critical systems.
Since we started testing how companies’ systems hold up against social engineering attacks, we have been surprised by how easy it is to operate in a crowded room. We have even worked in restricted access areas and never been challenged. Looking like you belong and are busy can make people leave you alone. Why does this work?
Most organisations’ security policies require staff to ask people they do not recognise for company ID. But especially in Britain, asking for ID is seen as confrontational behaviour, and those who do it may meet more outrage than praise for their understanding of the need to challenge strangers. You need more than just a policy to resolve this problem; you need to teach people that social engineering actually happens, and that they can make a difference.
In the UK we are lucky enough to have a TV show called The Real Hustle. This show sets out to teach people how con men work and to protect them from getting hustled. If it can work for keeping people’s money in their wallets, couldn’t staff education in a similar vein keep corporate data safe?
Author: Alex Bayly
©Aon plc 2023