IP address, mail servers, phone numbers, the company's address, employee names and designations, etc. Running the Maltego metadata transform provided still more information in the form of additional files with dates, creator information, etc. One file in particular, named InvoiceApril.xls, caught Hadnagy's attention. Its contents indicated that it was an invoice for a marketing venture organized by the local bank. Hadnagy immediately called the bank, posing as a Mr. Tom from the accounts department of the printing firm, and asked for the details of this particular marketing event run by the bank. It turned out to be the annual Children's Cancer Fund Drive organized by the bank.
Hadnagy gathered more information about the CEO, such as his native place (NY), his favored dining place (Domingoes), his love for the Mets, his top three favorite dishes, etc. With all this background information, Hadnagy chose 'cancer research funding' as the attack vector. He called the CEO over the phone and told him about a small fundraiser in support of children's cancer research, which included a raffle prize of two tickets to a Mets game and dinner at Domingoes (both the CEO's favorites). In other words, the auditor was simply pulling the CEO's emotional strings and using the gathered information to make the conversation feel personal. Hadnagy had already prepared a malicious PDF file containing scripts that would give him full access to the CEO's computer. The CEO did in fact succumb to this simple trick: he gave out his email address and opened the malicious PDF, which gave Hadnagy complete access to his computer and the servers. [Hadnagy, Chapter 8]
The case studies above clearly show how a skilled social engineer can use the phone or the internet to gather important information and then use it to impersonate others and gain access to highly confidential information about the target. It is important to protect oneself against these skillful social engineering attacks; before we discuss some simple protective strategies, let us have an overview of the available legal protections.
Due to business requirements, a lot of confidential client information is stored on company servers. Under these circumstances there is an ever-present danger of a snooper hacking into these systems, or of user information being sold to third parties. There are now legal provisions aimed at preventing such misuse of private information. HIPAA (the Health Insurance Portability and Accountability Act) ensures privacy for the transfer of health information online. Healthcare providers across the country are required to implement administrative and technical policies that ensure adherence to national standards. [University of Miami] The Sarbanes-Oxley Act (SOX) is a corporate governance law that requires public companies to integrate security into the strategic plan of the enterprise. Section 404 of SOX clearly highlights these 'risk-centric compliance issues' that corporations have to address or face criminal enforcement and punitive damages. [Mark Kaelin, 2005] The Gramm-Leach-Bliley Act (GLBA), enacted in 1999 under former President Clinton, requires that banks and other financial institutions maintain the privacy of customers' financial details. The act has three main provisions, namely a) the Financial Privacy rule, b) the Safeguards rule and c) protection against pretexting. In particular, the GLBA requires financial companies to clearly lay out their employee training plans (how they train employees to safeguard customer information) and also requires them to conduct random spot checks. [Tina Douglas, 2010] The Telephone Records and Privacy Protection Act of 2006 offers legal protection to ensure the privacy and confidentiality of consumers' phone records. Thus there are various legal provisions that place serious responsibility on corporate bodies to defend their customers from being exposed to social engineering tricks.
Protection against Social Engineering (Role of people in security)
It might be hard to believe, but the fact is that only a small percentage of information security is actually achieved by technical measures, while the vast majority depends on the IT personnel. As much as 70% of information theft is ascribed to personnel inside the company. So the human aspect of information security should be the point of focus; unfortunately, as many studies and surveys suggest, it is the most neglected aspect of IT security. A comprehensive study by TUBITAK UEKAE, the Turkish department of information systems security, confirmed these gaping holes in the security provisions of Turkish public agencies. For this audit, conducted over a three-year period, around 56 IT personnel from 6 organizations were contacted over the phone, and 38 of them (around 68%) gave out their passwords. [Tolga Mataraccioglu, Dec 2010]
The best method to counteract this negligence is to create a 'continued awareness program' within the organization. This could be achieved by posting IT security briefings and updates on bulletin boards, circulating security-related emails and brochures, following IT security oriented websites, etc. Furthermore, all organizational personnel should be well informed about the various security aspects involving the use of laptops, password protection, file access and sharing, virus protection, email security, phishing and other social engineering scams, etc. [Tolga Mataraccioglu, Dec 2010]
Organizations should have a separate information security division. Policies pertaining to incident reporting, social engineering and disaster recovery should be implemented. In particular, social engineering training should be given to all staff members and their knowledge tested using questionnaires and short exams. [Glenda, 2008] Periodic audits should be conducted to check the level of alertness of the staff, and any breach of the security implementations should be addressed immediately. Random inspections could be undertaken to ensure that confidential information (documents, CDs, etc.) is not left scattered around the premises. Security software such as antivirus programs should be kept up to date, and staff members should be made aware of the malicious content that can be bundled with free software programs. Hardware security enforcement, in the form of firewalled router configurations, should also be checked regularly. To prevent highly confidential servers from being hacked, access should be doubly authenticated, using conventional password verification as well as device authentication technology in which a one-time password is sent to a mobile device. [Masayuki, 2010] Furthermore, since social engineers often make use of very simple documents that have been dumped in the garbage, it is important to completely destroy any unwanted documents with a paper shredder before they go in the waste bin. [Tolga Mataraccioglu, Dec 2010]
There is a gaping hole in information security provisions. While more money and time are invested in beefing up technical security solutions, there is an alarming neglect of the human vectors of social engineering attacks. Non-technical social engineering methods are gaining in popularity as hackers increasingly focus on the soft spot of human weakness in their efforts to breach IT security provisions. Using a variety of simple methods such as pretexting, dumpster diving, phishing, etc., social engineers are able to penetrate the security cordon and achieve their malicious intent. The two case studies discussed clearly indicate how easily a social engineer can gain access to confidential organizational information. With legal provisions such as HIPAA, SOX, GLBA, etc., organizations are under a lot of pressure to ensure the privacy and information security of their customers. As we discussed before, this cannot be accomplished just by investing in technical security solutions. An integrated approach that includes a 'continued awareness program' with staff training and auditing is key to successfully confronting social engineering attacks.
1) Christopher Hadnagy (2011), 'Social Engineering: The Art of Human Hacking', Wiley Publishing Inc.
2) Greg Sandoval (Feb 2007), 'FTC to Court: Put an end to pretexting operations', retrieved Mar 5th 2011 from http://news.cnet.com/FTC-to-court-Put-an-end-to-pretexting-operations/2100-7348_3-6159871.html?tag=lia;rcol
3) Mindi McDowell (Oct 2009), 'National Cyber Alert System: Avoiding Social Engineering and Phishing Attacks', retrieved Mar 5th 2011 from http://www.us-cert.gov/cas/tips/ST04-014.html
4) Sonja Ryst (July 2006), 'The Phone is the Latest Phishing Rod', retrieved Mar 5th 2011 from http://www.businessweek.com/technology/content/jul2006/tc20060710_811021.htm
5) Michael Workman (Dec 2007), 'Wisecrackers: A theory-grounded investigation of phishing and pretext social engineering threats to information security', Journal of the American Society for Information Technology, Vol. 59, Issue 4, pp. 662-674
6) University of Miami, 'About HIPAA', retrieved Mar 6th 2011 from http://www.med.miami.edu/hipaa/public/x122.xml
7) Mark Kaelin (2005), 'Integrating Security with the Overall Enterprise Strategic Plan', retrieved Mar 6th 2011 from http://www.techrepublic.com/article/integrating-security-with-the-overall-enterprise-strategic-plan/5645387
8) Tina L. Douglas (July 28, 2010), 'Gramm Leach Bliley Act and the Banking Industry', retrieved Mar 6th 2011 from http://ezinearticles.com/?Gramm-Leach-Bliley-Act-and-the-Banking-Industry&id=4754144
9) Tolga Mataraccioglu & Sevgi Ozkan (Dec 2010), 'User Awareness Measurement Through Social Engineering', International Journal of Managing Value and Supply Chains (IJMVSC), Vol. 1, No. 2, retrieved Mar 6th 2011 from http://airccse.org/journal/mvsc/papers/1210ijmvsc02.pdf
10) Glenda Rotvold (Dec 2008), 'How to Create a Security Culture in your Organization', retrieved Mar 6th 2011 from http://www.nsi.org/pdf/awarness-articles/Create%20a%20Security%20Culture.pdf
11) Ted Samson (Jan 2011), 'Amazon EC2 enables Brute Force Attacks on the Cheap', retrieved Mar 6th 2011 from http://www.infoworld.com/t/data-security/amazon-ec2-enables-brute-force-attacks-the-cheap-447