It is just about summer — the weather is gorgeous and everyone is in a good mood.
A pretty — not beautiful — girl comes into the lobby of a local company and glances around. She walks up to the receptionist and explains she has a meeting with the Information Technology director and is running late. She says she is very embarrassed and would the receptionist tell her the conference room number and she’ll just sneak into the meeting. Feeling sorry for the young lady, the receptionist tells her the main conference room is on the third floor and lets her into that part of the building.
Once in the elevator, the woman gets off on the fourth floor — not the third. She wanders the halls. A gentleman stops her because she doesn’t’ have a badge. But she smiles sweetly, asks him about his day and pretty soon they are chatting about this and that. He forgets why he stopped her and goes back to his office.
She continues down the hall. This time she sees someone going into the computer lab and he allows her to follow him through the door. She has one of those smiles that lights up her entire face, and it doesn’t go unnoticed. She explains that she is a student at the local university and she’s going to be a summer intern in the IT department… part of her internship is to see how the computer lab works.
She spends the next hour looking around, chatting with the network administrators and lighting up a usually boring environment.
The girl leaves the building, waving good-bye to the receptionist on her way out and thanking her again.
After all, she should thank her and all the others she spoke to during her visit.
Article originally published on June 20, 2005
The woman leaves with Post-it notes that had been stuck onto monitors with passwords and user identifications (usually ‘admin’). She has a wealth of knowledge on how the network is set-up, what kinds of protection mechanisms are in place and even how to get around the protection — thanks to a young techie who was more than pleased to show her how ‘smart’ he was.
She now owns their network, their industry secrets and their systems.
This is a classic case of social engineering.
According to sbc.webopedia, social engineering is defined as: ”In the realm of computers, the act of obtaining or attempting to obtain otherwise secure data by conning an individual into revealing secure information. Social engineering is successful because its victims innately want to trust other people and are naturally helpful. The victims of social engineering are tricked into releasing information that they do not realize will be used to attack a computer network.”
Whatitis.com states: ”In computer security, social engineering is a term that describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures. A social engineer runs what used to be called a ‘con game’.”
Either definition makes it clear that social engineering involves human interaction. That is the major factor that makes protection against social engineering difficult. All the firewalls, and identification and authentication mechanisms are ineffective against a seasoned social engineer.
So, how do you protect your network from these types of people?
The best protection against social engineering tactic is a well-trained employee, who is aware of this kind of scam. The employee is the target of social engineering. Employees need to be made aware that even though they need to be helpful on the job, they need to be cautious and inquisitive.
Security training that reinforces the requirement to protect user identifications, passwords, and other such information is a valid protection against social engineering. Employees also need to be aware of their surroundings to ensure that people without proper identification are confronted and escorted to security personnel. They also need to be aware of unauthorized people trying to follow them into secured areas.
This awareness training isn’t just for computer users and network administrators. It’s for every employee — the receptionist, secretaries, file clerks, etc. Training should be a yearly event.
Anything that looks suspicious should be reported. Be suspicious of that person you have never seen before, or someone asking questions that raise a little red flag in the back of your head. You never know when it’s a person on a mission to obtain information that can, and will, be used against you.
The next time a friendly individual approaches you with a request for assistance in getting information that you know should be protected, be prepared. Check it out before you give out any information. Beware the social engineer!
Recent Comments