Corporate Security Champions
SOCIAL ENGINEERING
Protecting your people, protecting you...
For the public, the potential implications of lax data
Do we have your attention? security are even more troubling. It can lead to
identity theft and other types of fraud. On the same
A blizzard of privacy breaches is blowing through day the driver data loss emerged, regulators fined
Britain, undermining confidence in government Aviva, the UK’s biggest insurer, £1.26m over a
and chilling private sector executives who fear, breach that allowed fraudsters to alter customer
quite rightly, that their company might be the addresses and bank account details as part of a
next to suffer. £3.3m scam.
The transport ministry admitted it had lost This reflects both the explosion in the amount of
personal information relating to more than 3m personal information stored by institutions and
learner drivers, a month after the HMRC agency changes to the ways business is done. Technical
revealed it had mislaid 25m people’s personal advances allow data to be held in ever more
data in the post. Also, it emerged that nine convenient forms that also happen to be easier to
National Health Service trusts had mislaid lose or steal. Lost or stolen devices such as laptops
information on hundreds of thousands of patients. account for half of all data losses (see the MoD),
while other security menaces include hacking and
The UK information commissioner says he has mistakes by third parties such as contractors and
also received numerous anonymous confessions consultants.
of problems, many of them from companies that
have suffered privacy breaches and are anxious
not to do so again.
In fact, this is a high-level global problem: as
information is collected more easily, put to more
sophisticated uses and shared more widely,
breaches of the rules have become both more
common and more likely to be serious.
HMRC lost two CDs that included people’s
addresses, bank account details and national A more subtle contributor to data
insurance numbers. The CDs’ disappearance – privacy breaches is the conflict
which triggered the resignation of the Revenue between two social trends: the rising
head – has created a potential goldmine for institutional appetite for
fraudsters. But this should also prove a ‘tipping information, and falling job security.
point’ for the way companies and government The people processing the information are sometimes
deal with data loss. among the most casual members of the labour force. A
small minority will make mistakes through
Indeed, there have been even larger data disasters inexperience or take advantage or their positions to
in the private sector. They include the 2003 theft cream off information to use for fraud.
of 92m email records from AOL, the internet
providers, and the illegal access last year of tens Being information aware
of millions of credit and debit card numbers
through the systems of TJX, the US discount The importance of security awareness amongst your
retailer. workforce is self-evident. This is because we are not
mindful of information security threats, especially in
Security breaches the Western World. We are not trained to be
suspicious of each other. And in the business world,
Data security breaches are becoming a costly when being trained to deal with customers, we are
problem for companies, both financially and in always told to be as helpful as possible to everyone we
terms of reputation. The Privacy Rights come across, to supply information readily, without
Clearinghouse, a US not-for-profit group, has really considering what it might be used for. People
identified more than 215m records of US are often not aware of the value of the information
residents that have been exposed since January they possess and are careless about protecting it.
2005 because of security failures.
As our culture becomes more dependent on
Breaches cost US companies an average of $197 information, social engineering will remain the
(£99) per record compromised, up 43 per cent greatest threat to any security system. Prevention
since 2005. Data breach costs represent a includes educating people about the value of
significant risk to organisations of all sizes and information, training them to protect it, and increasing
industries. people’s awareness of how social engineers operate.
What is Social Engineering?
Nine out of every ten large corporations and
government agencies have been attacked by
computer intruders, and only about one company
in three reported or publicly acknowledged any
attacks. That reticence to reveal their
victimisation makes sense. To avoid loss of
customer confidence and to prevent further
attacks by intruders who learn that a company
may be vulnerable, most businesses do not Example: The ‘Network
publicly report computer security incidents. Outage’
It appears that there are no statistics on social We’re all grateful when we’re plagued by a
engineering attacks, and if there were, the problem and somebody with the knowledge,
numbers would be highly unreliable: in most skill, and willingness comes along offering to
cases a company never knows when a social lend us a hand. The social engineer understands
engineer has ‘stolen’ information, so many that, and knows how to take advantage of it.
attacks go unnoticed and unreported.
They also know how to cause a problem for
Effective countermeasures can be put into place you. . . then make you grateful when they
against most types of social engineering attacks. resolve the problem . . . and finally play on
But let’s face reality here – unless everyone in the your gratitude to extract some information or a
enterprise understands that security is important small favour from you that will leave your
and makes it his or her business to know and company very much worse off for the
adhere to a company’s security policies, social encounter. And you may never even know
engineering attacks will always present a grave you’ve lost something of value. Here is a
risk to the business. typical way that social engineers step forward
to “help.”
Tom Morris from the accounts department
receives a call from the company’s IT
department.
“Hello Tom, this is Colin Martin from the Help
Desk. We’re trying to troubleshoot a computer
networking problem. Do you know if anyone in
your group has been having trouble staying on
line?”
“Uh, not that I know of.”
“And you’re not having any problems
yourself.”
“No, everything seems fine.”
“Okay, that’s good. Listen, we’re calling people
who might be affected because it’s important
In fact, as improvements are made in the you let us know right away if you lose your
technological weapons against security breaches, network connection.”
the social engineering approach to using people “That doesn’t sound good. You think it might
to access proprietary company information or happen?”
penetrate the corporate network will almost “We hope not, but you’ll call if it does, right?”
certainly become significantly more frequent and “You’d better believe it!”
attractive to information thieves. An industrial “It sounds as though having your network
spy will naturally attempt to accomplish his or connection go down would be a problem for
her objective using the easiest method and the you.”
one involving the least risk of detection. As a “You bet it would.”
matter of fact, a company that has protected its “So while we’re working on this, let me give
computer systems and network by deploying you my mobile phone number. Then you can
state-of-the-art security technologies may reach me directly if you need to.”
thereafter be at more risk from attackers who use “That’d be great. Go ahead.”
social engineering strategies, methods, and “It’s 07919 228766.”
tactics to accomplish their objectives. “Got it. Thanks. What was your name?”
“It’s Colin. Listen, one other thing – I need to “How pressed are you?”
check which port your computer is connected to. “I could do some other things for right now.
Take a look on your computer and see if there’s Any chance you could take care of it in half an
a sticker somewhere that says something like hour?”
‘Port Number’.” “HALF AN HOUR! You don’t want much.
“Hang on. No, don’t see anything like that.” Well, look, I’ll drop what I’m doing and see if I
“Okay, then in the back of the computer, can can tackle it for you.”
you recognise the network cable.” “I really appreciate that. Thanks Colin.”
“Yes.”
“Trace it back to where it’s plugged in. See if The Fourth Call: Gotcha!
there’s a label on the socket it’s plugged into.”
“Hold on a second. Yes, wait a minute I have to Forty-five minutes later…
bend down here so I can get close enough to “Tom? It’s Colin. Go ahead and try your
read it. Okay – it says Port 6 dash 47.” network connection.”
After a couple of moments:
“Good, that’s what we had you down as, just
“Oh, good, it’s working. That’s just great.”
making sure.”
“Good, glad I could take care of it for you.”
The Second Call: The IT Man “Yeah, thanks a lot.”
“Listen, if you want to make sure your
Two days later, a call came through to the same connection doesn’t go down again, there’s some
company’s IT Department. software you ought to be running. It’ll just take
“Hi, this is Robert; “Now’s not the best
I’m in Tom Morris’ time.”
office in Accounts. “I understand ... it
We’re trying to could save us both big
troubleshoot a cabling headaches the next
problem. I need you time this network
to disable Port 6-47. It problem happens
shouldn’t take long.” though.”
“Well ... if it’s only a
The IT worker said it few minutes.”
would be done in just “Here’s what you
a few minutes, and to do…”
let them know when
he was ready to have Colin then took Tom
it enabled. through the steps of
The Third Call: Getting Help from the downloading a small application from a website.
Enemy After the programme had downloaded, Colin
told Tom to double-click on it. He tried, but
About an hour later, the person who called reported:
himself Colin Martin was shopping when his
mobile phone rang. He checked the caller ID, “It’s not working. It’s not doing anything.”
saw the call was from the shipbuilding “Oh, what a pain. Something must be wrong
company, and hurried to a quiet spot before with the programme. Let’s just get rid of it, we
answering. can try again another time.” And he talked Tom
through the steps of deleting the programme so
“Help Desk, Colin.” it couldn’t be recovered.
“Oh, hi, Colin. You’ve got an echo, where are
you?” Total elapsed time, twelve minutes.
“I’m, uh, in a cabling closet. Who’s this?”
“It’s Tom Morris. Am I glad I got hold of you. The Attacker’s Story
Maybe you remember you called me the other
day? My network connection just went down
There are a lot of ways to crack into a
like you said it might, and I’m a little panicky
here.” company’s most secret files. Robert spent a few
“Yeah, we’ve got a lot of people down right days mulling over the choices and doing a little
now. We should have it taken care of by the end checking around before he decided on a plan.
of the day. That okay?” He settled on one that called for an approach he
“Sorry, but I’ll get way behind if I’m down that especially liked, where the target is set up so
long. What’s the best you can do for me?” that they ask the attacker for help.
was really a Trojan Horse software application
that did for Tom’s computer what the original
deception did for the Trojans: it brought the
enemy inside the camp. Tom reported that
nothing happened when he double-clicked on
the software icon; the fact was that, by design,
he couldn’t see anything happening, even
though the small application was installing a
secret programme that would allow the
infiltrator covert access to Tom’s computer.
With the software running, Robert was
provided with complete control over Tom’s
computer, an arrangement known as a remote
command shell. When Robert accessed Tom’s
computer, he could look for the accounting files
that might be of interest and copy them. Then,
For starters, Robert picked up a £29.99 prepaid
at his leisure, he’d examine them for the
mobile phone at a supermarket. He placed a call
information that would give his clients what
to the man he had chosen as his target, passed
they were looking for. And that wasn’t all: he
himself off as being from the company IT
could go back at any time to search through the
department, and set things up so the man would
email messages and private memos of the
call Robert’s mobile phone any time he found a
company’s executives, running a text search for
problem with his network connection.
words that might reveal any interesting tidbits
He left a pause of two days so as not to be too of information. Late on the night that he conned
obvious, and then made a call to the IT his target into installing the Trojan Horse
department at the company. He claimed he was software, Robert smashed the mobile phone up
trouble-shooting a problem for Tom, the target, and threw it into a public bin.
and asked to have Tom’s network connection
In a con like this one, the social engineer tries
disabled. Robert knew this was the trickiest part
to pick a target who is likely to have limited
of the whole escapade, but he knew he could pull
knowledge of computers. The more he knows,
it off because of some basic research about how the more likely that he’ll get suspicious, or just
the company worked: each company has different plain figure out that he’s being manipulated.
systems, so each scam plays on each of the Social engineers are usually on the lookout for
company’s unique weaknesses. In this company, what are sometimes called the ‘computer-
the IT department was housed in a separate challenged’ worker, who is less knowledgeable
building miles away from headquarters, so staff about technology and procedures, is more likely
were not familiar with each other. Therefore it to comply. They are all the more likely to fall
would not be an unusual request for a Head of for a ruse like “Just download this little
Department to be dealing with a simple IT glitch. programme,” because they have no idea of the
When done, Tom would be totally isolated from potential damage a software programme can
the company’s intranet, unable to retrieve files inflict. What’s more, there’s a much smaller
from the server, exchange files with his work chance they’ll understand the value of the
colleagues, download his email, or even send a information on the computer network that they
page of data to the printer. In today’s world, are placing at risk.
that’s like living in a cave.
As Robert expected, it wasn’t long before his
mobile phone rang. Of course he made himself
sound eager to help this poor “fellow employee”
in distress. Then he called the IT department and
had the man’s network connection turned back
on. Finally, he called the man and manipulated
him once again, this time making him feel guilty
for saying ‘no’ after Robert had done him a
favour. Tom agreed to the request that he
download a piece of software to his computer. Of
course, what he agreed to wasn’t exactly what it
seemed. The software that Tom was told would
keep his network connection from going down
“Okay. What can I help you with?”
“Listen, we’re developing a security seminar for
new employees and we need to round up some
people to try it out on. I want to get the name and
phone number of all the new people we’ve
employed in the past month. Can you help me
with that?”
“I won’t be able to get to it until this afternoon.
Is that okay? What’s your extension?”
“Sure, okay, it’s 52 ... oh, uh, but I’ll be in
meetings most of today. I’ll call you when I’m
back in my office, probably after four.”
When Alex called about 4:30, Andrea had the list
ready, and read him the names and extensions.
A Message for Rosemary
Rosemary Morgan was delighted with her new
job. She was finding the people much friendlier
than she expected, a surprise because of the
never-ending pressure most of the staff was
always under. The call she received one
Thursday morning reconfirmed that friendliness.
“Is that Rosemary Morgan?”
“Yes.”
“Hi, Rosemary. This is Bill Jordan, with the
“A little help for Information Security group.”
“Yes?”
the new girl….” “Has anyone from our department discussed best
security practices with you?”
“I don’t think so.”
“Well, let’s see. For starters, we don’t allow
anybody to install software brought in from
outside the company. That’s because we don’t
want any liability for unlicensed use of software.
And to avoid any problems with software that
might have a worm or a virus.”
“Okay.”
“Are you aware of our email policies?”
“No.”
“What’s your current email address?”
“Rosemary@ttrzine.net.”
“Do you sign in under the username Rosemary?’
“No, it’s R-underscore-Morgan.”
“Right. We like to make all our new employees
aware that it can be dangerous to open any email
attachment you aren’t expecting. Lots of viruses
and worms get sent around and they come in
New employees are a ripe target for attackers. They emails that seem to be from people you know. So
don’t know many people yet, they don’t know the if you get an email with an attachment you
procedures or the dos and don’ts of the company. weren’t expecting you should always check to be
And, in the name of making a good first impression, sure the person listed as sender really did send
they’re eager to show how cooperative and quick to you the message. You understand?”
respond they can be. “Yes.”
“Good. And our policy is that you change your
Helpful Andrea password every ninety days. When did you last
change your password?”
“Human Resources, Andrea Calhoun.” “I’ve only been here three weeks; I’m still using
“Andrea, hi, this is Alex, with Corporate Security.” the one I first set.”
“Yes?” “Okay, that’s fine. You can wait the rest of the
“How’re you doing today?” ninety days. But we need to be sure people are
ninety days. But we need to be sure people are computer systems, they must be trained to
using passwords that aren’t too easy to guess. follow good security practices, especially
Are you using a password that consists of both policies about never disclosing their passwords.
letters and numbers?”
“No.” Example: Mary’s story
“We need to fix that. What password are you
using now?” To most people, accounting work is number
“It’s my daughter’s name – Annette” crunching and bean counting, generally viewed
“That’s really not a secure password. You as being about as enjoyable as having a root
should never choose a password that’s based on canal. Fortunately, not everyone sees the work
family information. Well, let’s see…you could that way. Mary Harris, for example, found her
do the same thing I do. It’s okay to use what work as a senior accountant absorbing, part of
you’re using now as the first part of the the reason she was one of the most dedicated
password, but then each time you change it, add accounting employees at her firm.
a number for the current month.”
“So if did that now, for March, would I use On this particular Monday, Mary arrived early
three, or oh-three.” to get a head start on what she expected to be a
long day, and was surprised to find her phone
“That’s up to you. Which would you be more
comfortable with?” ringing. She picked it up and gave her name.
“I suppose Annette-three.’ “Hi, this is Peter Sheppard. I’m with Gentech
“Fine. Do you want me to walk you through Support, the company that does tech support
how to make the for your firm. We
change?’ logged a couple of
“No, I know how.” complaints over the
“Good. And one more weekend from people
thing we need to talk having problems with
about. You have anti- the computers there. I
virus software on your thought I could
computer and it’s troubleshoot before
important to keep it everybody comes into
up to date. You work this morning, to
should never disable get as many people
the automatic update going as possible. Are
even if your computer you having any
slows down every problems with your
once in a while.” computer connection?
“Okay.”
She told him she didn’t know yet. She turned
“Very good. And do you have our phone
her computer on and while it was booting, he
number over here, so you can call us if you have
any computer problems?” explained what he wanted to do.
She didn’t. He gave her the number, she wrote it “I’d like to run a couple of tests with you,” he
down carefully, and went back to work, once said. “I’m able to see on my screen the
again, pleased at how well taken care of she felt. keystrokes you type, and I want to make sure
they’re going across the network correctly. So
Analysing the Con every time you type a stroke, I want you to tell
me what it is, and I’ll see if the same letter or
The most common information that a social number is appearing here. Okay?”
engineer wants from an employee, regardless of
his or her ultimate goal, is the target’s With nightmare visions of her computer not
authentication credentials. With an account working and a frustrating day of not being able
name and password in hand from a single to get any work done, she was more than happy
employee in the right area of the company, the to have this man help her. After a few moments,
attacker has what they need to get inside and she told him, “I have the login screen, and I’m
locate whatever information they are after. going to type in my ID. I’m typing it now –
Having this information is like finding the keys M…A…R…Y…D.”
to the kingdom; with them in hand, they can
move freely around the corporate landscape and “Great so far,” he said. “I’m seeing that here.
find the treasure they seek. So before new Now, go ahead and type your password but
employees are allowed access to any company don’t tell me what it is. You should never tell
the marketing company’s offices and got the
receptionist, said that he was with the company
that handled their pension plans and that he
needed to talk to somebody in Accounting. Had
she noticed if any of the Accounting people had
come in yet? She said, “I think I saw Mary
come in a few minutes ago, I’ll try her for you.”
All Social Engineering techniques are based on
flaws in human logic known as ‘cognitive
biases’. These bias flaws are used in various
combinations to create attack techniques.
anybody your password, not even tech support.
Pretexting is the act of creating and using an
I’ll just see asterisks here – your password is
invented scenario (the pretext) to persuade a
protected so I can’t see it.” None of this was true,
target to release information or perform an
but it made sense to Mary. And then he said, “Let
action and is usually done over the telephone.
me know once your computer has started up.” It’s more than a simple lie as it most often
When she said it was running, he had her open involves some prior research or set up and the
two of her applications, and she reported that they use of pieces of known information to establish
launched “just fine.” Mary was relieved to see legitimacy in the mind of the target. The
that everything seemed to be working normally. pretexter must simply prepare answers to
Peter said, “I’m glad I could make sure you’ll be questions that might be asked by the target. In
able to use your computer okay. And listen,” he some cases all that is needed is a voice of the
went on, “we just installed an update that allows right gender, an earnest tone and an ability to
people to change their passwords. Would you be think on one's feet.
willing to take a couple of minutes with me so I
When Mary picked up the phone, he told her
can see if we got it working right?” his little story about computer problems, which
She was grateful for the help he had given her was designed so she’d be glad to cooperate. As
and readily agreed. Peter talked her through the
steps of launching the application that allows a
user to change passwords, a standard element of
the Windows operating system. “Go ahead and
enter your password,” he told her. “But remember
not to say it out loud.”
When she had done that, Peter said, “Just for this
quick test, when it asks for your new password,
enter ‘testl23.’ Then type it again in the
Verification box, and click Enter.”
He walked her through the process of
disconnecting from the server. He had her wait a
couple of minutes, then connect again, this time
trying to log on with her new password. It
worked like a charm, and Peter talked her through soon as he had talked her through changing her
changing back to her original password or password, he then quickly logged onto the
choosing a new one – again cautioning her about
system with the same temporary password he
not saying the password out loud.
had asked her to use, ‘testl23’.
“Well, Mary,” Peter told her. “We didn’t find any
Here’s where the mastery comes in – he
trouble, and that’s great. Listen, if any problems
installed a small programme that allowed him
do come up, just call us over here at Arbuckle.
to access the company’s computer system
I’m usually on special projects but anybody here
who answers can help you.” She thanked him and whenever he wanted, using a secret password
they said goodbye. of his own. After he hung up with Mary, his
first step was to erase the audit trail so no one
Peter Sheppard would even know he had been on her system. It
was easy. After elevating his system privileges,
A little after 7:30 Monday morning, Peter called he was able to download a free programme
the marketing company’s offices and got the called clearlogs.
company’s files. This boosted her confidence that
he must be legitimate because he was protecting
her and the company.
Example: The promotion
seeker
Late in the morning of a pleasant autumn day,
Peter Milton walked into the lobby of the regional
offices of a pharmaceutical company. He waited at
the reception desk while the young lady signed in a
visitor, answered a phone, and dealt with the Royal
Mail man, all more or less at the same time.
“So how did you learn to do so many things at
once?” Pete said when she had time to help him.
She smiled, pleased he had noticed. He was from
Marketing at Head Office, he told her, and said that
Mike Talbot from sales was meeting him. “We
have a client to visit together this afternoon,” he
explained. “I’ll just wait here in reception.”
“Marketing.” She said the word almost wistfully,
and Pete smiled at her, waiting to hear what was
coming. “If I could go to university, that’s what I’d
Time for the real job. He ran a search for any take,” she said. “I’d love to work in Marketing.”
documents with the word “contract” in the
filename, and downloaded the files. Then he He smiled again. “Jenny,” he said, reading her
searched some more and came on the mother lode name off the sign on the counter, “We have a lady
– the directory containing all the consultant in Head Office who was a secretary. She got
payment reports. So he put together all the contract herself moved over to Marketing. That was three
files and a list of payments. He could pore through years ago, and now she’s an assistant marketing
the contracts and see how much they were paying manager, making twice what she was.”
other consultants.
Jenny looked starry-eyed. He went on, “Can you
Analysing the Con use a computer?”
“Sure,” she said.
Peter’s phone call to the marketing company “How would you like me to put your name in for a
represented the most basic form of social secretary’s job in Marketing?”
engineering – a simple attempt that needed little She beamed. “For that I’d even move.”
preparation, worked on the first attempt, and took “You’re going to love it there,” he said. “I can’t
only a few minutes to bring off. Even better, Mary, promise an opening right away, but I’ll see what I
the victim, had no reason to think that any sort of can do.”
trick or ruse had been played on her, no reason to
file a report or raise a ruckus.
The scheme worked through Peter’s use of three
social engineering tactics. First he got Mary’s
initial cooperation by generating fear – making her
think that her computer might not be usable. Then
he took the time to have her open two of her
applications so she could be sure they were
working okay, strengthening the rapport between
the two of them, a sense of being allies. Finally, he
got her further cooperation for the essential part of
his task by playing on her gratitude for the help he
had provided in making sure her computer was
okay. By telling her she shouldn’t ever reveal her
password, should not reveal it even to him, Peter
did a thorough but subtle job of convincing her that
he was concerned about the security of her
his laptop, he launched one programme and used it
to identify all of the authorised users on the target
server. With another, he then ran a list of
commonly used passwords, such as “blank,” and
“password” itself. “Password” worked. No surprise
there. People seem to just lose all creativity when it
comes to things like choosing their passwords.
Only six minutes gone, and the game was half over.
He was in. Another three minutes to very carefully
She thought that this nice man in the add his new company, address, phone number, and
suit and tie and with the neatly contact name to the list of customers. And then for
trimmed, well-combed hair might the crucial entry, the one that would make all the
make a big difference in her difference, the entry that said all items were to be
working life. Pete sat down across reception, sold to him at 1 percent over Norton
opened his laptop, and started getting some work Pharmaceutical’s cost. In slightly under ten
done. After ten or fifteen minutes, he stepped minutes, he was done. He stopped long enough to
back up to the counter. “Listen,” he said, “it looks tell Jenny thanks, he was through checking his
like Mike must’ve been held up. Is there a emails. And he had reached Mike Talbot, change of
conference room where I could sit and check my plans, he was on the way to a meeting at a client’s
emails while I’m waiting?” Jenny called the man office. And he wouldn’t forget about
who coordinated the conference room scheduling and arranged for Pete to use one that wasn’t booked. He located the room, settled in, and connected his laptop to the Ethernet port. Do you get the picture yet? Right – the intruder had connected to the network behind the corporate firewall.

Anthony’s Story

That autumn day Anthony Lake convincingly passed himself off as an employee named Peter Milton, and he had conned his way inside the Norton Pharmaceuticals offices and had already plugged his laptop into their network. So far, so good, but that was only the first step. What he still had to do wouldn’t be easy, especially since Anthony had set himself a fifteen-minute time limit – any longer and he figured that the risk of discovery would be too high. In an earlier phone call, pretexting as a support person from their computer supplier, he had put on a song-and-dance act. “Your company has purchased a two-year support plan and we’re putting you in the database so we can know when a software programme you’re using has come out with a patch or a new updated version. So I need to have you tell me what applications you’re using.” The response gave him a list of programmes, and an accountant friend identified the one called MAS 90 as the target – the programme that would hold their list of vendors and the discount and payment terms for each.

With that key knowledge, he next used a software programme to identify all the working hosts on the network, and it didn’t take him long to locate the correct server used by the Accounting department. From the arsenal of hacker tools on

recommending her for that job in Marketing, either.

Analysing the Con

The intruder who called himself Peter Milton used two psychological subversion techniques – one planned, the other improvised on the spur of the moment. He dressed like a management worker earning good money. Suit and tie, hair carefully styled – these seem like small details, but they make an impression. The attacker’s second psychological weapon came into play when he noticed the unusual effort that the receptionist was making. Handling several things at once, she didn’t get testy but managed to make everyone feel they had her full attention. He took this as the mark of someone interested in getting ahead.

Intruders are also fond of another psychological weapon used in this story: building trust with a two-stage attack. He first used that chatty conversation about the job in Marketing, and he also used name-dropping – giving the name of another employee – a real person, incidentally, just as the name he himself used was that of a real employee.

He could have followed up the opening conversation right away with a request to get into a conference room. But instead he sat down for a while and pretended to work, supposedly waiting for his associate, another way of allaying any possible suspicions, because an intruder wouldn’t hang around. Just for the record: by the laws of the land at the time of writing, Anthony had not committed a crime when he entered reception, and he had not committed a crime when he used the name of a real employee. He had not committed a crime when he talked his way into the conference room. He had not committed a crime when he plugged into the company’s network and searched for the target computer. Not until he actually broke into the computer system did he break the law.
And there’s more...

There are literally thousands more examples of social engineering and how it can be used to infiltrate your company. The technique is simply to glean separate bits of information from different parts of a company, then to identify a ‘target’ through which to carry out an attack.

Much of the seemingly innocuous information in a company’s possession is prized by a social engineering attacker because it can play a vital role in their effort to dress themselves in a cloak of believability. People trust you if you know the inside lingo of their job and their company. It’s like showing you belong to their inner circle, like a secret handshake.

What can stop a Social Engineer?

A social engineer has been given the assignment of obtaining the plans to your hot new product due for release in two months.

What’s going to stop him?
Your firewall? No.
Strong authentication devices? No.
Intrusion detection systems? No.
Encryption? No.
Limited access to phone numbers for dial-up modems? No.
Code names for servers that make it difficult for an outsider to determine which server might contain the product plans? No.

The truth is that there is no technology in the world that can prevent a social engineering attack.

Companies that conduct security penetration tests report that their attempts to break into client company computer systems by social engineering methods are nearly 100 percent successful. Security technologies can make these types of attacks more difficult by removing people from the decision-making process. However, the only truly effective way to mitigate the threat of social engineering is through security awareness combined with security training that sets ground rules for employee behaviour, with appropriate education and training for employees.

There is only one way to keep your product plans safe and that is by having a trained, aware, and conscientious workforce. The first step is to make everyone in the enterprise aware that unscrupulous people exist who will use deception to psychologically manipulate them. Employees must be educated about what information needs to be protected, and how to protect it. Once people have a better understanding of how they can be manipulated, they are in a far better position to recognise that an attack is underway.

To develop a successful training programme, you have to understand why people are vulnerable to attacks in the first place. By identifying these tendencies in your training – for example, by drawing attention to them in role-playing discussions – you can help your employees to understand why we can all be manipulated by social engineers.

People have a tendency to comply when a request is made by a person in authority. A person can be convinced to comply with a request if he or she believes the requestor is a person in authority or a person who is authorised to make such a request.

People have the tendency to comply when the person making a request has been able to establish themselves as likable, or as having similar interests, beliefs, and attitudes as the victim.

We may automatically comply with a request when we have been given or promised something of value. The gift may be a material item, or advice, or help. When someone has done something for you, you feel an inclination to reciprocate. This strong tendency to reciprocate exists even in situations where the person receiving the gift hasn’t asked for it. One of the most effective ways to influence people to do us a “favour” (comply with a request) is by giving some gift or assistance that forms an underlying obligation.

People have the tendency to comply after having made a public commitment or endorsement for a cause. Once we have promised we will do something, we don’t want to appear untrustworthy or undesirable and will tend to follow through in order to be consistent with our statement or promise.

People have the tendency to comply when doing so appears to be in line with what others are doing. The action of others is accepted as validation that the behaviour in question is the correct and appropriate action.

People have the tendency to comply when it is believed that the object sought is in short supply and others are competing for it, or that it is available only for a short period of time.

The central goal of any security awareness programme is to motivate every employee to want to chip in and do his or her part. A great motivator is to explain how their participation will benefit not just the organisation, but the individual employees as well. Since the company retains certain private information about every worker, when employees protect information or information systems, they are protecting their own information, too.
Our Social Engineering Course

Our course is designed to minimise a company’s risk with respect to social engineering attacks. These attacks involve using some kind of pretext or ruse to deceive a trusted employee into providing information or performing an action that gives the perpetrator access to sensitive business information or to enterprise computer systems and networks.

The results of this course will provide guidelines for employee behaviour for safeguarding information, which will be a fundamental building block in developing effective controls to counter potential security threats.

Effective security controls are implemented by training employees with well-documented procedures. However, it is important to note that security procedures, even if religiously followed by all employees, are not guaranteed to prevent every social engineering attack. Rather, the reasonable goal is always to mitigate the risk to an acceptable level.

What the course will broadly cover

This comprehensive information security programme will include assessing our psychological traits: remember, we are not mindful of information security threats, especially in the Western World. We are not trained to be suspicious of each other. And in the business world, when being trained to deal with customers we are always told to be as helpful as possible to everyone we come across, to supply information readily, without really considering what it might be used for.

We will also look at the individual staff risk assessments aimed at determining:

What enterprise information assets need to be protected?
What specific threats exist against these assets?
What damage would be caused to the enterprise if these potential threats were to materialise?

It’s essential that senior management buy into and strongly support the necessity of developing security policies and an information security programme. If a security programme is truly to succeed, management must do more than merely provide an endorsement; it must demonstrate a commitment by personal example.

Employees need to be aware that management strongly subscribes to the belief that information security is vital to the company’s operation, that protection of company business information is essential for the company to remain in business, and that every employee’s job may depend on the success of the programme.

Stratum Learning

The people at Stratum Learning bring together many years of experience of developing organisations and communities by developing the people within them. The programme was developed by DSI Ltd, a private enterprise started by staff working at Cardiff University. Its operations are founded on the considerable experience and expertise of a strong multi-disciplinary team, firmly committed to improving the quality of life for people of all ages in all circumstances.

This commitment has led us to work with governments, public and private sector organisations, NGOs, universities, schools, colleges and communities in general. This work has spanned Europe, Africa and the Middle East.

Please feel free to contact us in the most convenient way for you:

Telephone: 0845 388 7372
Website: www.stratumlearning.co.uk
Email: info@stratumlearning.co.uk
Mail: 3 Centre Court, Treforest Industrial Estate, Pontypridd, CF37 5YR