Hackers are forced to do the same thing that attackers have done through the ages: target the weakest link. This is where social engineering comes in. Social engineering is a dangerous attack mechanism as it does not directly target technology. Social engineering is defined in the world of IT as the art of human persuasion. A Gartner report found that more than 70% of unauthorized access to information systems is committed by employees and that 95% of these intrusions resulted in significant financial losses.
You may be thinking that these numbers indicate that many of these companies just have bad employees, but that's not always the case. A significant number of these individuals were victims of social engineering attacks. A social engineer can target employees in many different ways. A good overview of these methods can be found in Robert Cialdini's book, The Science and Practice of Persuasion. The book lists six primary methods social engineers use, which include the following:
- Scarcity: Manipulates employees by building a sense of urgency.
- Scams the worker based on the premise of power. As an example: "Hi, is this the help desk? I work for the senior VP and he needs his password reset in a hurry!"
- Liking: Preys on the fact that we tend to do more for people we like even if that means bending the rules.
- Consistency: People like balance and order. As an example, when people ask how we are, we tend to respond, "Good!"
- Social validation: Based on the idea that if one person does it, others will, too. As an example: Have you ever seen a bartender's tip jar that's full of dollars? It may make you think that if everyone else is tipping, so should you!
- Reciprocation: If someone gives you a token or small gift, you feel pressured to give something in return.
What can be done to prevent the manipulation of your employees? First, set up policies and procedures. Policies should address items such as the rules for setting up accounts, how access is approved and the approved process for changing passwords. Policies should also deal with physical concerns like paper shredding, locks, access control and how visitors are escorted and monitored.
Second, institute training and education. Policies are of little use if employees are uninformed or untrained in their use. Companies can gain greater compliance if employees understand the purpose of security policies and the negative consequences to the company and themselves that can result from ignoring such policies. Employees must also be trained as to how to report security breaches.
Finally, test and monitor compliance. Audits and periodic testing will help make the policy structure more effective. Walk through departments and look for exposed passwords or sensitive information occasionally. Testing may also include trying to call employees or the help desk to see if you can coerce them into giving you a password. When employees follow policies, offer a bonus to reward good security practices. Just by following these three simple steps, you can greatly increase your ability to deflect social engineering attacks.
About the author
Michael Gregg has more than 15 years of experience in IT. Michael is the President of Superior Solutions, Inc., a Houston-based training and consulting firm. He is an expert on networking, security and Internet technologies. He holds two associates degrees, a bachelor's degree and a master's degree. He presently maintains the following certifications: MCSE, MCT, CTT, A+, N+, CNA, CCNA, CIW Security Analyst and TICSA.
This was first published in March 2006