Social Engineering and Information Security
We are in an age of information explosion, and one of the most critical problems facing us is the security and proper management of information. Advanced hardware and software solutions are constantly being developed and refined to patch the technical loopholes that might allow a hacker attack and the consequent breach of information security. While this technical warfare continues, hackers are pursuing other vectors of attack. Social engineering refers to the growing use of techniques, both technical and non-technical, that exploit cognitive biases in humans, the weakest link in computer security. What is shocking is that, in spite of this great vulnerability to human exploitation, a seemingly careless attitude towards it prevails in the corporate world. While more and more money is spent on beefing up hardware security and acquiring expensive software solutions, little is done to address social engineering exploits. Although government laws and regulations such as HIPAA, SOX (Sarbanes-Oxley) and the Gramm-Leach-Bliley Act (GLBA) are already in place to protect privacy and information security, it is important that more awareness is created about social engineering threats. This paper is a brief overview of the various technical and non-technical social engineering techniques and of the simple but effective measures that could be implemented to protect end users from social engineers.
Social Engineering Techniques
Pretexting
Pretexting is defined as "the act of creating an invented scenario to persuade a targeted victim to release information or perform some action" [Hadnagy & Wilson, chapter 4]. Social engineers conduct extensive research so that they can impersonate someone convincingly, make the target believe them and get the target to disclose vital information. This background research and rehearsal lets the social engineer convince the target easily, because the request appears to be a legitimate one. The phone is the most important tool used for pretexting, and it enables the social engineer to obtain vital personal information from users. The most famous incident of corporate pretexting was the 2006 HP scandal. In this case Patricia Dunn, the chairwoman of HP at the time, employed security officials who used pretexting to obtain the phone records of HP board members and other employees in order to find an inside leak, and they succeeded in doing so. In a court statement, the FTC reported that "the defendants have obtained confidential customer phone records, including lists of calls made and the dates, times, and duration of the calls, and sold them to third parties without the knowledge or consent of the customers" [Greg Sandoval, Feb 2007]. The Telephone Records and Privacy Protection Act of 2006 made it clearly illegal for any person or corporate entity to use fraudulent methods to obtain call records from a phone company. Violations are punishable by imprisonment of up to 10 years.
Phishing
Phishing attacks are a common form of technical social engineering attack that uses either a website or an email as the medium for tricking an unaware customer into giving out vital information such as bank account or credit card details. Email phishing scams often involve warnings about a breach of account security and ask the customer to re-enter their account details and change their passwords. Typically, a phishing email contains a link to a malicious website that resembles the real website of a reputable bank or other business. Unaware users re-enter or update their personal details on that site, and the social engineer can then use them to gain access to the users' accounts. [McDowell, 2009]
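As an added illustration of the defensive side of this paragraph (this script is not part of the original paper), the following Python code flags the two tell-tale features just described: alarmist "your account has been breached" wording, and a link whose visible text names the bank while the actual href points to a look-alike host. The sample message, the domain names and the trusted-domain list are all constructed placeholders in reserved TLDs, not real indicators.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of the kind of message the paper describes (placeholder domains only).
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examplebank.example>
To: customer@mail.example
Subject: Urgent: your account security has been breached
Content-Type: text/html; charset=utf-8

<p>We detected suspicious activity. Please
<a href="http://examplebank.example-secure-login.test/update">re-enter your details at
https://www.examplebank.example/login</a> within 24 hours or your account will be frozen.</p>
"""

TRUSTED_DOMAINS = {"examplebank.example"}  # assumed: the bank's genuine domain(s)
URGENCY_TERMS = ("breach", "frozen", "urgent", "re-enter", "within 24 hours")


class _Links(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a hostname: adequate for this demo, not a public-suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def analyze_email(raw):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_content()
    parser = _Links()
    parser.feed(body)
    findings = []
    text = (str(msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if len(hits) >= 2:  # one scary word is normal; several together is the phishing pattern
        findings.append(f"urgency language: {hits}")
    for href, shown in parser.links:
        host = urlparse(href).hostname or ""
        dom = registrable(host)
        if dom not in TRUSTED_DOMAINS:
            for trusted in TRUSTED_DOMAINS:
                if trusted.split(".")[0] in host:  # brand name embedded in a foreign host
                    findings.append(f"lookalike host {host} imitates {trusted}")
        m = re.search(r"https?://([^\s/]+)", shown)  # URL shown in the link text
        if m and registrable(m.group(1)) != dom:
            findings.append(f"link text shows {m.group(1)} but points to {host}")
    return findings


def is_phishing(raw):
    return bool(analyze_email(raw))
```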
Phone Phishing
Phone phishing is the newest trend among social engineers. As more and more users become aware of the dangers of unsolicited emails, hackers have begun to phish over the phone instead. In particular, the availability of low-cost VoIP services has attracted them to this popular medium for their fraudulent schemes. Phishing over VoIP is now popularly termed vishing. Users receive voice mails that sound like legitimate messages from their bank, informing them that their account has been frozen, and are asked to call back a particular number to reactivate it. Unwary customers call the number and divulge their account details, completing a successful vishing scheme for the hacker. [Sonja Ryst, 2006]
Persuasion
Social engineers rely on their successful impersonation and persuasion skills to con the users. They utilize the human qualities of 'Trust', 'Helpful nature',...