It is a common misconception that security is solely a technological problem. Companies and individuals may devote a significant portion of their spending to designing the best security policies, protecting themselves with the latest security products and hiring personnel from the top security firms. Such entities are still vulnerable to attacks.
Technology creates a false sense of security among people, leading them to ignore the weakest link in security practice: the human factor. Anybody who thinks that equipping themselves with the latest security products and technology makes them immune to attacks buys into this same illusion of security. Security should be viewed as a process, not a product, and should be tackled not as a technological problem but as a people and management problem.
Why is that the case? Because the biggest threat to a business is a social engineer: usually an unscrupulous, glib, friendly and obliging person who distracts you with one hand while stealing your secrets with the other. A classic example is the story of Stanley Mark Rifkin. Rifkin was able to wire-transfer ten million two hundred thousand US dollars out of Security Pacific's wire transfer room, which was open to authorised personnel only. He did so by gaining access to the room on the pretence of taking notes on operating procedures, and writing down the code that clerks used to authorise transfers. He entered the Guinness Book of World Records for what was then the largest computer fraud. Rifkin pulled off the biggest heist of its time without a gun, using only persuasion and deception, which is today known as social engineering.
At the core of a social engineering attack lies the tactic of gaining access to information that a person considers innocuous. Consider the following example.
Call 1
The attacker calls up State Bank.
Attacker: Hello, I am a writer who is researching for a novel. Can you tell me if banks have something called a Merchant ID with card companies? I want to get the lingo right for my book.
Initially the clerk hesitates, but confirms that Merchant ID is the correct term. Here, the clerk parts with a piece of information that will help the attacker.
Call 2
Attacker: Hello, I am calling from MasterCard. We are doing a survey to improve our services with partner banks. Would you be willing to answer a few questions?
As the employee agrees, the attacker goes on to ask a few questions and skilfully coaxes out the Merchant ID of the bank from the employee.
Call 3
The attacker now calls up MasterCard posing as a State Bank employee, provides Aadhaar card details and a birth date to the MasterCard employee, and learns all the sensitive information related to them.
In the first call, the term "merchant ID" is well known within the bank, so the clerk might not have judged it as parting with valuable information. However, the second employee could have shown some restraint and judgement before answering the survey questions. Here, the merchant ID effectively served as a password that was used to gain access to information, which the attacker could then use at their discretion. The moral of this story is that no information should be revealed until the identity of the requesting party is established and their need to know is confirmed. Often, all a social engineer needs to do to gain information is ask for it.
Research is key to social engineering, and social engineers often call up local law enforcement agencies to learn about ways they can use laws to circumvent your security policies. It is also key that security policies extend to every employee, regardless of whether they have access to electronic devices or storage cabinets that house data. Whenever information changes hands, there is a real possibility that it ends up with an attacker. For example, records that have been marked for destruction can end up in an attacker's hands if they set up a ruse in which the records are exchanged for a service.
The key to any social engineering attack is building trust. An attacker researches and plans their moves by anticipating the questions the victim could ask and preparing satisfactory answers for them. Once trust is built, the path to executing an attack becomes easier. They can extract information that can be used to crack passwords, gain access to bank accounts or commit identity theft. Even though our first instinct may be to suspect a person, a good social engineer eventually persuades you to give them the benefit of the doubt. They may come as a good Samaritan to help you out and then play on your gratitude to extract some information. They may ask you for a favour in return for their favour, and it is paramount that you do not agree until you have established the person's exact intentions. Such situations may make you an inadvertent participant in the attack. Consider a technician who asks you to install some software after he fixes your computer, and you do it because you trust that he knows what he is doing. However, you might be installing malware or spyware that enables him to gain access to your computer and to any computer you might connect to.
Prevention of social engineering attacks begins with education. It is vital that employees and individuals learn about the different kinds of social engineering attacks and take every proposition with a pinch of salt. It is paramount to verify the identity of the person to whom information is divulged, and security policies should be followed at all times to prevent accidental leakage of data. Care must be taken that no suspicious software or emails are opened on computers, as doing so may put everyone on the network at risk. Technological barriers may act as a deterrent to attacks, but true protection lies in an individual who follows security policies and understands how others might maliciously influence his behaviour. Ultimately, it is not a switched-off computer that is safest, but a well-informed user who protects himself and others.
Authors:
Sagnik Sen Sarma
Atharva Badve
Mohnish Parmar
Hrishikesh Jadhav
References:
"The Art of Deception", by Kevin Mitnick