Social Engineering Attacks
EXECUTIVE SUMMARY
Social engineering is a problem that relates to manipulation of computer users out of their username and passwords. In other terms, it includes the human element of engineering attack. The social engineering aspects of cyber crime points out on human weaknesses to encourage the acts of illegal and unauthentic attacks. The report deals with the issues of social engineering attacks in regard to human perspective, the various means through which the information is being hacked and the various preventive measures which can be opted and carried out to curb the ill effects of the menace. The analysis and the research done on the issue, further stresses on creating a mass awareness among the people about the different cyber threats and their corresponding remedial measures. The importance of confidentiality of crucial information such as passwords, id’s etc has been justified in the report.
INTRODUCTION
The rise of 21st century marked the transition phase of the most global businesses towards a paperless office environment, where the focus shifted the manual to the computerized form of work culture. But at the same time, change brought a number of threats and menace in terms of one of the biggest issues of the current businesses, the social engineering used among the hackers for cracking techniques that rely more on human weaknesses rather than technology itself. The aim or motive of such attacks was getting access to passwords or other relevant information by tricking people for carrying out illegal or criminal activities. FBI and other security experts hold a firm view that majoirity of threats orginate from the internal working environment or employees who have been granted additional privileges or authorities to company’s information. People who have an urge for power and control over other individuals exhibit the social engineering skills .computer hacking is the modern form of social engineeering and the most hi tech of all (Villamor E, 2008). The fundamental problem with online social networking services especially is that there are no criteria or authentication for evidence or proof of an individuals identity, which keeps at stake both our privacy and information.
SOCIAL ENGINEERING SINKS SECURITY
Social engineering attacks are driven by financial needs where hackers try to obtain confidential information about the users to access accounts. Social engineering is the root cause to ideas behind phishing and pretexting where hackers gain confidence of people who are careless or blindly trust others helping them to take undue advantage. Hackers know the weak point which can be trashed, none other than the human element itself. No matter how advanced the technology may get, the human element opens up all the loop holes to make the social engineering attacks more easier. Destruction of personal information is too less a crime, now a well formulated and planned social engineering attack could destroy companies on the whole.
To make it more prominent, a case study was circulated on the net, where a credit union employeed a ethical hacking company to test the compnay security practices. The security consultants intentinally dropped few thumb drives, in utter curiousness people plugged in the devices to inject the trojan viruses affceting the entire system. In this situation one could clearly differentiate the weaknesses and unprofessional attitude of the people towards the security and safety aspects and technologies(Linda M,2006).
SOCIAL SECURITY ATTACKS AGAINST PEOPLE
Social engineering is the human side of cracking into a corporate network. To launch an attack, human interaction is preferred because they are the easy targets. Social Engineering, is generally referred to as people hacking, to gain information about usernames, passwords, personal identification codes (PINS), credit card numbers and expiration dates etc. It’s an attack against the people as hackers are more inclined towards extracting information for personal advantage rather than system failures. Web spoofing is an eminent problem involving e-mail frauds and web sites to grab the private information of the users. To safeguard people, social engineering tactics could be introduced to increase internal awareness and reduce future threats. Education and supervision are the only modes to mitigate the internal security risks. The best protection against social engineering attack is creating awareness by users through education.
People reveal information to social engineers on account of trust, faith and social relations unrealizing the fact that they have been victimized, even after the hacker uses the information given them for illegal and harmful reasons.
INTERNAL ASSESSMENT PROCEDURE
A small case study would reflect the importance of incorporating an internal assessment procedure for safeguarding oneself from the social engineering attacks. A woman calls a company’s help desk to get her password because she’s forgotten it and needs it urgently to fix up her deadlines on a big advertising project. The help desk worker feels sorry for her and quickly resets the password — unwittingly giving a hacker clear entrance into the corporate network. Meanwhile, a man is in back of the building loading the company’s paper recycling bins into the back of a truck. Inside the bins are lists of employee titles and phone numbers, marketing plans and the latest company financials. This example reveals the fact of human weakness overpowering the technological loopholes. To overcome such issues, all companies need to set up an internal assessment procedure, whereby people could be properly directed, trained and educated to handle the security and information safety issues.
To accomplish the task a complete internal assessment procedure could be undertaken whereby the future projects are identified and a social engineer is appointed for overall supervision of the project and handling of all security issues and aspects related to the project including the employee and the systems as well. The project engineer must be represented as a significant project resource that can perform all social engineering tactics to safeguard the information and providing solutions to remediate the problems. The report complied by the engineer at the end of the process must be forwarded to the management for further consideration.( Bevis J, viewed on 30th August, 2008)
MODES OF COMMON ONLINE ATTACKS
The most common online attacks featured in the current issues creep up from the e-mails, pop up applications, instant messages that flash on the screen and subvert computer resources. The most common flaws noticed in the usage of the system which helps in information hacking are firstly the presence of active links and excessive information about the company profile, details of the employees etc which facilitates the hacking process. Phone scamming is very common now days where caller’s information could be hacked through phones. Dumpster diving is the easiest mode to retrieve information stored in trash ((Meyer, Eric, 2005). Phishing is a form of social engineering attack that uses email and web sites for extracting personal information. Attackers may send email representing a renowned company requesting for information to gain access to the accounts. For instance, several cases have happened in the past where the hacker was successful in obtaining information by conveniently misguiding the other person. Once, using a “war dialer” together with a call to the company’s computer help desk, the hackers extracted the phone numbers of the company modems and were able to gain access to the systems.
PREVENTION OF SOCIAL ENGINEERING ATTACKS
Installation of strong anti virus programs in the system is not enough to combat the threat of attacks. A complete and through security solution is required to provide total digital immunity for protection and security of the systems which includes a pro-active approach to prevent any loss of information from the anticipated perils ((Mansukhani M,2007). Use of features such as e-scan, content security, firewall software’s, advanced anti virus programs with regular updates, e-conceal and many more to name have been undertaken as solutions to prevent the social engineering attacks. Use of spoof guards against the identity theft could be used to examine web pages and generate alarms in suspect to any attack. Assessment of threats is must for any organization, they must know and where the information could travel in and out of the organization and must ensure that people are adequately trained and aware about all the potential threats possible and try to cooperate in reducing and eliminating the negative impact of anticipated as well unanticipated risks.
Apart from this companies should take care to put limited information on the web sites and avoid creating active links to email addresses. Being cautious and alert when answering IT related questions on phone could help in avoiding phone scamming. Shredding services should be used to prevent dumpster diving. Proper logging off the individual workstation lessens up the chances of hacking though not completely eradicating them. One can prepare a strong defense system against the social engineering attacks by including instructions and alerts in the security policy of the company.
Many of the people consider social engineering attacks as an attack to their proficiency or intelligence , what needs to be done at this stage is creating awareness about security and sensitivity to information.
INTEGRATION OF SOCIAL ENGINEERING AND INFORMATION SYSTEM
Information security is much more than patching computers, it involves a combined and a unanimous effort from all aspects such as the physical security, users training and the network policies. Information security training is a prime task for any organization to impart to its employees for ensuring better security plans and incorporating as many number of security layers from top to bottom levels of system operations (Meyer, Eric,2005). The usefulness of the information and the difficulty level in acquiring the information depends upon the strength of the security layering of the company. Thus, the social engineering must be integrated with the information assessment procedures of the company.
Meticulous planning along with carefully drafted objectives is a critical tool in defining an organizations security plan. Spreading the word of caution, conducting frequent tests for detection of threats and their meaningful and timely analysis can measure the effectiveness of the people centric control rather than the application of conventional and outdated measures of security.
CONCLUSION
Social Engineering is just a method to exploit the casual and untailored attitude of people which could only aggravate the security issues and grow dodgier as people “forget” to make security their priority. Updating security policies and imparting training to people can certainly minimize the impact of social engineering attacks. Personnel should understand the magnitude of risks and the information at stake. It is important that it is stressed to all users the importance of keeping information confidential. The fact still lies that social engineering has penetrated deep into our systems and it works to its highest peak (Morill D,2006), acknowledging the ability of the humans to be fooled easily, such attacks are difficult to be completely eradicated or wiped, but a mass awareness to the cause can help in restriction of spread of the networking epidemic.
Order Now