Computer Crime Research Center


Thwarting Hacker Techniques: Combating social engineers

Date: February 22, 2005
By: Vernon Haberstetzer

So, you've got two firewalls, an intrusion prevention system [IPS] and antivirus software deployed, and you're feeling pretty good. Servers are patched, packets are being dropped, you're alerted when network traffic isn't behaving well and viruses are killed on the spot. Yep, life is good! So what's the problem?

Hackers can be quite clever, and often devious, when it comes to harvesting information from unsuspecting employees. Your helpdesk, IT staff and general user population care about helping, or sometimes just pacifying, people who need assistance. No matter how much your staff is paid, they can't be configured to drop calls like your firewall drops packets. In fact, most people want to be helpful if an innocent person needs assistance.

Social engineering can be a very fruitful technique for hackers, and it takes less time than trying to identify or bypass a firewall or IPS. Unfortunately, or fortunately, depending on whom you ask, the security administrator can't screen everyone's calls or ask for ID from every person stepping foot into your company. It's up to the rest of your staff, those non-configurable human beings, to filter out malicious requests that come in through the doorways and over the phone lines. Are they up to the task? The best way to prepare them is to educate them on social engineering tactics they may encounter on and off the job.

Simply put, the art of social engineering involves clever ways of getting questions answered and then access to restricted areas or information. It can come in the form of a hacker posing as a helpdesk technician asking a user for his password, a network administrator, a distressed user, an electrician needing access to a communications closet, a fire-extinguisher technician needing access to the computer room, a janitor or any number of other believable personas. How hard would it be for some of these types of people to access a PC, or even your computer room? How many times have you asked for ID from electricians you've crossed paths with? If you found an "electrician" in a wiring closet, would you bother to question him? If you're like most people, you would assume everything is as it seems and carry on with your own daily tasks.

In addition to educating your staff, it's best to create company policies prohibiting the divulging of sensitive information over the phone or e-mail, tailgating through locked doorways and a policy requiring visitors to wear badges. I also highly recommend reading Kevin Mitnick's book on social engineering, called "The Art of Deception." By looking at the human factor of security, you will help prevent unauthorized access to your company's crown jewels.

Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo