
Social-engineering attacks bypass more than your virus checker
The following is good tradecraft and good countermeasures. Nothing new per se, but something that needs constant training and vigilance. (3M, for example, long ago got on the bandwagon and has been hard to penetrate in this manner.) Just as with virus attacks, which depend upon Homo Boobus being lured to open the attachment, this penetration attack bypasses the network by working the people manning it.

Understand that it is human nature to want to help others (and you often train for this very behavior) but that this instinct can sidestep your security practices. As a security consultant wisely observed, there is "No common sense without common knowledge." Until your employees, contractors, and even suppliers are aware of the dangers in leaking seemingly trivial corporate information, outsiders will be able to wangle through to areas you thought them barred.

FYI, the 'janitor' link takes you to the Winter 94-95 issue of 2600-The Hacker Quarterly. The article is "Janitor Privileges." We are not dealing with new things here.

Ensure that your security policy includes social-engineering attack prevention. And if you put in place a corporate alert system using a simple e-mail address (#10 below), please be sure to have someone actively monitoring it for response. You would not believe how many of those lines never answer or draw a response:

Why firewalls aren't always enough
By Robert Vamosi: Senior Associate Editor, Reviews
Friday, March 12, 2004

Like con men and grifters, criminal hackers (a.k.a. crackers) are talented people. The infamous Kevin Mitnick, for example, conducted most of his corporate intrusions by using the telephone, relying on the gullibility and friendly helpfulness of real people to gain access to corporate networks.

Such "social-engineering attacks"--often precursors to computer-network attacks--are still real threats, which is why they were a hot topic at this year's RSA Conference in San Francisco. That's why I thought it would be good to further explain what social-engineering attacks are and offer some pointers on how to protect yourself from them.

Aside from using the telephone, Winkler cited other ways crackers score information. Among them: good old dumpster diving, shoulder surfing (literally reading typed passwords over someone's shoulder, say, on the train), outright theft (stealing a backup tape, a notebook, a PDA, or a prototype model), and finally, getting hired into a low-level job at the company. It's common, said Winkler, for criminal hackers to apply for jobs as janitors or mailroom assistants within a targeted company.


(1) Activate caller ID at work. Calls within my company, for example, display the name of the person calling.

(2) Set your company's outbound caller ID to display only the front desk's phone number, not individual phone extensions.

(3) Implement a company call-back policy. If someone calls asking for information about the company, say you'll call them back, then dial the number from within your corporate directory or go through their company's switchboard operator.

(4) Be mindful of information posted in out-of-the-office messages. For example, don't leave the full name of your supervisor. A skilled cracker could now call another department and say that your supervisor is on his back because you're out on vacation and the cracker really, really needs access to this one particular account. In this case, a little knowledge can go a long way.

(5) Never allow anyone you don't know to piggyback physical access into a room on your security ID card.

(6) Confront strangers. Ask if you can take them to someone's office or help escort them outside.

(7) Get to know your IT support staff. That way, if someone else calls saying they're from IT and needs your network password, which you should never give out anyway, you can say no and hang up with confidence.

(8) Never write down your network password on a Post-it Note or tape it to the bottom of your keyboard; crackers, if inside the building, know where to look.

(9) Periodically perform a Google search on your company and scrutinize whether sensitive company information is available outside your corporate firewall.

(10) Institute a companywide security alert system. Have anyone who receives a suspicious phone call report it to a simple e-mail address, something like securityalert@company.

Gordon Housworth
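One way to act on the caveat about item #10, that an alert address is only useful if someone actually answers it, is to audit the mailbox itself. The script below is an added example, not code from Housworth's post or Vamosi's article: it parses a handful of messages, correlates replies to reports through the In-Reply-To and References headers, and lists reports that have drawn no response within a service-level window. The mailbox address (securityalert@example.com), the four-hour SLA, and the sample messages are all constructed for the example.

```python
"""Audit a security-alert mailbox for reports that never drew a response.

Added example. The messages below are constructed RFC 822 text, not real
mail; securityalert@example.com and secteam@example.com are placeholders.
"""
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

ALERT_ADDRESS = "securityalert@example.com"   # assumed alert mailbox
RESPONSE_SLA = timedelta(hours=4)             # assumed response window
CHECK_TIME = datetime(2004, 3, 15, 17, 0, tzinfo=timezone.utc)  # "now" for the audit

# Constructed sample mailbox: two reports, only the first one acknowledged.
SAMPLE_MESSAGES = [
    """From: alice@example.com
To: securityalert@example.com
Date: Mon, 15 Mar 2004 09:00:00 +0000
Message-ID: <report-1@example.com>
Subject: Suspicious call asking for my network password

Caller claimed to be from IT and asked for my password. I hung up.
""",
    """From: secteam@example.com
To: alice@example.com
Date: Mon, 15 Mar 2004 09:45:00 +0000
Message-ID: <ack-1@example.com>
In-Reply-To: <report-1@example.com>
Subject: Re: Suspicious call asking for my network password

Thanks, we are following up with the switchboard.
""",
    """From: bob@example.com
To: securityalert@example.com
Date: Mon, 15 Mar 2004 10:30:00 +0000
Message-ID: <report-2@example.com>
Subject: Stranger piggybacked through the loading dock door

Someone without a badge followed me in this morning.
""",
]


def parse_mailbox(raw_messages):
    """Parse raw message strings into email.message.Message objects."""
    return [message_from_string(raw) for raw in raw_messages]


def split_reports_and_acks(messages):
    """Separate reports sent to the alert address from replies to them.

    A report is a non-reply delivered to ALERT_ADDRESS. Any message carrying
    In-Reply-To or References contributes the Message-IDs it names to the set
    of acknowledged reports.
    """
    reports = {}
    acked_ids = set()
    for msg in messages:
        refs = " ".join(filter(None, [msg.get("In-Reply-To", ""),
                                      msg.get("References", "")]))
        if refs:
            acked_ids.update(token.strip() for token in refs.split())
        elif ALERT_ADDRESS in msg.get("To", ""):
            reports[msg["Message-ID"].strip()] = msg
    return reports, acked_ids


def unanswered_reports(raw_messages, now, sla=RESPONSE_SLA):
    """Return Message-IDs of reports older than `sla` that have no reply on file."""
    reports, acked_ids = split_reports_and_acks(parse_mailbox(raw_messages))
    overdue = []
    for msg_id, msg in reports.items():
        if msg_id in acked_ids:
            continue
        sent = parsedate_to_datetime(msg["Date"])
        if now - sent > sla:
            overdue.append(msg_id)
    return overdue


if __name__ == "__main__":
    for msg_id in unanswered_reports(SAMPLE_MESSAGES, CHECK_TIME):
        print("no response within SLA:", msg_id)
```

Run on a real mailbox export, the same logic turns "is anyone reading securityalert@?" from a hope into a daily metric; a report that stays on the overdue list is exactly the unanswered line Housworth warns about.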
