Thursday, December 17, 2015

UNDERSTANDING AND TACKLING SOCIAL ENGINEERING


A company cannot rely on the thought, “Our systems are protected with top-of-the-line security products and our employees are aware of security. We are completely safe.”
Deploying more systems and protective devices might resolve some security problems, but the crucial component of security is the individual, not the machine itself. Installing the latest applications will not guarantee comprehensive protection of the system.

WHY? Here is a real-life instance that shows us why.
Four high-level executives received emails that appeared to come from an employee inside a U.S.-based Fortune 500 manufacturing firm. The emails looked 100% genuine and discussed a corporate plan the CEO was advocating. One of the executives clicked on the link in the email, and that was all that was needed. That single careless click released malware that infected the executive’s computer. This gave the attackers a path into the company’s network, which allowed them to sniff for passwords and gain access to multiple systems. Incidents similar to this happen to companies every other day.


Today, the amount of information a person possesses is directly related to the power that person can have over others. Thus it is crucial not only to obtain information but also to protect it from possible attacks. Social engineering is a method by which a person or group of persons is manipulated into providing access to particular information or into behaving in a certain way. It relies on psychological ruses or tactics used against the system user to obtain significant data such as usernames, passwords, access codes, security codes and credit card numbers, for direct or hidden profit. People who reveal data are usually aware that they are doing so, but they consider the information they provide not to be vital; the goal of social engineers is to connect the dots, joining together the pieces gathered from numerous sources. Social engineering takes advantage of the inherent nature of humans to manipulate others and acquire sensitive information.

How can awareness be created in the company to prevent an incident like the one mentioned above?
One can do this by asking a lot of questions, such as: “How vulnerable are the employees in your company to the usual social engineering threats such as phishing, smishing and office snooping? If your employees see a random USB drive, how likely are they to pick it up and plug it into a computer? Do your employees know about the techniques and scams used by social engineers?”
Along with asking pertinent questions, there are various methods that can be used to create awareness.
Knowledge assessment - Create a customized, scenario-based questionnaire about social engineering and other security issues to check the knowledge of your employees on those issues. With the help of the knowledge assessment, the company can better understand the employees’ knowledge of security and can create customized training based on the results (that is, which area of security the company needs to focus on in training).
Education and training - Organizations should train and educate their employees about security so that they understand the issue better, making them more unwilling to reveal company or personal information. Examples: how to properly discard documents, how to question the credentials of the people they are dealing with, and how to deal with unknown emails and the links embedded in them.
Policies - The company should prepare a very comprehensive policy regarding the company’s security, with thorough instructions that help employees understand how to appropriately handle company information and user data.
Apart from these methods, the company should train employees using a variety of approaches and track their involvement in them. If the employees understand the problem, the company policy towards it and the training provided, then they will be able to handle the issue appropriately. There is a very real possibility that even after deploying the finest and most expensive security technologies, an organization remains entirely vulnerable: a good social engineer can collect information about that organization simply by gaining the trust of, and being friendly with, a user. Therefore it is up to us to understand the problem and not let ourselves become vulnerable.





Friday, December 11, 2015

PASSWORD PROFILERS


Many of us have heard of psychological or behavioral profiling, but for many of you this may be the first time hearing about password profiling. So, who are password profilers and what do they do?


Password profilers analyze and classify their targets and their passwords. If the profilers can gather information on a target, it becomes easier for them to build a profile, and based on that profile they can create a list of possible passwords to try in brute-force attacks. A brute-force attack is a password and cryptography attack: it does not try to decrypt any information but keeps trying lists of various words, letters and passwords.
Although we hear about security breaches and other security-related news, we fail to stay careful about our own security. Most of this is because people think that an incident like that will never happen to them. One of the first steps towards keeping one’s information protected is to maintain a strong password. People still use passwords like 1234, their date of birth, or other information related to them personally. This makes their passwords weak and creates a passage for password profilers to get in. According to research conducted by a hacker named Tonu, out of 734,000 people, more than 234,000 used just six characters in their passwords, more than 17,000 of those people used the password ‘123456’, and nearly 4,600 chose to use ‘password’ as their password. And people wonder why their passwords got cracked and their information got stolen.
Password profilers can use several methods to obtain passwords from their target: impersonation, in person, shoulder surfing and websites. With impersonation, the attacker pretends to be the system manager or a technician of a large corporation and contacts the company’s employees claiming there is a problem with the company’s account. The profiler asks the employees to log in to the account to fix the problem, and after several attempts, when the employee cannot follow the instructions, the attacker acts frustrated and asks the employee for the password to the account so they can fix it for them. In the in-person method, the profilers get into office buildings under a false identity (service worker, consultant, etc.). To make it look authentic, they may even wear the company’s uniform and thereby gain access to gated buildings. Once inside, they may be able to find default usernames and passwords left in plain view (common passwords posted somewhere, the password-reset procedure posted on a notice board). This type of attack is more effective against mid-sized businesses, since bigger companies normally have stricter rules that help prevent such attacks. People may not notice or expect this procedure.
In big companies with numerous employees, people do not have time to pay attention to what others are doing around them. People with bad intentions can simply focus on their target and look over their shoulder to get information. Nobody covers their monitor while working, because nobody thinks they are being looked at, and even if they feel they are being watched, in a passive-aggressive atmosphere like that the target chooses to avoid any possible argument and thus assumes that the watcher’s purpose is harmless. In the website technique, the password profiler gives the target some reason for requiring a username and password combination, and there are several ways to do this. One of them is to lead the target to a familiar web page (email provider, financial institution, etc.) that requires a username and password, but with a fake URL placed in the address bar to make the website look genuine; when the target enters the information, the password profiler gains access to it.
Passwords help make sure that password profilers and others do not gain access to a computer or other valuable information unless they have been granted permission to do so. To make passwords easier to memorize, users frequently use the same or related passwords on every system, and if given the choice, most users would pick passwords that are simple and easy to remember or easy to guess. But short and easy passwords are comparatively easier for password profilers to determine. Since profilers have become progressively more sophisticated at cracking passwords, one of the easiest defenses we have on the Internet is to create the strongest password possible in order to defend our data, computers and online accounts. When creating a strong password it is imperative to use both upper- and lower-case letters, to incorporate punctuation and numbers, and to make the password a minimum of eight characters long.
Our systems and our information are vulnerable, but it is up to us whether to leave them the way they are or make them strong.
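As an added illustration of the advice above (this is example code written for this post, not code from the post or from any product it mentions), here is a small Python policy check that enforces the composition rules listed and also rejects passwords built from the very profile data a password profiler would start with. The user name, birthdate and common-password list are constructed sample values.

```python
import re
from datetime import date

# Constructed sample of the commonly reused passwords the post mentions;
# a real deployment would load a full breached-password list instead.
COMMON_PASSWORDS = {"123456", "password", "1234", "qwerty", "111111"}


def profile_tokens(name, birthdate_iso, extra=()):
    """Derive the strings a profiler would try first from a target's personal
    data: name parts, initials, and the birthdate in common digit layouts."""
    parts = name.lower().split()
    tokens = set(parts)
    tokens.add("".join(p[0] for p in parts))  # initials
    bd = date.fromisoformat(birthdate_iso)
    for fmt in ("%Y", "%d%m", "%m%d", "%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%m%d%y"):
        tokens.add(bd.strftime(fmt))
    tokens.update(t.lower() for t in extra)  # e.g. a username, if known
    # Very short fragments would match almost anything, so drop them.
    return {t for t in tokens if len(t) >= 3}


def check_password(password, name, birthdate_iso, extra=()):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no punctuation")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    # Reject anything containing a fragment derivable from the user's own profile.
    for token in sorted(profile_tokens(name, birthdate_iso, extra)):
        if token in lowered:
            problems.append(f"contains profile-derived token '{token}'")
    return problems


if __name__ == "__main__":
    # Constructed sample user: the post's own weak choices versus a compliant one.
    for pw in ("123456", "Alice1990!", "Tr0ub4dor&Cloud9"):
        print(pw, "->", check_password(pw, "Alice Smith", "1990-03-14", extra=["asmith"]) or "OK")
```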



Wednesday, December 2, 2015

Week 1: Introduction


Hello to all the Information Security Enthusiasts,
Blogging is going to be a very new experience for me because I am fairly new at this, so I urge all of you to be a little tolerant of me.
Throughout the upcoming days, I have chosen to write on something that would be readable and beneficial not only to people in the information security profession but also to people who are very new to information technology. I am very new to this field myself because I do not have any background in Information Technology. Deciding to pursue my graduate degree in Cybersecurity has been one of the best and wisest decisions I have made. With each class I have taken throughout the graduate degree, I have had the opportunity to learn something new. I am looking forward to blogging about what I have learnt, and about the latest information security related news and articles that I come across during the blogging period. I can already feel that writing a blog is going to be a very worthwhile experience.