So, you've got two firewalls, an intrusion prevention system (IPS) and antivirus software deployed, and you're...
feeling pretty good about your enterprise's overall network security. Servers are patched, packets are being dropped, you're alerted when network traffic isn't behaving well and viruses are killed on the spot. Yep, life is good! So what's the problem?
Hackers can be quite clever, and often devious, when it comes to harvesting information from unsuspecting employees. Your helpdesk, IT staff and general user population care about helping, or sometimes just pacifying, people who need assistance. No matter how much your staff is paid, they can't be configured to drop calls like your firewall drops packets. In fact, most people want to be helpful if a seemingly innocent person needs assistance.
Social engineering can be a fruitful tactic for hackers, and it takes less time than trying to identify or bypass a firewall or an IPS. Unfortunately, or fortunately, depending on whom you ask, the security administrator can't screen everyone's calls or ask for ID from every person who steps foot into your company. It's up to the rest of your staff, those non-configurable human beings, to filter out malicious requests that come in through the doorways and over the phone lines. Are they up to the task? The best way to prepare them is to educate them on the social engineering hacker attack tactics they may encounter, both on and off the job.
Simply put, the art of social engineering involves employing clever ways of getting questions answered and then using those answers to gain access to restricted areas or information. It can come in the form of a hacker posing as a helpdesk technician, asking a user for his or her password, or other forms such as a network administrator, a distressed user, an electrician needing access to a communications closet, a fire-extinguisher technician needing access to the computer room, a janitor or any number of other believable personas. How hard would it be for some of these types of people to access a PC, or even your computer room? How many times have you asked for ID from electricians you've crossed paths with? If you found an "electrician" in a wiring closet, would you bother to question him? If you're like most people, you would assume everything is as it seems and carry on with your own daily tasks. That predictable pattern of behavior is exactly what an attacker is counting on.
In addition to educating your staff, these sorts of attacks are best prevented by creating a social engineering prevention policy that prohibits the divulging of sensitive information over the phone or email, tailgating through locked doorways and a policy requiring visitors to wear badges. I also highly recommend reading Kevin Mitnick's book on social engineering, called The Art of Deception. By looking at the human factor of security, you will help prevent unauthorized access to your company's crown jewels.
About the author
Vernon Haberstetzer, president of security seminar and consulting company i.e.security, has seven years of in-the-trenches security experience in healthcare and retail environments.
HACKER ATTACK TECHNIQUES AND TACTICS
Introduction: Hacker attack tactics
How to stop hacker theft
Hacker system fingerprinting, probing
Using network intrusion detection tools
Authentication system security weaknesses
Improve your access request process
Social engineering hacker attack tactics
Secure remote access points
Securing your Web sever
Wireless security basics
How to tell if you've been hacked