Tip

Understanding social engineering hacker attack tactics and threats

Vernon Haberstetzer, Contributing Writer
So, you've got two firewalls, an intrusion prevention system (IPS) and antivirus software deployed, and you're feeling pretty good about your enterprise's overall network security. Servers are patched, packets are being dropped, you're alerted when network traffic isn't behaving well and viruses are killed on the spot. Yep, life is good! So what's the problem?

Hackers can be quite clever, and often devious, when it comes to harvesting information from unsuspecting employees. Your helpdesk, IT staff and general user population care about helping, or sometimes just pacifying, people who need assistance. No matter how much your staff is paid, they can't be configured to drop calls like your firewall drops packets. In fact, most people want to be helpful if a seemingly innocent person needs assistance.

Social engineering can be a fruitful tactic for hackers, and it takes less time than trying to identify or bypass a firewall or an IPS. Unfortunately, or fortunately, depending on whom you ask, the security administrator can't screen everyone's calls or ask for ID from every person who steps foot into your company. It's up to the rest of your staff, those non-configurable human beings, to filter out malicious requests that come in through the doorways and over the phone lines. Are they up to the task? The best way to prepare them is to educate them on the social engineering hacker attack tactics they may encounter, both on and off the job.

Simply put, the art of social

    Requires Free Membership to View

engineering involves employing clever ways of getting questions answered and then using those answers to gain access to restricted areas or information. It can come in the form of a hacker posing as a helpdesk technician, asking a user for his or her password, or other forms such as a network administrator, a distressed user, an electrician needing access to a communications closet, a fire-extinguisher technician needing access to the computer room, a janitor or any number of other believable personas. How hard would it be for some of these types of people to access a PC, or even your computer room? How many times have you asked for ID from electricians you've crossed paths with? If you found an "electrician" in a wiring closet, would you bother to question him? If you're like most people, you would assume everything is as it seems and carry on with your own daily tasks. That predictable pattern of behavior is exactly what an attacker is counting on.

In addition to educating your staff, these sorts of attacks are best prevented by creating a social engineering prevention policy that prohibits the divulging of sensitive information over the phone or email, tailgating through locked doorways and a policy requiring visitors to wear badges. I also highly recommend reading Kevin Mitnick's book on social engineering, called The Art of Deception. By looking at the human factor of security, you will help prevent unauthorized access to your company's crown jewels.

About the author
Vernon Haberstetzer, president of security seminar and consulting company i.e.security, has seven years of in-the-trenches security experience in healthcare and retail environments.


HACKER ATTACK TECHNIQUES AND TACTICS

  Introduction: Hacker attack tactics
  How to stop hacker theft
  Hacker system fingerprinting, probing
  Using network intrusion detection tools
  Authentication system security weaknesses
  Improve your access request process
  Social engineering hacker attack tactics
  Secure remote access points
  Securing your Web sever
  Wireless security basics
  How to tell if you've been hacked

This was first published in February 2005

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.