The Danger of Social Engineering to Businesses - Technibble

The Danger of Social Engineering to Businesses

  • 01/22/2007

Over the years I’ve talked to a lot of people, most of whom are seeking advice or guidance on some kind of computing-related subject, which is fine; I’m happy to help anyone looking to improve their ability. However, when I’m sitting in a general chat room and people are aware of my computing ability, I’ll often get a question along the lines of “Can you hack web-based email accounts?” The request usually comes from 12-15 year old teenage boys. My usual response is to direct them to Google. In reality, though, hacking someone’s webmail account isn’t really that hard if you know enough about the person.

For example, if you wanted to gain access to an account owned by a close family member, you would probably already know enough information about them to answer the security questions that allow you to reset their password; hell, you may even be able to guess their existing password.

Let’s just look into how easy it is to hack the Hotmail account of someone you don’t know. All the information needed could be given out in one chat conversation if you were good at it. The first thing you need to find out is their Hotmail address, which is usually given up freely, just by asking for it. Next, to reset the password, we need to know where this person lives. Slightly trickier, but again reasonably easy to get, just by asking for it. If you need information such as a zip code, you would have to ask for it with a justification; for example, you’d say something along the lines of, “Oh, you live in New York? That’s cool, my brother lives there now, I wonder if you are near him? What zip code are you in?” This technique is known as social engineering: rather than hacking a Hotmail account, you’re hacking the person for the information that will give you access to the Hotmail account.

After talking to this person for a while, maybe an hour or more, you will start to gather information about them, and most likely you’ll eventually get the information that allows you to answer their secret question. It’s usually something like favorite pet, mother’s maiden name, first school, etc. If you put in enough time, it can be easy to gather all of this information.

This article on “hacking” Hotmail accounts stresses the need to keep personal information to yourself and avoid being socially engineered. Even with only your name, anyone with enough motivation can find out a wealth of information about you. Anyone with enough information about you can easily turn malicious and start impersonating you, stealing virtual property and website account details, and possibly even your identity.

How to protect yourself and your clients from Social Engineering

To protect a network against social engineering attacks, you or your client’s business need to create a set of security policies that lay out the procedures for responding to events like this, and make sure everyone understands why they exist. Your employees (or your clients) need to be taught how attacks like this happen: people asking seemingly innocent questions to build up the bigger picture and gain access to an account.

All people affected by these security policies must agree to them and understand that if they want a password reset for their email accounts, they will need to prove their identity. The security policy must be specific and should address issues such as:

  • Requiring users to use password protected screensavers or log their computers off when they are away from them.
  • Having procedures in place for when someone does ask for password details or a password reset.
  • Policies regarding the destruction of data, such as paperwork containing sensitive information like passwords. Someone malicious could go through the business’s trash and obtain the sensitive information that way.
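The first policy item above (a password-protected screensaver or locked session) is one you can actually check on each workstation. The following PowerShell script is an added example, not code from the original article: it audits the current user’s Windows screen-saver lock settings against an assumed policy of “lock after at most 10 minutes of inactivity and require a password to resume”. The registry paths and value names are the standard Windows ones; the 600-second threshold is an assumed policy value.

```powershell
# Added example (not from the original article): audit the current user's
# screen-saver lock settings. Assumed policy: lock within 600 seconds of
# inactivity and require a password on resume.
$MaxTimeoutSeconds = 600

function Get-ScreenLockSetting {
    param([string]$Name)
    # A value set by Group Policy (Policies hive) overrides the per-user one,
    # so check the policy location first and fall back to the user's own key.
    foreach ($path in @(
        'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
        'HKCU:\Control Panel\Desktop')) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $null -ne $item.$Name) { return [string]$item.$Name }
    }
    return $null
}

function Test-ScreenLockPolicy {
    $active  = Get-ScreenLockSetting 'ScreenSaveActive'     # '1' = screen saver on
    $secure  = Get-ScreenLockSetting 'ScreenSaverIsSecure'  # '1' = password on resume
    $timeout = Get-ScreenLockSetting 'ScreenSaveTimeOut'    # idle seconds before it starts

    $findings = @()
    if ($active -ne '1') { $findings += 'Screen saver is not enabled (ScreenSaveActive != 1).' }
    if ($secure -ne '1') { $findings += 'No password required on resume (ScreenSaverIsSecure != 1).' }
    $t = 0
    if (-not [int]::TryParse([string]$timeout, [ref]$t) -or $t -le 0 -or $t -gt $MaxTimeoutSeconds) {
        $findings += "Idle timeout is '$timeout' seconds; policy requires 1..$MaxTimeoutSeconds."
    }

    [pscustomobject]@{
        User      = "$env:USERDOMAIN\$env:USERNAME"
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

$result = Test-ScreenLockPolicy
$result | Format-List
if (-not $result.Compliant) { exit 1 }   # non-zero exit lets a login script or RMM tool flag the machine
```

Run it as the logged-on user (the settings live under HKCU); a non-zero exit code means at least one finding, which is the signal a login script or monitoring tool can act on.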

Businesses spend thousands of dollars buying products to protect them from technical attacks (e.g. firewalls, hardened servers) but rarely think about the human factor. Establishing a clear security policy and making employees aware of social engineering is a great step towards preventing social engineering attacks on your business or your clients.
