SOCIAL ENGINEERING: NO PASSWORD IS SAFE

How does a hacker obtain a user's password? This question came up at an IT security seminar I recently hosted. I said the easiest way to obtain a user's password is just to ask them.

But who would tell a stranger their password? Any unsuspecting victim of social engineering. Social engineering, to you and me, means using con artist techniques to trick you into giving information or doing something you otherwise wouldn't, with the intention to commit fraud, obtain sensitive or valuable information or cause network disruption.

Social engineering exploits the weakest part of the security system - human error and trust. Whilst a firewall, antivirus software or intrusion detection software are crucial elements of IT security, they could be helpless against a social engineering attack.

A survey published by the DTI's Information Security Breaches Section highlights the continuing rise in the number of UK businesses suffering a security breach. Three quarters of all companies had at least one security incident last year. This increase, from just under half, is driven by malicious incidents.

The cost to UK industry is considerable. The average cost of a business's most serious security incident was £10,000, and businesses suffered on average one security breach per month. SMEs are most at risk: they are interesting enough to be a target for hackers, but easier prey because they lack the security controls of a large business.

One type of social engineering is simply an email which looks interesting or entertaining. People innocently open such emails, which is how the I LOVE YOU virus spread so fast. Your antivirus software is only as good as its last update. Almost all businesses have antivirus software yet half had virus infections last year.

Phishing emails are typically sent to customers to look as if they came from your company. A high street bank was recently the victim of a phishing attack. Their online banking customers received emails asking them to reactivate their account. It included a link to a website which looked exactly like the bank's sign-on page but was really a phoney website to steal user ids and passwords. The incidence of such attacks has skyrocketed this year.
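The tell-tale sign of the bank attack described above is a link whose visible text or destination does not belong to the organisation it claims to be. The following is an added example, not code from the original article or from ramsac: a small link checker that a mail gateway or awareness tool could run over an incoming HTML message. It flags links pointing at raw IP addresses, links whose host is outside an assumed allowlist of the organisation's own domains, and links whose visible text names one domain while the href points at another. The sample messages, the allowlist and all domain names are constructed placeholders.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages; all domains and addresses are placeholders.
SAMPLE_PHISH = """
<p>Dear customer, your online banking access has been suspended.
Please <a href="http://203.0.113.10/signon/">reactivate your account</a>
at <a href="http://examplebank-secure.example.net/login">www.examplebank.example</a>.</p>
"""
SAMPLE_LEGIT = """
<p>Sign in at <a href="https://www.examplebank.example/signon">www.examplebank.example</a>.</p>
"""

# Assumed allowlist of domains the organisation legitimately sends links to.
LEGIT_DOMAINS = {"examplebank.example"}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name. A crude stand-in for a public-suffix
    lookup, adequate for matching against a short internal allowlist."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_links(html, legit_domains):
    """Return a list of (href, text, reasons) for every suspicious link."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if is_ip(host):
            reasons.append("raw IP address")
        elif registrable_domain(host) not in legit_domains:
            reasons.append("host not in allowlist")
        # Visible text that looks like a domain but resolves to a different host
        # is the classic lookalike trick: the user reads one name, clicks another.
        looks_like_domain = "." in text and " " not in text
        if looks_like_domain:
            text_url = text if "://" in text else "http://" + text
            text_host = urlparse(text_url).hostname or ""
            if text_host and registrable_domain(text_host) != registrable_domain(host):
                reasons.append("link text shows a different domain from the href")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in check_links(SAMPLE_PHISH, LEGIT_DOMAINS):
        print(f"SUSPICIOUS {href!r} shown as {text!r}: {', '.join(reasons)}")
    print("legitimate message findings:", check_links(SAMPLE_LEGIT, LEGIT_DOMAINS))
```

The allowlist check is deliberately strict: any host outside the organisation's own domains is reported, so a lookalike name such as "examplebank-secure" under someone else's domain is caught even when it is not an exact impersonation. The visible-text check catches the case the article describes, where the link reads like the bank's sign-on page but leads elsewhere.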

To achieve more, hackers need to access an organisation's system. Social engineers spend time gathering information, for example by diving in rubbish bins for organisation charts, company phone books and calendars. These may not be considered sensitive enough to shred, yet a calendar could show when someone is away, presenting an opportunity to access their computer. It is often alarmingly easy for bogus visitors to enter an office as a contractor or just an "employee" who has "lost" his id badge. Once inside, there are endless possibilities to snoop, steal documents from desks and access PCs.

Social engineers also target individuals within the organisation, usually by phone. One common method is to call users, claiming to be from the help desk, and request their password to supposedly fix a non-existent problem. The user feels compelled to help and doesn't think to question the authenticity of the caller. Typically, the perpetrator puts the user at ease by sounding friendly and helpful and asking for a few pieces of simple information before working up to user id and password. A determined hacker may even cultivate an employee as a friend and glean information gradually.

The best protection against social engineering is training. This means creating a culture of security awareness. Staff need to be able to recognise the hallmarks of an attack. If an attacker fails with one person they will try another, so suspect incidents must be reported throughout the organisation. A set of security policies makes it easier for employees to refuse requests because it is against company rules.

It is important to monitor compliance to these policies. Try social engineering to acquire a username and password from an unsuspecting employee and observe whether he complies. One company which commissioned an outside agency to test security was horrified at how much information they obtained, even from supposedly high security areas. To pass security they pretended to be delivering a birthday cake.

The IT industry is working on solutions that bypass user error. Some organisations already issue their users with a smart card that stores a unique user key and cryptography-based identification. A physical device is much more difficult for a hacker to obtain.
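The reason a device-held key resists the "help desk" phone call is that the key never has to be spoken, typed or sent: the card proves it holds the key by answering a fresh challenge. The following is an added example, not code from the original article or from ramsac, and the article does not name a specific protocol, so the HMAC challenge-response scheme, the Token and AuthServer classes and the user name "alice" are assumptions chosen to illustrate the idea. It also shows why a captured answer is useless to an eavesdropper: a replay against the next challenge fails.

```python
import hashlib
import hmac
import secrets


class Token:
    """Models the user's smart card: it holds the key and never reveals it,
    only answers challenges. (Assumed design, not a specific product.)"""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class AuthServer:
    """Verifier side: keeps a copy of each user's key from enrolment and one
    outstanding challenge per user. Each challenge is used exactly once."""

    def __init__(self):
        self._keys = {}       # user id -> key provisioned at enrolment
        self._pending = {}    # user id -> challenge awaiting a response

    def enrol(self, user: str, key: bytes) -> None:
        self._keys[user] = key

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self._pending.pop(user, None)   # consume: no second use
        if nonce is None or user not in self._keys:
            return False
        expected = hmac.new(self._keys[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    """Returns (genuine login succeeded, replayed response succeeded)."""
    key = secrets.token_bytes(32)
    server = AuthServer()
    server.enrol("alice", key)
    card = Token(key)

    # Genuine login: fresh challenge, answered by the card.
    c1 = server.challenge("alice")
    r1 = card.respond(c1)
    genuine = server.verify("alice", r1)

    # An eavesdropper who captured r1 replays it against the next challenge.
    server.challenge("alice")
    replayed = server.verify("alice", r1)
    return genuine, replayed


if __name__ == "__main__":
    genuine, replayed = demo()
    print("genuine login accepted:", genuine)     # True
    print("replayed response accepted:", replayed)  # False
```

Nothing in this exchange is worth asking a user for over the phone: the user does not know the key, and the only value that crosses the wire is a one-time answer to a challenge that is never issued again.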

Already available are biometric ID cards, and while the take-up is slow, it will not be long before we are all logging on by pressing a fingerprint reader. Certainly the more methods and layers of security we have, and the more security aware we become, the sooner social engineers will be out of business.

Ramsac Limited - Ashcombe Court - Woolsack Way - Godalming - Surrey GU71LQ - Tel 0870 756 9001 - Fax 0870 756 3001