Social Engineering hacks top threat list

February 19, 2007 at 10:20 am | Posted in Technical

It’s an IT staffer’s nightmare, and it’s knocking on the door. The top PC security threats in the past few days have been ‘social engineering’ exploits; which means they rely upon the end-user’s cooperation to open the door for an attack. The people who design these attacks have studied basic psychology, and they know how to prey upon end-users’ curiosity, credulity, or polite manners to gain access to your organization’s network resources, data, or money.

This week’s news reveals an exploit in IE 7, which will permit a hacker to gain access to the host PC once the end-user has supplied the path for a specific file location. In an e-mail statement on Friday a Microsoft spokesman said: “In order to be successful, an attacker in advance would have to convince the user to enter the location of a file into an attacker’s Web page through social engineering.” Microsoft is still investigating the issue and will take “appropriate action,” the representative said.

Why are these social attacks such a nightmare for IT staff? Mostly, this is where computer science intersects with human relations, and most technical folks aren’t trained to handle that. We can’t use software to control Mary the receptionist or John the CEO when they use the Internet. If John has been duped by a site that will allow him to prepare a nice-looking chart of interest rates for corporate loans, he may be convinced to upload a copy of his company’s logo to customize the chart. Just like that, he has unwittingly opened his PC to the exploit, and if the hacked web site is running efficiently, his computer could be a zombie selling illegal copies of next week’s movies within an hour or two. John might start to wonder what is happening if his computer slows down, or when the hard drive seems to be spinning constantly, but even if he realizes he has been duped, he may be ashamed, and therefore reluctant to admit his mistake to the IT staff. The IT department might notice this hack if the traffic patterns on the network change; but some of the newer, more sophisticated exploits are designed to use a trickle of bandwidth.

Meanwhile, at home, John’s Anime-loving teenager is very excited to download a nice screensaver with some vintage Trigun images. Unfortunately, hackers have no qualms about using copyrighted images to dupe kids, so along with images of Vash the Stampede, she downloads a pack of backdoors and the home network immediately becomes compromised. This wouldn’t be such a problem, except that John and his wife’s laptop computers both connect to the home network, behind the house’s firewall. John and his wife may or may not have the necessary skills to detect the problem and prevent its spread to their company laptops.

Both Microsoft and Mozilla, the maker of Firefox, are looking for solutions to the security holes social engineering hackers are exploiting this week, but in the meantime, it’s important that users are informed of the risks and practice the new brand of safe computing. Most importantly, your company’s security policies must be codified, and must also be updated quickly as new risks present themselves. Someone must take the lead in adding new items to the security policy frequently, and in ensuring everyone is notified, because the hostile nature of our computing environment renders stagnant policies useless very quickly.

Here are some ideas for problems your cybersecurity policy should address:

What should staff do when confronted with an unexpected pop-up window?

What security practices should staff use when using their mobile devices outside the office?

Ensure staff know they will never be asked to give their password to another employee or system administrator.

Rules governing IM clients and file-sharing software.

Guidelines for running Windows Update, Java updates, and responding to various other update mechanisms built in to their systems.

Detailed descriptions of what users should do if they feel suspicious of a web site, phone call, or other type of contact.

Physical security measures preventing outsiders from walking into areas where computers are in use.

A plan for staff to enact the second they think their system or password may have been compromised (e.g., unplug the network cable and call Joe in IT).

A policy for checking the credentials of anyone contracted to perform work for the company, whether they are a janitorial service or a network technician.

These are just a few ideas; but the overall point is that it’s important to communicate with staff. A robust and updated security policy will increase their level of awareness, and therefore decrease the likelihood they will fall prey to a social engineering scheme.

Beyond policy, it is time for IT staff to get out of the server room and build strong relationships with their systems’ users. The hackers are many steps ahead of the good guys on the human-relations side of computer science, and IT staff need to step up their efforts to match. The time for technical staff to look down their noses at users from a position of technical superiority is long past. The new IT department needs to understand users, relate to them, and communicate with them openly. They also need to develop an excellent ‘bedside manner’ so that end-users are comfortable discussing potential social engineering threats without embarrassment. The biggest mistake an IT staffer can make at this point is to make a user feel stupid. While in the past I’d have considered that sort of thing rude, I now think it is both rude and risky, since it increases the likelihood a social engineering scam will go undetected.
