A woman calls a company help desk and says she’s forgotten her password. In a panic, she adds that if she misses the deadline on a big advertising project her boss might even fire her. The help desk worker feels sorry for her and quickly resets the password — unwittingly giving a hacker clear entrance into the corporate network.
Meanwhile, a man is behind the building loading the company’s paper recycling bins into the back of a truck. Inside the bins are lists of employee titles and phone numbers, marketing plans and the latest company financials. All free for the taking.
Hackers, and possibly even corporate competitors, are breaching companies’ network security every day. The latest survey by the Computer Security Institute and the FBI shows that 90% of the 503 companies contacted reported break-ins within the last year.
What may come as a surprise, according to industry analysts and security experts, is that not every hacker is sitting alone with his computer hacking his way into a corporate VPN or running a program to crack executives’ passwords.
Sometimes all they have to do is call up and ask.
“There’s always the technical way to break into a network but sometimes it’s easier to go through the people in the company. You just fool them into giving up their own security,” says Keith A. Rhodes, chief technologist at the U.S. General Accounting Office, which has a Congressional mandate to test the network security at 24 different government agencies and departments. “Companies train their people to be helpful, but they rarely train them to be part of the security process. We use the social connection between people, their desire to be helpful. We call it social engineering.
“It works every time,” Rhodes says, adding that he performs 10 penetration tests a year on agencies such as the IRS and the Department of Agriculture. “Very few companies are worried about this. Every one of them should be.”
Playing Off Trust
Social engineering is the human side of breaking into a corporate network. Companies with authentication processes, firewalls, VPNs and network monitoring software are still wide open to an attack if an employee unwittingly gives away key information in an email, by answering questions over the phone with someone they don’t know or even by talking about a project with coworkers at a local pub after hours.
“Incidents of social engineering are quite high, we believe,” says Paul Robertson, director of risk assessment at Herndon, Va.-based TruSecure Corp. “A significant portion of the time, people don’t even know it’s happened to them. And with the people who are good at it, their [victims] don’t even know they’ve been scammed.”
Robertson says that even for companies with great security technology in place, it’s almost always possible to penetrate them using social engineering, simply because it preys on the human impulse to be kind and helpful, and because IT executives aren’t training employees to be wary of it.
“People have been conditioned to expect certain things,” says Robertson. “If you dress in brown and stack a whole bunch of boxes in a cart, people will hold the door open for you because they think you’re the delivery guy…Sometimes you grab a pack of cigarettes and stand in the smoking area listening to their conversations. Then you just follow them right into the building.”
Guard The Perimeter
Eddie Rabinovitch, vice president of global networks and infrastructure operations at Stamford, Conn.-based Cervalis LLC, says he is definitely aware of and on alert for various types of security attacks, technical or not. Cervalis is a managed hosting and IT outsourcing company.
“We continuously have training about security in general and social engineering in particular,” says Rabinovitch. “People are out there looking for information. They’re always looking for new ways to get at that information. In many cases, you can deal with it with tools, but it always comes down to procedures and your people.”
Rabinovitch says he deals with social engineering by focusing a lot of training on his people on the perimeter — security guards, receptionists and help desk workers. For instance, he says security guards are trained to check on visitors if they go out in the smoking area to make sure they’re not handing their admittance badge over to someone else. And he adds that if someone shows up in a utility worker’s uniform, his visit is confirmed before he is allowed into the building to do any work.
Rhodes, who has focused on computer security, privacy and e-commerce in his 11 years at the GAO, says a lot of companies unwittingly put sensitive information up for grabs. Some companies list employees by title and give their phone number and email address on the corporate Web site. That allows a hacker to call an office worker and say that Sally Jones in the Denver accounting office wants you to change my user ID. Or, Rhodes says, a company may put ads in the paper for high-tech workers trained on Oracle databases or Unix servers. Those little bits of information tell hackers what kind of system they’re tackling.
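As an added example (not code from the original article, nor from the GAO), the following Python script does the same reconnaissance an attacker would do against the kind of public page Rhodes describes, and so doubles as an exposure audit for a defender: it pulls names, titles, direct phone numbers and e-mail addresses from a staff listing, infers the company’s e-mail naming convention, and flags platform hints in a job ad. The HTML sample is constructed for illustration, and the keyword list is an assumption to extend for your own environment.

```python
"""Audit a public web page for pretext material: staff names and titles,
direct lines, e-mail addresses, and job ads that reveal the platform.
Added example; SAMPLE_HTML is a constructed page, not a real site."""
import re
from html.parser import HTMLParser

# Constructed "Contact Us" page plus a careers blurb (hypothetical company).
SAMPLE_HTML = """
<html><body>
<h2>Accounting - Denver</h2>
<ul>
<li>Sally Jones, Accounting Manager - 303-555-0142 - sjones@example-corp.test</li>
<li>Tom Reyes, Accounts Payable Clerk - 303-555-0177 - treyes@example-corp.test</li>
</ul>
<h2>Careers</h2>
<p>Senior DBA wanted: 5+ years Oracle 8i on Solaris, Unix shell scripting required.</p>
</body></html>
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\b\d{3}-\d{3}-\d{4}\b")
# Assumed keyword list: terms that tell a caller which systems to name-drop.
TECH_KEYWORDS = ("oracle", "solaris", "unix", "windows nt", "cisco", "sql server")


class _TextExtractor(HTMLParser):
    """Collect visible text, one entry per text node."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        text = data.strip()
        if text:
            self.chunks.append(text)


def extract_text(html):
    parser = _TextExtractor()
    parser.feed(html)
    return parser.chunks


def infer_address_format(people):
    """Guess how addresses are built from names, so unlisted staff can be
    guessed too; returns 'unknown' if no common convention fits."""
    for person in people:
        first, _, last = person["name"].partition(" ")
        local = person["email"].split("@")[0].lower()
        if local == (first[0] + last).lower():
            return "first-initial+lastname"
        if local == f"{first}.{last}".lower():
            return "first.last"
    return "unknown"


def audit_page(html):
    """Return the pretext material an attacker could lift from the page."""
    report = {"people": [], "tech": set()}
    for line in extract_text(html):
        report["tech"].update(k for k in TECH_KEYWORDS if k in line.lower())
        email = EMAIL_RE.search(line)
        # "Name, Title - phone - email" lines hand a caller a ready-made identity.
        if email and "," in line:
            name, _, rest = line.partition(",")
            phone = PHONE_RE.search(line)
            report["people"].append({
                "name": name.strip(),
                "title": rest.split(" - ")[0].strip(),
                "phone": phone.group(0) if phone else None,
                "email": email.group(0),
            })
    report["address_format"] = infer_address_format(report["people"])
    return report


def findings(report):
    """Turn the report into one finding per exposed item."""
    out = []
    for p in report["people"]:
        out.append(f"{p['name']} ({p['title']}) listed with direct line "
                   f"{p['phone']} and {p['email']}")
    if report["address_format"] != "unknown":
        out.append(f"e-mail convention '{report['address_format']}' is "
                   "guessable for staff not listed")
    for keyword in sorted(report["tech"]):
        out.append(f"job ad reveals platform in use: {keyword}")
    return out


if __name__ == "__main__":
    for line in findings(audit_page(SAMPLE_HTML)):
        print(line)
```

Run it against a saved copy of your own contact and careers pages; every finding is a fact a caller can use to sound like an insider, and the address-format finding is the one most often overlooked, because it turns a published org chart into a complete mailing list.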
Brian Dunphy, director of analysis operations at Alexandria, Va.-based RipTech Inc., a security analysis and consulting firm, says that when they do risk assessments for their corporate customers it’s a given that if they use social engineering, they’ll be able to break in.
“It’s never been much of an effort to exploit social engineering and get in,” says Dunphy. “Companies may request that we use social engineering. We really only do it for the non-believers.”
Property of TechnologyAdvice.
© 2025 TechnologyAdvice. All Rights Reserved