Volume 1, Issue 1
February 2002
Inside this issue...
There Are No Secrets: Social Engineering and Privacy
Unmasking Social-Engineering Attacks
Protect Against Social Engineering Attacks
For additional information contact your Gartner Sales Executive or cathy.telesco@gartner.com
There Are No Secrets: Social Engineering and Privacy
Social engineering attacks on enterprise security systems use a combination of interpersonal skills, research and technical know-how to exploit human nature to breach corporate and personal privacy.
The telephone call seemed innocent enough; someone from tech support left a message asking for your password so they could synchronize it with a new server being installed over the weekend. The call came from an internal phone extension in tech support, and the caller knew your user name and employee identification number. Little did you know that when you responded, you gave your password to a criminal who is intent on cracking your company's security system - without ever battling the corporate firewall, intrusion detection systems or other forms of electronic protection. You were duped by a skilled con artist using social engineering to exploit human nature in his pursuit of a technical target.
Malicious attackers know that the easiest way into any system is to exploit the people who use and administer it. You didn't realize the con artist had forwarded an extra phone line in tech support to an external line. You never saw him sneak in with the cleaning staff at night to configure the line and leave a few voicemail messages. You never suspected he derived your user name from your e-mail address, or your employee number from a phone list he picked out of the garbage weeks earlier. You definitely never suspected that returning his call would eventually lead to a compromise of your enterprise's entire customer database.
Social engineering, as defined in the IT security sector, involves the manipulation of people rather than technology to successfully breach an enterprise's security. Social engineering remains the single greatest security risk, despite our advances in technology, and many of the most-damaging security penetrations are the result of social engineering, not electronic "hacking" or "cracking."
Many overhyped hacking attacks are based on social engineering, such as the case of Kevin Mitnick, the New York busboy who stole the identities of famous people, and the "ILOVEYOU" virus. We examine social engineering techniques and how enterprises can limit the effectiveness of attacks.
The Art of Human Persuasion
Social engineering depends on an understanding of human behavior, and on the ability to persuade others to release information or perform actions on the attacker's behalf. Persuasion itself is an art and a science; studies show that humans have certain behavioral tendencies that are exploitable via careful manipulation. Some individuals possess a natural ability to manipulate, while others develop the skill through practice using positive (and negative) reinforcement. Social engineering attackers play on these tendencies and motivators to elicit certain responses in the target. For example:
- Fear of job loss or personal embarrassment may cause an individual to release proprietary information if he or she thinks it will prevent the unwanted result.
- Desire for prestige can be stimulated to induce bragging, often resulting in information release.
- Overworked and tired employees tend to make mistakes, and it's often possible to predict when people are more likely to be susceptible to manipulation (e.g., end of month, end of quarter or lunch hour).
A study published in Scientific American (February 2001) cites six basic tendencies of human behavior that help generate a positive response (see Figure 1).
Figure 1
Six Human Behaviors for Positive Response
| Behavior | Definition | Example |
| Reciprocation | Someone is given a "token" and feels compelled to take action in return. | You buy the wheel of cheese when given a free sample. |
| Consistency | Certain behavior patterns are consistent from person to person. | If you ask a question and wait, people will be compelled to fill the pause. |
| Social Validation | Someone is compelled to do what everyone else is doing. | Stop in the middle of a busy street and look up; people will eventually stop and do the same. |
| Liking | People tend to say yes to those they like, and also to attractive people. | Attractive models are used in advertising. |
| Authority | People tend to listen to and heed the advice of those in a position of authority. | "Four out of five doctors recommend...." |
| Scarcity | If something is in low supply, it becomes more "precious" and, therefore, more appealing. | Furbies or the Sony PlayStation 2. |
| Source: Gartner Research |
For a deeper perspective on manipulation, read any marketing or advertising textbook. It's important to understand these tendencies so that we recognize when someone is trying to prey on them maliciously.
Targets, Targets, Everywhere
Anything that stores or accesses information is vulnerable to a social engineering attack, and no person at any level of the enterprise is safe. While an old invoice or phone list may not seem dangerous in and of itself, the attacker can use this information to develop a relationship by showing "inside" knowledge as a way of gaining short-term trust. Electronic systems are subject to direct attack or probing. Learning a system name or IP address may allow an attacker to present himself or herself as a network technician, and a large amount of information on your enterprise or personnel is probably available on the Internet in public or private databases. Social engineering attackers can often gain at least limited access to enterprise systems, even if it's just by looking over someone's shoulder during an on-site visit.
Every little scrap of information is valuable to an attacker. It's important to remember that social engineering attacks are cyclical, with attackers slowly gaining information with each cycle until they reach their target. Information can be public or private, sensitive or nonsensitive, secure or nonsecure. Unfortunately, there are large amounts of information that are public, sensitive and nonsecure, such as financial data, personal data (e.g., Social Security number, mother's maiden name and driver's license number), platform details for systems and networks, and leaked secret documents.
The Social Engineering Attack Cycle
While social engineering attacks are as varied as any criminal act, a common pattern has emerged that is often recognizable and preventable (see Figure 2).
Figure 2
The Social Engineering Attack Cycle (diagram not reproduced; the four phases are described below)
Source: Gartner Research
- Information Gathering: Attackers use a variety of techniques to gather information about their targets. This can be as simple as a phone list, or as detailed as Social Security numbers, dates of birth, mothers' maiden names, system architectures or organizational structures/procedures. The gathered information will be used as a basis to build a relationship, however temporary, with someone connected to the eventual target.
- Development of Relationship: It's human nature to be somewhat trusting. Attackers exploit this tendency to develop a rapport with their targets. In some cases, this takes place in a single phone call; in others, it can span weeks or longer. By developing a relationship, attackers place themselves in a position of trust, which can then be exploited.
- Exploitation of Relationship: The attacker manipulates the target into revealing information (e.g., passwords, credit card numbers or vacation schedules) or performing an action (e.g., creating an account or reversing telephone charges) that would not normally occur. This information or action can be the end objective or can be used to stage the next attack or phase of the attack.
- Execution to Achieve Objective: The attacker executes the cycle to achieve the end objective. Often an attack can include a number of these cycles, combined with traditional cracking methods and some physical information gathering, to achieve the end objective.
A series of small, apparently unrelated successes can form the base of a more-serious attack. As in our opening example, a phone list or organization chart can reveal information most employees assume only their peers know. That information can then be used to delve deeper into the enterprise, until finally attackers convince their targets to release the information they need to compromise the enterprise's security.
Adaptive Attacks
Social engineering attacks are as numerous and varied as the people performing them. Think of any good scam, con or fraud, and there is a social engineering equivalent. Although we can't list every possibility, there are some overarching methods commonly employed:
- Playing the authority: With some knowledge, attackers can impersonate authority figures and pressure or trick human targets.
- Playing someone in need: Humans have a tendency to help others in need, such as users having difficulty accessing their accounts. With a little research, attackers can learn enough information about a real user (e.g., employee number or manager) to fool the help desk into revealing a password.
- Identity theft: This is a rising problem for individuals and enterprises. Much of the information we use to identify ourselves to the world is easily available. It's not uncommon these days for criminals to obtain enough information about you to "steal" your identity, creating new bank or credit card accounts and accessing existing accounts.
- Maintenance and support: One of the easiest ways to gain access to an enterprise is to work there. While a new professional-level employee is noticeable, few enterprises pay attention to the cleaning staff, temporary workers, phone repairmen or maintenance employees who have full access to the premises.
- Malicious software: Many of the most-prolific viruses are actually social engineering attacks, such as "Melissa" or ILOVEYOU. These viruses only work if users execute them on their system. Users are fooled into doing so by the compelling content of the e-mail, the subject line or because the assumed origin of the message is known and trusted.
- Reverse social engineering: This method involves attackers creating a reason for targets to contact them and reveal information, as shown in our opening example. Another common example is the many fraudulent e-mails on the Internet requesting credit card information for nonexistent charities.
- Research: In the information age, there's very little about ourselves or who we work for that a good researcher can't find out. Everything from personal driving and credit history to corporate financial reports, and even network topology, is at risk.
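Two of the methods in the list above arrive by e-mail and lend themselves to a mechanical check at the mail gateway, in addition to user awareness: malicious software that only runs if the recipient opens an attachment dressed up as a document or image, and reverse social engineering messages whose apparent origin is trusted but whose real sender and request are not. The following Python is an added example written for this edition, not code from the Gartner note or any product it discusses; the extension lists, the role keywords, the trusted-domain set (example.com) and the sample messages are all constructed assumptions, and the heuristics are intentionally simple.

```python
"""Gateway-side triage for e-mail-borne social engineering.

Added example. Flags (1) attachments that execute when opened but are
dressed up as documents or images, (2) senders whose display name claims
a trusted identity or a support role while the address lies outside the
trusted domains, and (3) bodies that ask the reader to hand over a secret.
Every list and sample message below is a constructed assumption."""

import re
from email.utils import parseaddr

# Assumption: extensions that run on a typical desktop when double-clicked.
EXECUTABLE_EXTS = {"exe", "vbs", "js", "jse", "wsf", "scr", "pif",
                   "bat", "cmd", "com", "hta", "lnk"}
# Assumption: harmless-looking extensions used as a decoy in front of the real one.
DECOY_EXTS = {"txt", "doc", "pdf", "jpg", "jpeg", "gif", "png", "xls", "htm", "html"}

ROLE_CLAIM = re.compile(r"\b(help ?desk|it support|tech support|administrator)\b", re.I)
SECRET_WORDS = re.compile(r"\b(password|pass ?phrase|credit card|card number|pin|social security)\b", re.I)
ASK_WORDS = re.compile(r"\b(reply|send|provide|confirm|verify)\b", re.I)


def attachment_findings(filename: str) -> list[str]:
    """Reasons a filename looks like a disguised executable."""
    findings = []
    parts = [p.strip() for p in filename.lower().rsplit(".", 2)]
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        findings.append(f"executable attachment type .{parts[-1]}")
        if len(parts) == 3 and parts[-2] in DECOY_EXTS:
            findings.append(f"decoy extension .{parts[-2]} in front of .{parts[-1]}")
    # Runs of spaces push the real extension out of view in narrow mail clients.
    if re.search(r" {8,}", filename):
        findings.append("padding spaces hide the true extension")
    return findings


def sender_findings(from_header: str, trusted_domains: set[str]) -> list[str]:
    """Reasons the From: header looks like an impersonation."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in trusted_domains:
        return []
    findings = []
    for d in trusted_domains:
        if d.split(".")[0] in name.lower():
            findings.append(f"display name {name!r} implies {d} but address is {addr!r}")
    if ROLE_CLAIM.search(name):
        findings.append(f"display name {name!r} claims a support role from outside address {addr!r}")
    return findings


def triage(msg: dict, trusted_domains: set[str]) -> list[str]:
    """Combine the checks for one message (dict with from/attachments/body)."""
    findings = sender_findings(msg.get("from", ""), trusted_domains)
    for filename in msg.get("attachments", []):
        findings += attachment_findings(filename)
    body = msg.get("body", "")
    if SECRET_WORDS.search(body) and ASK_WORDS.search(body):
        findings.append("body asks the reader to supply a secret")
    return findings


# Assumption: the enterprise owns example.com. Sample messages are constructed.
TRUSTED = {"example.com"}
SAMPLES = [
    {"from": "Tech Support <support@example.com>", "attachments": [],
     "body": "Reminder: we never ask for your password. Reset it at the portal."},
    {"from": "IT Helpdesk <helpdesk@example-mail.net>", "attachments": [],
     "body": "A new server is being synchronized this weekend. "
             "Please reply with your password and employee number."},
    {"from": "Jane Doe <jane@example.org>",
     "attachments": ["party-photos.jpg                    .scr"],
     "body": "Please check the attached photos from the party."},
    {"from": "Accounts Payable <ap@example.com>", "attachments": ["invoice-2002-02.pdf"],
     "body": "Attached is the February invoice."},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg["from"], "->", triage(msg, TRUSTED) or "clean")
```

Run as a script, it reports the second sample (an outside "IT Helpdesk" asking for a password by reply, the opening scenario moved to e-mail) and the third (a screensaver executable padded to look like a photo), and passes the two legitimate messages. Checks like these catch only the tricks they encode; a caller with a forwarded extension, as in the opening example, never touches the gateway, which is why the note treats awareness and procedure as the primary defense.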
For guidelines to follow to protect your enterprise, and yourself, against social engineering attacks, see "Protect Against Social Engineering Attacks" (TG-14-7359).
Core Topic
Security and Privacy: Individual and Corporate Privacy
Key Issue
How will enterprises evolve organizationally, architecturally and procedurally to respond to growing concerns over corporate and personal privacy?
Source: Gartner Research
Bottom Line: Malicious individuals have always known that the best way around any security system is to manipulate a human target into giving them what they want, which is what we call social engineering. It remains the single greatest security threat to enterprises. Security-aware employees, strong authentication, and effective checks and balances are the most-effective methods to defend against internal and external social engineering attacks.
Gartner's Information Security Strategies Research Note TU-14-5662, 22 October 2001.
Entire contents © 2002 by Gartner, Inc. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.