Organisations are failing to protect themselves against
"social engineering" attacks that can bypass the most sophisticated
IT security systems, delegates at the WebSec Conference 2006 heard
last week.
Although there is evidence to suggest that organised hacking
groups are supplementing technology-driven approaches with attempts
to trick IT staff into divulging information that compromises the
security of firms' networks, few organisations are taking steps to
prevent this happening.
"Organised crime looks for the best return on investment. If
using a social engineering attack costs less money or is more
likely to produce the results they are looking for, they are going
to use it. They are not worried about whether an attack is
technical or not," said Peter Wood, director of First Base
Technologies, which assesses firms' security.
Skilled hackers can use social engineering attacks to trick
employees, or IT helpdesks, into disclosing sensitive information,
including passwords and user names that can provide them with
access to corporate networks, said Wood.
"Ring up the IT helpdesk, and say you are working at home from a
laptop. Most helpdesks do not have a view of everybody in the
organisation or check who you are. We have gained access to company
networks using the names of senior IT staff many times," he
said.
Another ruse is for hackers to phone up a member of staff and
pretend to be from the IT department working on a project to
upgrade the company servers.
In 50% of cases, employees are happy to hand over their user
names and passwords to ensure they can access the system when the
new servers come online, said Wood.
Security audits regularly show that most businesses have lax
physical security, potentially allowing hackers to walk into
buildings and gain access to networks behind the firewall.
Wood has been able to access company systems by posing as an
office cleaner, walking into a building unchallenged through a back
entrance, or by arriving as a legitimate visitor, and waiting in
the building until staff leave for the evening.
In one case, Wood discovered a government organisation had
invested heavily in security by segregating staff offices behind
iron security gates. But employees held meetings with visitors in a
suite of meeting rooms outside the security cordon.
"If you go to the meeting room, walk past reception, plug in
your laptop, you can see their internal network. There are no
firewall or access controls. There are a number of vulnerabilities
you can exploit. It took us 20 minutes to get domain control of
their entire network," he said.

Hackers' tricks of the trade
- Shoulder surfing - looking over the shoulder of employees as
they type in user names and passwords.
- Memorising access codes - by watching staff type access codes
into a keypad, it is possible to memorise their hand movements and
reproduce the code.
- Checking the rubbish - employees often cannot be bothered to
walk to the shredder to dispose of sensitive documents.
- Mailouts - gather data about companies by sending a survey to
the home addresses of employees, offering a prize for completing
the survey.
- Posing as staff who are away on holiday, identified from their
voicemail or automated e-mail messages.
Source: Peter Wood, First Base Technologies