Organisations are failing to protect themselves against "social engineering" attacks that can bypass the most sophisticated IT security systems, delegates at the WebSec Conference 2006 heard last week.
Although there is evidence that organised hacking groups are supplementing technology-driven attacks with attempts to trick IT staff into divulging information that compromises the security of corporate networks, few organisations are taking steps to prevent it.
"Organised crime looks for the best return on investment. If using a social engineering attack costs less money or is more likely to produce the results they are looking for, they are going to use it. They are not worried about whether an attack is technical or not," said Peter Wood, director of First Base Technologies, which assesses firms' security.
Skilled hackers can use social engineering attacks to trick employees, or IT helpdesks, into disclosing sensitive information, including passwords and user names that can provide them with access to corporate networks, said Wood.
"Ring up the IT helpdesk, and say you are working at home from a laptop. Most helpdesks do not have a view of everybody in the organisation or check who you are. We have gained access to company networks using the names of senior IT staff many times," he said.
Another ruse is for hackers to phone up a member of staff and pretend to be from the IT department working on a project to upgrade the company servers.
In 50% of cases, employees are happy to hand over their user names and passwords to ensure they can access the system when the new servers come online, said Wood.
Security audits regularly show that most businesses have lax physical security, potentially allowing hackers to walk into buildings and gain access to networks behind the firewall.
Wood has been able to access company systems by posing as an office cleaner, walking into a building unchallenged through a back entrance, or by arriving as a legitimate visitor, and waiting in the building until staff leave for the evening.
In one case, Wood discovered a government organisation had invested heavily in security by segregating staff offices behind iron security gates. But employees held meetings with visitors in a suite of meeting rooms outside the security cordon.
"If you go to the meeting room, walk past reception, plug in your laptop, you can see their internal network. There are no firewalls or access controls. There are a number of vulnerabilities you can exploit. It took us 20 minutes to get domain control of their entire network," he said.
Hackers' tricks of the trade
- Shoulder surfing - looking over the shoulder of employees as they type in user names and passwords.
- Memorising access codes - by watching staff type access codes into a keypad, it is possible to memorise their hand movements and reproduce the code.
- Checking the rubbish - employees often cannot be bothered to walk to the shredder, so sensitive documents end up in the bin, where anyone can retrieve them.
- Mailouts - gather data about companies by sending a survey to the home addresses of employees, offering a prize for completing the survey.
- Impersonating absent staff - posing as employees who are away on holiday, identified from their voicemail greetings or automated out-of-office e-mail replies.
Source: Peter Wood, First Base Technologies