Think Information. Think Security.
From Wikipedia:
Social engineering is the art of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques.[1] 

While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.

"Social engineering" as an act of psychological manipulation was popularized by hacker-turned-consultant Kevin Mitnick. The term had previously been associated with the social sciences, but its usage has caught on among computer professionals.

Social Engineering exploits the cognitive biases of humans. Some of the most popular techniques are:
  • Pretexting
  • Diversion Theft
  • IVR or Phone Phishing
  • Phishing
  • Baiting
  • Quid Pro Quo
The Hacking of the IMF is about Social Engineering.

Although still unconfirmed as of this writing, an IMF staffer told the New York Times that the attack on its systems is not linked to the earlier RSA breach. Unconfirmed reports suggest that the IMF was the target of a spear phishing attack designed to plant malware inside its systems.

If so - and it's a big if - then the IMF has come under the type of attack previously faced by both a French economics ministry and its Canadian counterpart over recent months. Both the Canadian and French hacks coincided with international government leader conferences.

The IMF itself is saying little about the attack other than to confirm that it is under investigation. The motives, much less the identity of attackers, remain unclear.

David Beesley, managing director of security consultancy Network Defence, said that targeted (spear phishing) attacks of the type that might have been launched can be very tricky but not impossible to thwart.

"Spear phishing is difficult to defend against because it primarily targets users not PCs, and the information that attackers can gather from social networking sites makes the phishing emails look very convincing," Beesley said. "As we’ve seen, it makes these attacks effective against any size of organisation." (Source: IMF 'suspended' World Bank links following hack attack)

The Lockheed Martin breach is about Social Engineering.

The case of the current successful attack carried over the network of the US defense contractor tells a slightly different story about the RSA SecurID systems and its impenetrability, in particular, and about network security, in general. Although one could argue that successfully targeting a major player in the military industry and compromising the infrastructure of an organization whose purpose is actually to provide protection are the highlights in this case, I strongly believe that the focus should be elsewhere. If we dissociate the circumstances from the name of the actors involved in this troublesome situation, I believe that the focus should be on the following three aspects pertaining to computer security:

First and foremost, the RSA data heist was based on one of the simplest (yet, as we can see, most efficient) methods of unauthorized information harvesting, i.e. a combination of a targeted spam campaign and a phishing raid exploiting an Adobe Flash zero-day vulnerability. This proves – once again – that old-school cybercrime methods are still valid and productive, as long as there is a weak link to be exploited in the security chain.

Which leads us to the second important aspect in this case, i.e. the human factor. No matter how advanced a defensive system is, all you need to breach it is a refined social engineering mechanism and some gullible users. This is more than enough to circumvent spam filters or bypass a security suite, not to mention bringing an entire organization down to its knees.

Last but not least, I guess that this case clearly shows that IT&C security is never a local or individual issue. With the advent of Web 3.0, designing and implementing network and resource defense based on an insular strategy and without taking into consideration the scale of interconnectivity or, to be more specific, interdependence of safety devices and tools at work is as perilous as securing your home front door with a single lock (the key to which you decide to hide under your very own mat, in the end). (Source: What should we learn from the Lockheed Martin Attack)

Rewind: The $11K experience of Wal-Mart is about Social Engineering.

This incident happened sometime in the last quarter of last year (that's 2010).
A man called a 24-hour Wal-Mart in Ohio and explained to an associate that he was with Wal-Mart’s IT department and needed the associate to activate several gift cards, read to him the card numbers and then provide the authorization codes from the back of the cards. 

The associate willingly did so – and not until $11,000 in online fraud later, did the store realize they had been tricked. 

This is a great lesson learned to share with your employees (and third-parties).  Do your employees understand your organization’s policies on providing/protecting information in different situations? 

The Wal-Mart caller did not give the associate any reason to believe he was really from the IT department…do your employees understand authentication procedures and passwords?

The Wal-Mart caller did not explain why the IT department was making the request…would your employees be suspicious?  Would they know how and where to report the suspicious caller to the appropriate personnel?

Do your employees understand how to protect sensitive information or would they willingly provide information over the phone in the spirit of good customer service?

Do your employees participate in ongoing situational awareness training?  Are you updating your employees as new social engineering techniques, risks, and threats change?

Have your employees acknowledged their individual roles and responsibilities in case of a lawsuit or termination?

Even if your IT department has the most sophisticated and expensive technology solutions in the world, all of it can be bypassed if your employees fall for simple social engineering scams. 

Are you educating your employees on best practices for protecting information? (Source: Social Engineering: Need $11K? Ask a Wal-Mart Employee)

We can cite tons of examples of high-profile hacking by the use of Social Engineering. The point being made here is that it doesn't matter if we have the most shining and most expensive security solution to protect our organization. At the end of the day, we are still vulnerable because of humans. Humans are the weakest link in Information Security.

As Kevin Mitnick said: "You can have the best Internet security software on the planet, the most expensive forensic team, and a host of gadgets to protect you from break-ins, but all these will completely fail, as long as human error still exists. The human being, or the 'wetware', is the weakest link in the chain of security. A human being is easily fooled, deceived and can give away such valuable information."

Information Security is a Human Enterprise. It is therefore a must that we educate our users on how to protect the information at their fingertips. Information Security is never a destination. It is a continuing process and always will be.
If you think you are secure today, then think again tomorrow. You may already have an unexpected visitor.
