Social Engineering: The Human Side Of Hacking

By Sharon Gaudin

(Back to article)

A woman calls a company help desk and says she's forgotten her password. In a panic, she adds that if she misses the deadline on a big advertising project her boss might even fire her. The help desk worker feels sorry for her and quickly resets the password -- unwittingly giving a hacker clear entrance into the corporate network.

Meanwhile, a man is in back of the building loading the company's paper recycling bins into the back of a truck. Inside the bins are lists of employee titles and phone numbers, marketing plans and the latest company financials. All free for the taking.

Hackers, and possibly even corporate competitors, are breeching companies' network security every day. The latest survey by the Computer Security Institute and the FBI shows that 90% of the 503 companies contacted reported break-ins within the last year.

What may come as a surprise, according to industry analysts and security experts, is that not every hacker is sitting alone with his computer hacking his way into a corporate VPN or running a program to crack executives' passwords.

Sometimes all they have to do is call up and ask.

Security Sidebars
How To Thwart The 'Social Engineers': Security experts from both government and the private sector offer suggestions to protect your company from hackers using social engineering techniques.

The Feds' Top Hacker Speaks: Keith Rhodes, chief technologist with the U.S. General Accounting Office, discusses what companies should be doing to protect themselves, what risks are looming ahead and what exciting security technology is coming down the road.

"There's always the technical way to break into a network but sometimes it's easier to go through the people in the company. You just fool them into giving up their own security," says Keith A. Rhodes, chief technologist at the U.S. General Accounting Office, which has a Congressional mandate to test the network security at 24 different government agencies and departments. "Companies train their people to be helpful, but they rarely train them to be part of the security process. We use the social connection between people, their desire to be helpful. We call it social engineering.

"It works every time," Rhodes says, adding that he performs 10 penetration tests a year on agencies such as the IRS and the Department of Agriculture. "Very few companies are worried about this. Every one of them should be."

Playing Off Trust

Social engineering is the human side of breaking into a corporate network. Companies with authentication processes, firewalls, VPNs and network monitoring software are still wide open to an attack if an employee unwittingly gives away key information in an email, by answering questions over the phone with someone they don't know or even by talking about a project with coworkers at a local pub after hours.

"Incidents of social engineering are quite high, we believe," says Paul Robertson, director of risk assessment at Herndon, Va.-based TruSecure Corp. "A significant portion of the time, people don't even know it's happened to them. And with the people who are good at it, their [victims] don't even know they've been scammed."

Robertson says for companies with great security technology in place, it's almost always possible to penetrate them using social engineering simply because it preys on the human impulse to be kind and helpful, and because IT executives aren't training employees to wary of it.

"People have been conditioned to expect certain things," says Robertson. "If you dress in brown and stack a whole bunch of boxes in a cart, people will hold the door open for you because they think you're the delivery guy...Sometimes you grab a pack of cigarettes and stand in the smoking area listening to their conversations. Then you just follow them right into the building."

Guard The Perimeter

Eddie Rabinovitch, vice president of global networks and infrastructure operations at Stamford, Ct.-based Cervalis LLC, says he is definitely aware and on alert for various types of security attacks -- technical or not. Cervalis is a managed hosting and IT outsourcing company.

"We continuously have training about security in general and social engineering in particular," says Rabinovitch. "People are out there looking for information. They're always looking for new ways to get at that information. In many cases, you can deal with it with tools, but it always comes down to procedures and your people."

Rabinovitch says he deals with social engineering by focusing a lot of training on his people on the perimeter -- security guards, receptionists and help desk workers. For instance, he says security guards are trained to check on visitors if they go out in the smoking area to make sure they're not handing their admittance badge over to someone else. And he adds that if someone shows up in a utility worker's uniform, his visit is confirmed before he is allowed into the building to do any work.

Rhodes, who has focused on computer security, privacy and e-commerce in his 11 years at the GAO, says a lot of companies unwittingly put sensitive information up for grabs. Some companies list employees by title and give their phone number and email address on the corporate Web site. That allows a hacker to call an office worker and say Sally Jones in the Denver accounting office wants you to change my user ID. Or Rhodes says a company may put ads in the paper for high-tech workers who trained on Oracle databases or Unix servers. Those little bits of information help hackers know what kind of system they're tackling.

Brian Dunphy, director of analysis operations at Alexandria-Va.-based RipTech Inc., a security analyst and consulting firm, says when they do risk assessments for their corporate customers it's a given that if they use social engineering, they'll be able to break in.

"It's never been much of an effort to exploit social engineering and get in," says Dunphy. "Companies may request that we use social engineering. We really only do it for the non-believers."