Professional Documents
Culture Documents
Tim Thornburgh
Kennesaw State University Department of Computer Science and Information Systems 1000 Chastain Road, MS 1101 Kennesaw, GA 30144 +1 770-423-6005
tat6214@students.kennesaw.edu
ABSTRACT
The key to maintaining the confidentiality, integrity, and availability of an organizations information and information systems is controlling who accesses what information. This is accomplished by being able to identify the requestor, verifying the requestor is not an impostor, and ensuring that the requestor has the proper level of clearance to access a given resource. There have always been those that attempt to by-pass this security mechanism through brute force or guile. In the past, those who use guile have been called confidence men and con artists. Today, these people are called social engineers, but the tactics remain the same even if the objectives have changed.
Identification asks the question, do I know you? Authentication asks the question, are you who you say you are? And authorization asks, are you supposed to be here? If this process is subjugated or by-passed, the confidentiality of the information or information system is compromised and the integrity and availability of the system is subject to compromise as well. Those who attempt to by-pass IAA use misrepresentation of themselves and their situations as well as the emotions of their victims to accomplish their goal and are the topic of this paper.
General Terms
Management, Security, Human Factors.
Keywords
Information Security, Information Assurance, Social Engineering.
INTRODUCTION
The security of this intellectual property and the systems that contain it from unwanted access relies on a three step process identification, authentication, and authorization (IAA).
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. InfoSecCD Conference04, October 8, 2004, Kennesaw, GA, USA. Copyright 2005 ACM 1-59593-048-5/04/0010$5.00.
133
Strong emotions such as fear, empathy, or greed along with the belief that the attacker is authentic often compel the victim to make a judgement call that results in fulfilling the attackers request. Utilizing the information means that the attacker can either implement the technical attack or penetration or use the new information as research for the next SE attack. User names, network architecture, and applications that run on specific servers are a few of the more technical details that social engineers seek. More mundane information about the systems wetware (that is, the people who use the system) can also be useful to the social engineer: the names of children, spouses, and pets are often the ill-selected passwords of less security savvy computer users. Knowing when a person is away on vacation can also prove valuable.
134
can repeatedly use an individual to penetrate a system over and again for different goals. For this reason, social engineers take care not to burn their sources. That is, they remain anonymous and cover their trails as best they can to prevent detection. While the effects above pertain more to SE attacks, it bears stating that the penetration attacks resulting from the knowledge gained in a SE attack can make a serious impact. Manske offers [9]: Successful social engineering attacks give the attacker the means to bypass millions of dollars invested in technical and nontechnical [sic] protection mechanisms and consulting, completely nullifying security investment, Firewalls, secure routers, PKI, emailand security guards are all down the drain.
CONCLUSION
Social engineering, by any name, has existed in many forms throughout history and will continue to exist because it relies on human nature. Because of this, organizations and individuals alike must arm themselves with the knowledge of what information can be used, how information divulged could precipitate further attacks or actual compromise of their systems, how the attacker develops the attack, and in what forms the attack may appear. In reaction to that knowledge, policy, procedures, training, and response plans must be formulated to address both the general threat and the specific delivery methods of attack. And finally, because the threat will not abate, organizations must maintain constant vigilance through the implementation of effective awareness programs that keep security from SE at the forefront of its employees minds.
REFERENCES
[1] Mitnick, K. & Simon, W. (2002) The art of deception: Controlling the human element of security. Indianapolis, Indiana: Wiley Publishing, Inc. [2] Mitnick, K. & Simon, W. (2002) The art of deception: Controlling the human element of security. Indianapolis, Indiana: Wiley Publishing, Inc. [3] Erianger, L. (2004) The weakest link. PC Magazine, 23, 58-59. Retrieved June 13, 2004 from EBSCOhost database. [4] Granger, S. (2001, December 18) Social engineering fundamentals, part I: Hacker tactics. Retrieved June15, 2004 from http://www.securityfocus.com/infocus/1527 [5] Manske, K. (November 2000) An introduction to social engineering. Information Systems Security 9, 53-59. Retrieved June 7, 2004 from GALILEO: Computer Source database. [6] Rusch, J. (1999, June 24) The social engineering of Internet fraud. Paper presented at the 1999 Internet Societys INET99 conference. Retrieved June 6, 2004 from http://www.isoc.org/isoc/ conferences/inet/99/ proceedings/3g/3g_2.htm Rusch, J. (1999, June 24) The social engineering of Internet fraud. Paper presented at the 1999 Internet Societys INET99 conference. Retrieved June 6, 2004 from http://www.isoc.org/isoc/ conferences/inet/99/ proceedings/3g/3g_2.htm
[7]
The development of effective awareness campaigns help to jog the memory of the employees. During World War II, the United States government undertook an awareness campaign to aid in operations security. Loose Lips Sink Ships was the slogan on one of the awareness posters. While very simple, it accurately conveys the importance of not openly discussing information of a sensitive nature because of the potential disastrous results. Whitman and Mattord identify four factors for a poster campaign: vary the content of each poster and keep them current, do not make the posters overly elaborate while keeping them eye-catching, the message should be concise and easy to understand, and information on who to contact if a violation is observed [11]. Posters alone are not enough, however, bulletins or newsletters, web sites, and awareness days should also be developed to keep the members of an organization constantly informed and focused on security. Employees are at a distinct disadvantage because their exposure to SE is infrequent and without constant vigilance they may facilitate a successful attack. The social engineers, on the other hand, practice their trade daily.
[8] Mitnick, K. & Simon, W. (2002) The art of deception: Controlling the human element of security. Indianapolis, Indiana: Wiley Publishing, Inc. p. 332. [9] Manske, K. (November 2000) An introduction to social engineering. Information Systems Security 9, 53-59. Retrieved June 7, 2004 from GALILEO: Computer Source database. [10] Mitnick, K. & Simon, W. (2002) The art of deception: Controlling the human element of security. Indianapolis, Indiana: Wiley Publishing, Inc. p. 333. [11] Whitman, M. & Mattord, H. (2004). Management of information security. Boston: Thomson Course Technology.
135