HUMAN BASED SOCIAL ENGINEERING
I. Introduction and Concept
Nowadays, information is one of an organization's most important assets, and it can be accessed easily. The fast development of IT makes it easy for unauthorized people to access important information; this is called information theft. There are two ways in which unauthorized people access information: by technical methods (hacking) and by a social approach. The social approach to information theft is discussed here. Social engineering is essentially the art of gaining access to buildings, systems or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques. For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password. There are two types of social engineering:
1. Human based social engineering refers to person-to-person interactions to retrieve the desired information.
2. Computer based social engineering refers to using computer software that attempts to retrieve the desired information.
In this paper, we explain the details of human based social engineering.
II. Goals
The goals to be achieved by human based social engineering are:
a. Gaining access without technical hacking
b. Gaining the trust of one or more people in an organization
c. Making people confident enough to give out their important information
III. Content
III.1 Human Character Targets
Fear - if employees are asked for data or information by their superiors, the police, or other law enforcement, they will usually give it instantly without hesitating;
Trust - if an individual is asked for data or information by good friends, colleagues, relatives, or a secretary, they will usually give it immediately without being suspicious;
Helpful - if someone is asked for data or information by people who are stricken, in deep sadness, victims of a disaster, or in mourning, they will usually provide the desired data or information directly without asking questions first.
III.2. Examples of Human Based Social Engineering Targets
The receptionist and / or help desk of a company. They are the entrance to the company's data, with complete information about the personnel who work in the targeted environment;
Technical support from the information technology division - particularly those serving the leadership and management of the company, because they usually hold the keys to access data and information that is important, confidential, valuable and strategic;
System administrators and computer users. They have the authority to manage passwords and the accounts of all users of the company's information technology;
Partners or vendors of the targeted company. They are the ones who provide the wide range of features and capabilities, along with the technology, that is used by all management and employees of the company;
New employees who still do not quite understand the procedures in the corporate information security standards.
III.3. Phases of Human Based Social Engineering
The phases of a human based social engineering attack are (Pete Cortez, 2011):
Research on the target company - dumpster diving, websites, employees, company tour.
Select the victim - try to identify a frustrated or disgruntled employee in the company.
Develop a relationship with the employee.
Exploit the relationship - collect sensitive account information and financial information, and discover their technologies and where they are probably vulnerable to an attack.
III.4. Types of Human Based Social Engineering
a. Impersonation
This technique seeks information from the help desk. A social engineer will often know the names of employees and ask the help desk about them. Because its duty is to assist, a help desk will easily provide the information to the social engineer.
b. Important user
A social engineer will masquerade as an important person in the company. Of course, a help desk will be obedient to superiors when asked to provide information. A social engineer may also threaten to report the employee to their supervisor. Example: a man phones the help desk, "Hello, I'm Adi, President Director. Yesterday I changed my login password but forgot that password. Could you please reset my password?"
c. Third party authorization
The social engineer may have obtained the name of someone in the organization who has the authority to grant access to information.
d. Tech support
A social engineer pretends to be someone from the infrastructure support group. He tells an employee that the system is having a problem and then asks them to log in to solve this problem.
e. In person
The social engineer may enter the building and pretend to be an employee, guest or service personnel.
f. Dumpster diving
A social engineer goes through the trash and searches for documents. Dumpster divers forage dumpsters for items such as clothing, furniture, food, and similar items in good working condition. He can get information such as phone numbers, email addresses, biographies, addresses, and more.
g. Shoulder surfing
Looking over someone's shoulder to see what they are typing. It is commonly used to obtain passwords, PINs, security codes, and similar data. Shoulder surfing is particularly effective in crowded places because it is relatively easy to observe someone as they:
fill out a form;
enter their PIN at an automated teller machine or a POS terminal;
use a telephone card at a public payphone;
enter a password at a cybercafe, a public or university library, or an airport kiosk;
enter a code for a rented locker in a public place such as a swimming pool or airport.
Public transport is a particular area of concern.
Technically, a hacker may observe the behaviour of the victim using binoculars or another vision aid, or by installing cameras in the ceiling or on a wall to observe the data entry equipment. To prevent someone from doing technical shoulder surfing, here is what we can do:
Limit others' view when we write or use a keypad to enter confidential information, by shielding it with our body or hands.
The latest automated teller machines have a sophisticated design to protect against the possibility of someone shoulder surfing: the screen is hidden from a distant viewpoint, and the only way to see it is to stand directly in front of the ATM. Security cameras are not permitted to be placed directly on top of an ATM in a way that lets the customer's data entry be observed.
When conducting transactions using a POS (Point of Sale) machine, commonly available in shops and supermarkets, shield the keypad with our body or hands while entering the PIN, and do not leave the machine lying flat where it is easy for someone to see the PIN being typed.
Do not enter your PIN, or conduct transactions in online payment and transfer applications such as internet banking, using public computer facilities such as those in cafes, public and university libraries, or airport kiosks. If forced to use one, make sure the computer being used is free of applications such as keyloggers and the like, and make sure the site visited to conduct these transactions is the correct one.
h. Tailgating
An attacker seeking entry to a restricted area secured by unattended electronic access control, e.g. an RFID card reader, simply walks in behind a person who has legitimate access. Following common courtesy, the legitimate person will usually hold the door open for the attacker. The legitimate person may fail to ask for identification for any of several reasons, or may accept an assertion that the attacker has forgotten or lost the appropriate identity token. The attacker may also fake the action of presenting an identity token.
Anti-tailgating strategies are easy to retrofit and complement most existing security systems. Use one or a combination of these 10 systems (Jenny Morton, 2011):
1. Smart cards house multiple credentials on one card.
2. Security guards can visually confirm that a badge matches the holder.
3. Turnstiles serve as a physical barrier and are good for high-volume traffic.
4. Laser sensors can detect multiple people.
5. Biometrics deter employees from sharing credentials.
6. Long-range readers can be used in parking lots and garages.
7. PIN numbers can be added to card readers.
8. Camera analytics enable remote facial recognition.
9. Visitor badges ensure temporary guests are documented.
10. Man traps or air locks require a double set of identification.
i. Piggybacking
An authorized person provides access to people who do not have authorization. Basically, an attacker can slip in behind a legitimate employee (who is cleared for access) and gain access to a secure area that would usually be locked or need some type of biometric for entrance. Success in this form of piggybacking depends heavily on the quality of the access control mechanism (door lock, key card device, etc.) and the awareness of the legitimate user in resisting or allowing intrusion by others.
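The tailgating and piggybacking sections above both come down to one observable fact: more people pass through the door than credentials were presented. The following added example (written for this page, not code from the paper or from any access-control vendor) shows how a people-counting sensor, item 4 in the list of anti-tailgating systems, can be correlated with badge reads to raise an alert. The log format, door names, badge ids and the 10-second pairing window are assumptions made for the example.

```python
"""
Added example: flag possible tailgating or piggybacking from door-controller
logs. Not code from the paper or from any vendor; the log format, door names,
badge ids and the 10-second pairing window are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from a real controller). BADGE = credential
# read; SENSOR = people-counting sensor reporting how many bodies passed
# while the door was open.
SAMPLE_LOG = """\
2024-03-04T08:01:02 door=LOBBY-1 event=BADGE id=E1042 result=GRANTED
2024-03-04T08:01:05 door=LOBBY-1 event=SENSOR count=1
2024-03-04T08:02:30 door=LOBBY-1 event=BADGE id=E2210 result=GRANTED
2024-03-04T08:02:33 door=LOBBY-1 event=SENSOR count=2
2024-03-04T08:03:10 door=SERVER-ROOM event=BADGE id=E0007 result=DENIED
2024-03-04T08:03:14 door=SERVER-ROOM event=SENSOR count=1
2024-03-04T08:05:00 door=LOBBY-1 event=BADGE id=E3311 result=GRANTED
2024-03-04T08:05:01 door=LOBBY-1 event=BADGE id=E3390 result=GRANTED
2024-03-04T08:05:04 door=LOBBY-1 event=SENSOR count=2
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_tailgating(records, window=timedelta(seconds=10)):
    """Return one alert per SENSOR event whose body count exceeds the number
    of GRANTED badge reads at the same door within `window` before it.

    A denied read followed by a body passing is also flagged: someone got
    through a door the controller never unlocked for them (held open)."""
    alerts = []
    pending = defaultdict(list)  # door -> [(ts, badge id)] not yet matched to an opening
    for rec in sorted(records, key=lambda r: r["ts"]):
        door = rec["door"]
        if rec["event"] == "BADGE":
            if rec["result"] == "GRANTED":
                pending[door].append((rec["ts"], rec["id"]))
        elif rec["event"] == "SENSOR":
            bodies = int(rec["count"])
            # Only reads recent enough to explain this door opening count.
            recent = [bid for ts, bid in pending[door] if rec["ts"] - ts <= window]
            pending[door] = []  # each read explains at most one opening
            if bodies > len(recent):
                alerts.append({
                    "door": door,
                    "ts": rec["ts"].isoformat(),
                    "bodies": bodies,
                    "badges": recent,
                    "unbadged": bodies - len(recent),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_tailgating(parse_log(SAMPLE_LOG)):
        print(f"{alert['ts']} {alert['door']}: {alert['bodies']} bodies, "
              f"{len(alert['badges'])} badges -> {alert['unbadged']} unbadged entry")
```

On the constructed log this raises two alerts: one body entered LOBBY-1 behind badge E2210, and one body entered SERVER-ROOM after a denied read. The alert carries the badge ids that were read, so the security officer knows whom to ask about the extra person, which is the follow-up the paper's "security guards can visually confirm" control relies on.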
III.5. Prevention of Human Based Social Engineering Attacks
There are several ways to prevent human based social engineering attacks, such as:
Create a strong security policy
The organization or company provides guidance and a policy handbook for securing information that is easily understood and applied by employees, to reduce unwanted incidents. Besides that, the company should also build information security into the everyday standard operating procedures - such as a "clear table and monitor policy" - to ensure that all employees put it into practice.
Prevent physical attacks
Theoretically, good physical security seems like an easy thing, but actually preventing leaks of the company's data needs additional attention. Anyone who enters the building must have their identity card checked, without exception. Some specific documents need to be locked in a drawer or safe storage place (and the keys must not be left lying around in easily accessible places). Other documents need shredding so that they cannot be read by those who may do dumpster diving. Similarly, magnetic media must be erased so that the data contents cannot be recovered. If necessary, rubbish bins must be locked and monitored. Back inside the building, of course, all devices connected to the network (including remote systems) need to be protected with a password. A password for the screen saver is also highly recommended. Encryption programs can also be used to encrypt files on the hard drive for better security.
Employee training
The company gives training and awareness sessions to employees and related units about the importance of managing information security, through a variety of ways and tips. Employees should be trained in "how to identify the information that should be considered as confidential, and have a full understanding of their responsibility to protect confidential data". Some organizations use media such as videos, newspapers, brochures, booklets, signs, posters, coffee mugs, pencils, pens, screensavers, logon screens, notepads, desktop icons, t-shirts and stickers to deliver information and reminders to keep confidential information safe. The following table details some common infiltration techniques along with strategies to prevent them:
Vulnerable area: Telephone (help desk)
Hacker technique: Imitating someone and persuasion
Prevention strategy:
- Train employees / help desk not to give the password or other confidential information over the phone
- All employees are given a special PIN so that the help desk officer can confirm their identity

Vulnerable area: Office building entrance
Hacker technique: Unauthorized access
Prevention strategy: Strong security procedures, employee training, and the presence of security officers

Vulnerable area: Office
Hacker technique: Peeking, walking through the room looking for an open office, stealing important documents
Prevention strategy:
- Do not type in a password when another person is present (or, if unavoidable, type quickly)
- Mark important documents and lock them in a safe place

Vulnerable area: Space / table for leaving messages
Hacker technique: Insertion of a fake memo
Prevention strategy: Lock and watch the room

Vulnerable area: Machine room
Hacker technique: Trying to gain access, steal equipment, or install a wire to steal important data
Prevention strategy: Machine rooms must be locked and monitored at all times, and the detailed equipment inventory must be kept up to date

Vulnerable area: Company's telephone and intercom
Hacker technique: Stealing outbound telephone access from the company
Prevention strategy: Control the phones, track suspicious calls, refuse to transfer calls to outside lines

Vulnerable area: Dustbin
Hacker technique: Rummaging through the dustbin
Prevention strategy: Store waste in a safe and unobserved place, shred the documents containing important data, erase magnetic media

Vulnerable area: General psychology
Hacker technique: Imitating people and persuading them
Prevention strategy: Educate employees with training
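The telephone / help desk row of the table names two controls: the help desk never releases a password over the phone, and every employee holds a special PIN the help desk can use to confirm who is calling. The following added example (written for this page, not code from the paper) shows the "important user" call from III.4.b being handled under those controls. The employee directory, the PIN and phone values, the three-failure lockout and the callback step are assumptions for the example.

```python
"""
Added example: a help-desk password-reset check applying two controls from
the table (telephone / help desk row): never release a password over the
phone, and verify the caller with a pre-issued help-desk PIN. Not code from
the paper; the directory, PINs, phone numbers, lockout threshold and
callback step are assumptions for the example.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000   # assumption: slow hash so a leaked PIN store resists guessing
MAX_FAILED = 3            # assumption: lock after three bad PINs, then verify in person


def hash_pin(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


class HelpDesk:
    """Holds the employee directory and an audit trail of reset requests."""

    def __init__(self, directory):
        # directory: employee id -> {"name", "pin", "phone"} (constructed);
        # the PIN is salted and hashed at load time and never stored in clear.
        self.records = {}
        for emp_id, rec in directory.items():
            salt = os.urandom(16)
            self.records[emp_id] = {
                "name": rec["name"],
                "salt": salt,
                "pin_hash": hash_pin(rec["pin"], salt),
                "phone": rec["phone"],  # registered callback number
                "failed": 0,
            }
        self.audit = []

    def _refuse(self, emp_id, reason):
        self.audit.append({"employee": emp_id, "outcome": "REFUSED", "reason": reason})
        return {"outcome": "REFUSED", "reason": reason}

    def request_reset(self, claimed_id, pin_offered=None, phone_offered=None):
        """Decide what the help-desk officer does with an inbound reset request.

        The caller's claimed name or title is never a credential: only the
        pre-issued PIN counts, and the temporary password is delivered by
        calling back the number on file, not the one the caller gives."""
        rec = self.records.get(claimed_id)
        if rec is None:
            return self._refuse(claimed_id, "unknown employee id")
        if rec["failed"] >= MAX_FAILED:
            return self._refuse(claimed_id, "locked after repeated PIN failures; verify in person")
        if pin_offered is None:
            return self._refuse(claimed_id, "no help-desk PIN offered; title or urgency is not a credential")
        if not hmac.compare_digest(hash_pin(pin_offered, rec["salt"]), rec["pin_hash"]):
            rec["failed"] += 1
            return self._refuse(claimed_id, "help-desk PIN mismatch")
        rec["failed"] = 0
        temp_password = secrets.token_urlsafe(12)  # single-use; must be changed at first logon
        self.audit.append({"employee": claimed_id, "outcome": "RESET", "callback_to": rec["phone"]})
        return {
            "outcome": "RESET",
            "callback_to": rec["phone"],          # registered number wins
            "caller_gave": phone_offered,         # recorded, but never used for delivery
            "temporary_password": temp_password,  # spoken only on the callback
        }


# Constructed directory for the example.
DIRECTORY = {"E1001": {"name": "Adi", "pin": "4471", "phone": "+62-21-555-0100"}}


def demo():
    """The 'important user' call from III.4.b, handled with the PIN control."""
    desk = HelpDesk(DIRECTORY)
    no_pin = desk.request_reset("E1001")                        # "I'm the President Director, reset it"
    wrong = [desk.request_reset("E1001", "0000") for _ in range(MAX_FAILED)]
    locked = desk.request_reset("E1001", "4471")                # right PIN, but already locked out
    fresh = HelpDesk(DIRECTORY).request_reset("E1001", "4471", phone_offered="+62-21-555-0999")
    return no_pin, wrong, locked, fresh


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The point of the design is that nothing the caller says on the inbound call changes the outcome: a claimed title gets a refusal, a guessed PIN gets a refusal and eventually a lockout that can only be cleared in person, and even a correct PIN results in a callback to the number on file, so a caller who gives a different "current" number never hears the temporary password.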
IV. Conclusion
A social engineer with enough time, patience and tenacity will eventually exploit some weakness in the security of an enterprise. Social engineering is a serious problem. A company not only needs a good policy to shelter against it, but also security awareness programs to disseminate these policies. Such a program should not just promote policies but educate employees to be alert to the risk of social engineering methods, drawing on the attacks that have already succeeded. Because the human being is one of the weakest points in the security chain, education becomes a very important factor.
V. References
M. Guenther, "Social Engineering: Security Awareness Series", http://www.iwar.org.uk/comsec/resources/security-awareness/social-engineering-generic.pdf, 2001.
http://www.csoonline.com/article/2124681/security-awareness/social-engineering-the-basics.html
http://en.wikipedia.org/wiki/Shoulder_surfing_(computer_security)
http://www.buildings.com/article-details/articleid/13274/title/10-strategies-to-prevent-tailgating.aspx
http://en.wikipedia.org/wiki/Garbage_picking
https://www.technologyfirst.org/magazine-articles/123-april-2013/839-pete-cortez-technical-instructor-new-horizons-computer-learning-centers.html