Tuesday, October 27, 2009

SANS - Social Engineering Computer Attacks

SANS has a timely diary entry on their Internet Storm Center page entitled Social Engineering in Real-World Computer Attacks in which they posit the following:

Why bother breaking down the door if you can simply ask to be let in? Social engineering works, both during penetration testing and as part of real-world attacks. This note explores how attackers are using social engineering to compromise computer defenses.

For all the millions spent on hardening systems and networks, there's always someone volunteering to open the door to allow attackers inside. Defense-in-depth as a strategy only works if the control mechanisms are left in place and not circumvented.

Would you install an alarm system in your house and write the passcode on the outside wall? Or would you give the code to someone who called or emailed you, claiming to be from the alarm company demanding that you validate your code for them or they would cut off your access?

Most people would answer "no" to those two questions, but history has shown that there's a real problem with people responding to phishing and vishing schemes and giving out their credentials willy-nilly. Look at some of the examples pointed out by SANS:
  • Bogus parking violation notices on cars directing people to visit a web site to resolve that turns out to be a malicious site
  • Voicemails left for customers to "call back" and verify their banking information
  • People plugging in USB drives or CDs left in public places or sent via the mail or post
Firms that have your credentials should never be asking you to validate your credentials. Your bank doesn't need your account number, PIN, mother's maiden name, or answer to your secret question, because your bank already has that information.

Remember how your mom told you not to pick things up off of the ground and eat them because she didn't know where it came from? Yes? Then why would you pick up a USB drive or CD and stick it in your computer?

Never, ever give out information or data based on a phone call, message, or email you've received. Always contact firms and companies, such as banks, credit card companies, retailers, etc., using the contact information in your statements or using the "Contact Us" information that's posted on their official web site, which does not include following links that come via email or text messages.

There's an popular adage that you can't cure stupid. When it comes to computer attacks, the level of sophistication is increasing exponentially, so it's no longer a question of being smart. Attackers are targeting human nature, and that's a difficult challenge to overcome.

Image via Wikimedia Commons


No comments:

Post a Comment

Please tell me what you think.