
2011

Social Engineering: A Great Challenge for Organizations

The results can be applied to any company or user in the categories described, to prevent criminal hackers who use the various methods of social engineering from infiltrating computer security and gaining access to secrets.

Prepared and submitted by Shankar Adhikari, University of Southern Queensland, Sydney Campus, 19 October 2011

Table of Contents
Executive Summary
Introduction
Impact of Social Engineering Attacks in IS Organization
Methods of Attack
A. Non-Technical ways of attack
B. Technical ways of attack
Importance of Social Engineering in Risk Management
Mitigation Plan: Method of Controlling Risk from Social Engineer
A. Incident Response
B. Disaster Recovery
C. Business Continuity
Controlling and Defending Social Engineering Attack
Conclusion
Reference

Figures
Figure 1: Example of a social engineering attack (Mogull, R, 2002)
Figure 2: Spam e-mail: attacker tricks the target into installing malware by posing as a legitimate sender
Figure 3: Mitigation plan cycle

Executive Summary
Information system security planning is a vast, complex and difficult undertaking, because information systems and the way they are developed keep changing. New systems and techniques emerge every day, and each brings new security risks with it. This report analyses one of the most common information security issues of recent years, social engineering, and its impact on organizations. It describes what social engineering is and how it works. Information can be stolen from an organization in many ways; this report concentrates on the criminal mindset behind social engineering and the way social engineers interact with companies. It also sets out the methods of social engineering attack, recent trends and their impact on organizations. The methods used range from highly technical to entirely non-technical. Social engineering is increasingly a non-technical problem, because it is easier to trick people than to break into their databases and software. The report gives some general approaches to dealing with social engineering, and describes a mitigation plan (incident response plan, disaster recovery plan and business continuity plan) for handling social engineering incidents.

The major findings of this report are:
Social engineering is the attacker's use of trickery and skill to exploit the natural human tendency to trust.
Social engineers gather information from many sources, such as corporate websites, dumpster diving, Google searches and job sites.
Depending on the nature of the attack, attacks can be divided into technical and non-technical; in many cases social engineering is treated as a non-technical issue.
Common modes of attack are online (e-mail, phishing, malicious web pages, social networking, online shopping), telephone and mobile phones, physical access, waste management, personal approach and reverse social engineering.
A well-developed mitigation plan can address social engineering. Mitigation plans help to identify, respond to and recover from different social engineering attacks at each phase of a disaster, and reducing the potential effects of a social engineering disaster makes the response more effective.
Being a non-technical kind of risk, social engineering relies mainly on human interaction and on tricking people into breaking security procedures. This is why awareness, education and training are the primary defence against it.

Introduction

Today's organizations face many challenges, and information security is one of them. With the growing number of risks, organizations must address this issue and prepare for possible impact with well-planned security strategies. To plan effectively, an organization should first have risk management in place. Managing risk is one of the key responsibilities of an IS organization and its general management team (Whitman ME & Mattord HJ, 2007, p. 298). A well-developed risk management plan has risk control strategies, which include a mitigation plan. Such a plan covers policy and procedures, information security risk assessment, certification and accreditation, incident response, disaster recovery and business continuity. Threats need to be identified before the risk management plan can be assessed, so it is valuable to compile a list of the risks that might be present in the organization. There are many ways to steal information; fraud, scams, exploitation of vulnerabilities, phishing and social engineering are common sources of these threats. The information risk that is expected to grow most over the next few years is the use of social engineering. Social engineering is the most recent and a very common risk facing organizations that depend on information systems. It is the art of human hacking, at once quite complex and surprisingly simple: the art of handling people and manipulating them into performing actions or giving up confidential information. This is a critical issue for any organization and needs to be addressed.

According to Gartner Research, one of the major security risks facing large organizations over the coming years will be the increasingly sophisticated use of social engineering to bypass IT security defences (Kotadia, M 2004). Being a non-technical kind of risk, social engineering relies mainly on human interaction and on tricking people into breaking security procedures. This is why awareness, education and training are the primary defence against it. Beyond that, incidents can be reported to the relevant government department for action.

Impact of Social Engineering Attacks in IS Organization


Social engineering is the attacker's use of trickery and skill to exploit the natural human tendency to trust. The attacker's goal is to collect as much information as will allow access to confidential information and systems within the organization, or to personal data. In many cases security is all about trust, and the users and people who work in an organization are the weakest link in the security chain; the human readiness to accept someone who turns up at the office makes them easy victims (Foreground Security, 2005). Many companies and individuals now face this kind of problem and have had sensitive data stolen, not through intimidation or personal threats but by giving secrets away without realising it. One study found that both employees and non-employees commit social engineering attacks against organizations, with employees responsible for 13% and outsiders for 87% (Baker J and Lee B, 2005, p. 7). Social engineering takes many forms: phishing, pharming, staff impersonation, fake rewards, fake enquiries, lottery and jackpot scams, and industrial and governmental espionage are favoured ways of collecting personal and company secrets. The diagram below illustrates the general pattern of a social engineering attack.

Figure 1: Example of a social engineering attack (Mogull, R. 2002). Stages: 1. Gathering information; 2. Developing relationship; 3. Exploitation of relationship; 4. Execution to achieve objective

Figure 1 shows the cycle of a social engineering attack on an organization. In the first stage the attacker gathers information about the victim using various techniques. In stage 2 the attacker uses that information to develop a relationship with the individual, by phone call or any other means; this can take place over weeks or months. In stage 3 the attacker exploits the relationship, and in the fourth and final stage achieves the desired objective. Social engineering is a serious problem that poses a major security threat to organizations. In the USA alone, estimated losses from social engineering incidents were around $1.2 billion in 2003 (Business Communication Review, 2005, p. 46). Social engineering attacks grew by up to 184% in 2003-04, and the average loss per reported incident was $506,670. Banking and financial institutions such as MasterCard, Visa and Bank of America have cited their reluctance to publicize security intrusions as a way of averting a drop in customer confidence (Baker J and Lee B, 2005, p. 7).

Methods of Attack
The current trend in social engineering attacks is online: e-mail, viruses, online chat, pornographic websites, online shopping and so on. Recently the Katrina relief, Wilma relief, Brad Pitt and "I love you" e-mails have circulated on computer networks and have cost consumers millions of dollars. The Katrina relief e-mail asked recipients to donate to cyclone victims by credit card or direct deposit into individuals' accounts; the estimated loss was $4 million. Attackers have many ways of using these techniques to obtain information from businesses or organizations before the target has a chance to notice. Microsoft (2006) categorises the ways of attacking targeted people inside an organization, or individuals, as follows:
Online (e-mail, phishing, malicious web pages, social networking, online shopping)
Telephone and mobile phones (phone calls, SMS, MMS)
Physical access (USB devices, hard drives, personal documents and identity)
Waste management (paper copies and old documents thrown in bins)
Personal approach
Reverse social engineering

These can be further categorised in terms of the non-technical and technical aspects of social engineering attacks.

A. Non-Technical ways of attack
A non-technical attack is perpetrated through deception, i.e. by taking advantage of the victim's behaviour and weaknesses (Thapar, M, 2007). Friendship is one of the easiest ways of obtaining information and access to an organization; it is a good way to obtain confidential data such as firewall details and other critical information about the organization's network. The view of non-technical social engineering as an act of psychological manipulation was popularized by the hacker-turned-consultant Kevin Mitnick, who said that it is much easier to trick people into giving up a network or system password than to crack the system, and claimed that this is the most effective method in social engineering. Non-technical methods used by social engineers include:
Friendliness
Impersonation
Decoys
Commitment and consistency
Scarcity
Sympathy
Guilt
Affiliation
Authority
Trust

B. Technical ways of attack
The technical side of social engineering is largely driven by the internet, which has become a widespread and easily accessible target (Straumsheim, JH, 2010, p. 7). Companies are increasingly commercialised and dependent on computer systems that are reachable online, and the lack of physical presence gives the social engineer an advantage. Several methods are used by attackers to obtain passwords and other information:
Awards
Pop-up windows
Social networking websites
E-mail
Phishing
Network sniffing

Figure 2: Spam e-mail in which the attacker tricks the target into installing malware by posing as a legitimate sender. The red square highlights the target address, which belongs to the attacker (Straumsheim, JH, 2010, p. 10).
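The pattern in Figure 2, a message whose visible sender or link text points one way while the real address points at the attacker, can be checked mechanically. The following Python script is an added example and is not code from the original report or from any of its sources. It parses a constructed phishing-style message and flags three of the signs described above: a sender domain outside the organisation's own, a Reply-To header that diverts answers elsewhere, and a link whose anchor text names one site while its href leads to another. The organisation domain acme.example, the attacker domains acme-helpdesk.example and freemailer.example, the trusted-domain set and the registrable_domain helper are all assumptions made for the demonstration.

```python
"""Heuristic checks for spoofed e-mail of the kind shown in Figure 2.
Added example for this report; not code from the original or its sources.
The message, domains and trusted-domain set below are constructed."""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample: the display name and the link text claim to be the
# organisation "acme.example"; the real addresses belong to the attacker.
SAMPLE_EMAIL = b"""From: "IT Helpdesk" <support@it.acme-helpdesk.example>
Reply-To: collect@mail.freemailer.example
To: staff@acme.example
Subject: Password expiry - action required
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Sign in at
<a href="http://login.acme-helpdesk.example/reset">https://login.acme.example</a>
to keep your account active.</p>
</body></html>
"""

# Domains the organisation actually sends from (assumed for the example).
TRUSTED_DOMAINS = frozenset({"acme.example"})

ANCHOR_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Anchor text that itself looks like a URL or a hostname.
HOSTLIKE_RE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I | re.S)


def registrable_domain(host: str) -> str:
    """Last two DNS labels, lower-cased (it.acme.example -> acme.example).
    A crude stand-in for the Public Suffix List, adequate for this example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_message(raw: bytes, trusted=TRUSTED_DOMAINS) -> list:
    """Return a list of human-readable findings. An empty list means these
    heuristics saw nothing suspicious, not that the mail is safe."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_hdr = msg["From"]
    from_addr = from_hdr.addresses[0] if from_hdr and from_hdr.addresses else None
    if from_addr is None:
        return ["no parseable From address"]
    from_dom = registrable_domain(from_addr.domain)

    # 1. The sender domain is not one of ours, whatever the display name says.
    if from_dom not in trusted:
        findings.append(
            f'From "{from_addr.display_name}" <{from_addr.addr_spec}> '
            f"is outside trusted domains ({from_dom})")

    # 2. Reply-To silently redirects answers to a different domain.
    reply_hdr = msg["Reply-To"]
    if reply_hdr and reply_hdr.addresses:
        reply_dom = registrable_domain(reply_hdr.addresses[0].domain)
        if reply_dom != from_dom:
            findings.append(f"Reply-To goes to {reply_dom}, not to {from_dom}")

    # 3. The link text shows one host while the href points at another.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        for href, text in ANCHOR_RE.findall(html_part.get_content()):
            shown = re.sub(r"<[^>]+>", "", text).strip()
            m = HOSTLIKE_RE.match(shown)
            real_host = urlparse(href).hostname or ""
            if m and registrable_domain(m.group(1)) != registrable_domain(real_host):
                findings.append(
                    f"link text shows {m.group(1)} but points at {real_host}")
    return findings


if __name__ == "__main__":
    for line in check_message(SAMPLE_EMAIL):
        print("SUSPICIOUS:", line)
```

Run on the constructed message the script reports all three findings; on a plain-text message from a trusted domain with no Reply-To it reports none. The checks are deliberately simple: they do not replace SPF, DKIM or DMARC evaluation, and the two-label domain comparison would need the Public Suffix List before use on real mail.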

Importance of Social Engineering in Risk Management


Risk management is a continuous process, a cycle of policies and procedures that has no end. Many elements and categories of risk fall under risk management, and social engineering is one category that cannot be neglected. Being a non-technical risk, social engineering can be handled effectively in many ways. Conducting risk analysis and risk management helps companies make informed decisions about which actions are needed to ensure an acceptable level of security, and including social engineering in risk management should also inform the controls that protect critical assets against social engineering risk.

Mitigation Plan: Method of Controlling Risk from Social Engineer


Mitigation planning is a framework for companies to reduce the negative impact of future disasters on property, finances and lives. Mitigation of social engineering attacks is complex and difficult to adjust. The plan can be described as a cycle of three elements; Figure 3 illustrates how it functions within the organization. The first stage of mitigation planning for social engineering is organizing resources. The plan includes the following approaches:

Figure 3: Mitigation plan cycle. Organizing resources feeds a cycle of Incident Response, Disaster Recovery and Business Continuity

A. Incident Response
Incident response is the set of processes and procedures that anticipate, detect and mitigate the effects of an unexpected event that might compromise information assets and resources (Whitman ME & Mattord HJ 2007, p. 68). It can be further subdivided into incident response policy, incident detection and identification, and incident reaction. An incident response plan is documented to provide strong procedures for handling risks from insiders and outsiders. When a social engineering incident occurs, the incident response team is responsible for putting the plan into action (Incident Response Plan, 2004, p. 6).

B. Disaster Recovery
A disaster recovery plan is the set of plans for recovering and restoring the company's data processing functions; these plans are developed for the worst-case scenario (Courton, M, 2000, p. 2). Social engineering techniques are used by attackers and are quite successful in gathering information. To handle a social engineering disaster, the DRP team should be aware of their duties during the disaster period. The first priority is always the preservation of the most sensitive (top secret) data and systems. Then the disaster must be carefully recorded at the scene to find out how and why it occurred.

C. Business Continuity
Business continuity is the course of action taken after a disaster to ensure that critical business functions can continue even after the attack. This function is managed by the CEO of the organization. The plan is activated and monitored alongside the DR plan when the disaster is major or long term and requires complex restoration of information and information technology resources (Whitman ME & Mattord HJ 2007, p. 87). The BCP is part of the organizational strategic plan and helps reduce the operational risk from social engineers. It may be integrated with improvements to company security and risk management practices.

Controlling and Defending Social Engineering Attack


Companies can defend their systems by developing policies that create a strong security framework, with the aim of educating users and improving the overall organizational security structure. Social engineering is effective and dangerous because of the nature of the attacks. Being a non-technical type of issue, social engineering can be controlled and reduced in the following ways.

Policy in security planning
Policies are developed and controlled by top management, which plays a vital role in examining security risks and addressing critical issues. Policy drives standards in the organization, including practices, procedures and guidelines. The overall aim of such a policy is to implement processes that undermine the effects of social engineering and establish the relationship between security and order within the organization (Mogull, R, 2002, p. 68). While implementing policy, user-level management and its support are important. These policies are effective and efficient in establishing a strong security framework against social engineering.

User awareness, education and training
Knowing your enemy and knowing yourself can mean winning a hundred battles (Tzu, S, 2007, p. 102). Educating users about their own strengths and their opponent's power is a crucial part of the security strategy. User awareness also raises employees' standards and alertness. Awareness and education can be delivered through campaigns, classroom training, informal workshops, video training, posters, T-shirt designs, banners and promotional awareness messages. This helps employees recognise spam, fraudulent messages, e-mails, phone calls and websites, so that they can spot social engineering tricks. A real-life example of a person or company that has been attacked by social engineering is very useful for making employees aware.

Conclusion
Every year companies spend fortunes on the latest security tools and firewalls, yet still fail to stop attacks. Social engineering is a non-technical rather than a technical approach to gaining access to restricted information or areas. To handle the risk from social engineering attacks, an emergency management (or risk management) function should be created and should assess the potential for social engineering attacks. Many government agencies and organizational departments are developing policies that govern the proper dissemination of confidential data. Information security risk assessment, security awareness programme development, incident response programme review, education and training are the courses of action companies should take to address social engineering. This is why social engineering is so important for any organization seeking to minimise risk. Last but not least, to implement risk analysis effectively, a multi-layered framework for social engineering and its impact should be used (Straumsheim, JH, 2010, p. 7). Although technical countermeasures are important, it is essential to handle the human element of security, as in most cases employees are both the first and the only line of defence.

Reference
Whitman ME & Mattord HJ 2007, Management of information security, 2nd edn, Thomson Course Technology, Boston.
Baker J and Lee B 2005, The impact of social engineering attacks on organizations: a differentiated study, Florida Atlantic University, USA, viewed 17 October 2011, <http://itom.fau.edu/jgoo/fa05/ISM4320/SocialEng.pdf>.
Microsoft 2006, Microsoft TechNet Library Security Business Guidance: How to protect insiders from social engineering threats, viewed 17 October 2011, <http://technet.microsoft.com/en-us/library/cc875841.aspx>.
Straumsheim, JH 2010, Protecting organizations from social engineering threats, viewed 17 October 2011, <http://www.janhenrik.com/blog/2010/08/protecting-organizations-from-social-engineering-threats/>.
Granger, S 2001, Social engineering fundamentals, part I: hacker tactics, vol. 2, issue 5.
Damie, P 2002, How social engineers fool, The Hindu Business Line, viewed 18 October 2011, <http://www.thehindubusinessline.com/features/mentor/>.
Turner, T 2008, Social engineering: can organizations win the battle, East Carolina University, USA.
