Social Engineering 101

1/6/2011

Social engineering is the act of manipulating people to release confidential information that could later be used in a malicious manner. It can be a devastating security threat to any organization, especially to a financial institution. Banks spend thousands of dollars to secure their networks, servers, and workstations; however, all too often humans are the weakest link.

Below is a fictitious, yet highly probable, phone conversation between a Teller and a Chief Information Officer:

CIO: “No, we don’t have anyone that works at the Bank with that name…”

Teller: “Oh no, I just gave out my password for the network and core system to perform wires, what should I do?”

CIO: “It sounds like a hacker social engineered you. We need to reset your passwords immediately.”

One of the most well-known hackers, Kevin Mitnick, realized that with simple techniques he could get an employee to trust him and persuade that user to give out their password. These types of malicious users can be charming, personable, and put you at ease in order to gain access to computer systems. A hacker will also perform other tasks in the social engineering scheme to make you feel as though you were talking with your best friend. Whether the contact is by telephone, e-mail, or an in-person conversation, a malicious user performing a social engineering attack will gather various pieces of information. Alone, these pieces of information may seem harmless, but once the hacker has several pieces of the puzzle, he can gain even more access and cause even more damage.

Several sources exist for a hacker to make a social engineering scheme appear legitimate. A simple dumpster dive through the Bank’s public trash receptacle could give away phone numbers, names, and other confidential information to a hacker. Bank employees need to ensure that documents are always shredded and disposed of properly. An unshredded phone list with employee names, titles, and e-mail addresses would be a great start for a hacker. This information is often also available on a Bank’s website, through LinkedIn, or even Facebook. In addition, an employee’s e-mail address might also be the username used to log in to the network. At this point a hacker has quite a bit of information that could be used against the Bank.

Although social engineering against a Bank sounds intimidating, several steps can be taken to reduce the chance of a security breach. Employee training, various policies, and management enforcement can drastically reduce the likelihood of a successful social engineering attack. Bank employees should be informed that under no circumstances should they ever give out a password. Accordingly, the Bank should have an updated Password Policy defining the frequency of password changes and the required password complexity. Annual auditing of these two areas can verify that management is enforcing them. Through these subjects and other related IT Security concerns, a layered security approach can thwart a hacker’s attempt to breach a system. Overall, one of the most important aspects for the Bank is the confidentiality, integrity, and availability of data for employees and customers.