Access Control Fundamentals

In information security, access control is imperative to ensure confidentiality, integrity, and availability. Controlling who has access to a system and the breadth of access a user has is vital to ensure the security of systems and data on the systems. Read this article to understand the terms access control, access, subject, and resource. Note the challenges, the principles, the criteria, and the practices used in access control.

10. Access Control Threats

10.13. Social Engineering

Overview
  • Social engineering is a collection of techniques used for manipulation of the natural human tendency to trust in order to obtain information that will allow a hacker to gain unauthorized access to a valued system and the information that resides on that system.
  • Forms of a Social engineering attack
    • Physical: the workplace, the phone, your trash(dumpster diving), and even on-line
    • Psychological: Persuasion
    • Reverse Social Engineering


Common Social Engineering Attacks

  • At work Place
    • In the workplace, the hacker can simply walk in the door, like in the movies, and pretend to be a maintenance worker or consultant who has access to the organization. Then the intruder struts through the office until he or she finds a few passwords lying around and emerges from the building with ample information to exploit the network from home later that night
    • Another technique to gain authentication information is to just stand there and watch an oblivious employee type in his password.
  • On Phone/Help Desk
    • It is the most prevalent type of social engineering attack.
    • A hacker will call up and imitate someone in a position of authority or relevance and gradually pull information out of the user.
    • Help desks are particularly prone to this type of attack. Hackers are able to pretend they are calling from inside the corporation by playing tricks on the PBX or the company operator, so caller-ID is not always the best defense
    • Help desks are particularly vulnerable because they are in place specifically to help, a fact that may be exploited by people who are trying to gain illicit information
  • Dumpster Diving
    • Dumpster diving, also known as trashing, is another popular method of social engineering. A huge amount of information can be collected through company dumpsters (trash can).
    • The following items turn to be a potential security leaks in our trash:
      • company phone books which can give the hackers names and numbers of people to target and impersonate
      • organizational charts contain information about people who are in positions of authority within the organization
      • memos provide small tidbits of useful information for creating authenticity
      • company policy manuals show hackers how secure (or insecure) the company really is
      • calendars of meetings may tell attackers which employees are out of town at a particular time
      • system manuals, printouts of sensitive data, or login names and passwords may give hackers the exact keys they need to unlock the network.
      • disks and tapes can be restored to provide all sorts of useful information.
      • company letterhead and memo forms
  • Online
    • One way in which hackers can obtain online passwords is through an on-line form: they can send out some sort of sweepstakes information and ask the user to put in a name (including e-mail address – that way, she might even get that person’s corporate account password as well) and password.
    • E-mail can also be used for more direct means of gaining access to a system. For instance, mail attachments sent from someone of authenticity can carry viruses, worms, and Trojan horses
  • Persuasion
    • This a technique where the hackers themselves teach social engineering from a psychological point-of-view, emphasizing how to create the perfect psychological environment for the attack.
    • Basic methods of persuasion include impersonation, ingratiation, conformity, diffusion of responsibility, and plain old friendliness. Regardless of the method used, the main objective is to convince the person disclosing the information that the social engineer is in fact a person that they can trust with that sensitive information. The other important key is to never ask for too much information at a time but to ask for a little from each person in order to maintain the appearance of a comfortable relationship
      • Impersonation generally means creating some sort of character and playing out the role. Some common roles that may be played in impersonation attacks include: a repairman, IT support, a manager, a trusted third party, or a fellow employee
      • Conformity is a group-based behavior but can be used occasionally in the individual setting by convincing the user that everyone else has been giving the hacker the same information requested. When hackers attack in such a way as to diffuse the responsibility of the employee giving the password away, that alleviates the stress on the employee.
  • Reverse Social Engineering
    • This is when the hacker creates a persona that appears to be in a position of authority so that employees will ask him for information, rather than the other way around. If researched, planned, and executed well, reverse social engineering attacks may offer the hacker an even better chance of obtaining valuable data from the employees; however, this requires a great deal of preparation, research, and pre-hacking to pull off.


Countermeasures
  • Having proper security policies in place which addresses both physical and psychological aspects of the attack
  • Providing proper training to employees, helpdesk personnel