How prevalent are social engineering attacks and what can be done to combat them

cmdLabs is headquartered in Baltimore, MD and provides digital forensics, incident response and related training both domestically and abroad. Our customers include law enforcement, Fortune 500 companies, government agencies, law firms and institutions of higher education.

In the following interview, Michael R. Kobett, Senior Technical Trainer at cmdLabs, discusses one-on-one with Info Security PG, Editor-in-Chief of Info Security Products Guide, how prevalent social engineering attacks are and what can be done to combat them.

Info Security PG: How would you define social engineering? How prevalent are social engineering attacks, do you think the number of attacks will increase and why?

Michael Kobett: Social Engineering can be defined as skillful deception; it’s a form of attack which focuses on people, not technology.  Therefore, the attacker doesn’t necessarily need a great deal of experience in IT security; he or she needs to be able to conduct research and manipulate people. 

Social Engineering attacks are very prevalent today; however, it's difficult to generate statistics on exactly how widespread they are.  This is because when an attack is executed correctly, the victim is unaware that they've been taken advantage of.  In addition, these attacks are difficult to investigate because we are dealing with human and not hardware interaction. If an attacker bypasses an organization's physical security via a technique such as "piggybacking", there will most likely be evidence of that security breach in the form of video surveillance data.  However, there are no logs or security reports to review if an attacker scours the Internet searching for information related to the victim organization such as: employee names, phone numbers or the networking equipment that is used.

I strongly believe that social engineering attacks will continue to increase due to how society is embracing the Internet.  Twenty years ago it was not assumed that everyone had an email address or even a home computer.  Now, because of advancements in technology and social networking, the number of people who are online and constantly interacting with others has increased dramatically.  Simply put, as the opportunities for communication increase, so do the opportunities for social engineering attacks.

Info Security PG: Can you give us an example of a social engineering attack?

Michael Kobett: A classic example of Social Engineering allows an attacker to obtain a valid user name and password using only a telephone and a company's internal phone list.  The victim receives a call from the attacker who is acting as a technician from the network support department.  The caller will ask a general question like "Is the network running slowly?" or "Has your computer acted strangely within the past week?". In most cases, the victim will affirm that there is a problem and will want to help solve the problem.  The attacker will then ask the victim for their login password in order to conduct tests on the network equipment.  If the attacker is convincing enough, they will acquire the user's password and will have the required credentials to access the network.

Admittedly, this is an old method of attack and many would-be victims won't be fooled.  However, hackers have found that by slightly altering the attack, they have a greater chance of achieving success.  For example, rather than asking the victim for their password, the hacker asks that the password be changed to "password" or "changeme".

In another instance the attacker may urgently call technical support using a legitimate employee's name and explain that they need to get a report to the company's Vice President but they've been locked out of their account.  They ask that their password be changed quickly so they can get the report delivered.  These examples use slightly different techniques, yet the results are the same.

Info Security PG: What can be done to combat social engineering?

Michael Kobett: There is no 100% effective process for defeating Social Engineering, but I believe that a successful defense consists of penetration testing and continual education.  Penetration tests such as physical security, phone-based attacks, suspicious email messages and dumpster diving could be performed to determine which Social Engineering attacks are effective and to what degree.  These tests can be performed with no negative effects on the organization's network.  In order for the testing to be effective and as realistic as possible, it is imperative that the vast majority of employees are unaware that the tests are being conducted.  People naturally behave differently if they know they're being monitored.  For instance, most employees will not open suspicious messages or view unauthorized web sites if they know they are being observed.

The test results can be used to create an effective and successful training program that addresses the specific attacks that were successfully completed against the organization.  They can also be used to demonstrate that the employees are susceptible to social engineering attacks, which attacks were most successful and what damage would have resulted if the attacks had been truly malicious.  Trainees will value the information they are given once they are shown that aspects of their behavior are the problem and that correcting their own behavior will help make their work environment more secure.  In order for it to be effective, the training sessions should be repeated occasionally to remind the staff of the threat and update them on new forms of attack.

Company: cmdLabs
1101 E. 33rd Street Suite B308
Baltimore, MD 21218 U.S.A.

Founded in: 2009
CEO: Terrance Maguire - Managing Partner
Public or Private: Private
Products and Services: cmdLabs provides services in the following areas:

  • Digital Forensics: Using industry standard practices and in-depth experience, we preserve and analyze digital evidence in support of litigation, incident response, and regulatory compliance. We combine forensic techniques with investigative expertise to unravel complex cases.

  • Incident Response: Information security incidents can leave an organization open to greater risk so long as the event continues. We have extensive experience investigating these incidents, and deploying response plans to halt unauthorized activity and restore IT systems to an acceptable state of trust.

  • Training: Keeping pace with digital forensics and information security is a daunting task. We can help to improve your skills and gain new ones in these and related areas.

Company's Goals: It is cmdLabs' goal to provide unmatched levels of consistency and quality in the areas of digital forensics and incident response.
