Physical and technical security controls protect us from most attacks. However, human habit and interaction can ultimately be the weak link that causes every other security measure to fail. All security systems depend on you. Becoming aware of the human variable and its security foul-ups can aid in the defense of these systems.
Hackers steal — social engineers convince you to give them what they want. It could happen to you.
"Hackers" as portrayed in the movies are in reality few and far between. Most attacks on an individual, organization, or network are carried out with the intent of financial gain. If a hacker wants to get personal information from your PC, there are two ways he might go about it. Most people would expect this hacker to somehow break into the computer, find the files he wants, and download or copy them. A more realistic and proven method used by a Social Engineer might be to leave a flash drive lying around in a parking lot, a restaurant, on the sidewalk, or even in a business's lobby.
The Social Engineer's hope is that you would pick it up and plug it into a computer. The flash drive would have a program that would then email him the details on the PC and any network it's connected to. It looks for things like user names, passwords, and possibly even the sacred files you've just saved to the newly acquired flash drive.
He could also have a program that would send him a copy of every email sent. Emails are not very secure because they are sent in plain text. A sniffer program could easily read any content and attachments in the email, allowing them to be sent to a third party without anyone being the wiser. Social Engineers can do the same thing with a floppy, CD, DVD, and even devices such as an iPod. The solution is simple: never plug a strange drive or device into your computer.
Social Engineers exploit human flaws and habits to get the information they need. Sometimes it can be as easy as asking the person face to face, or just looking at what's out in the open. Many people like to write their passwords down and put them under their keyboard, under their mouse pad, or in the desk drawer under the plastic organizer.
So what can you do?
- Always be cautious and use common sense. If at work, follow your employer's security policies and procedures. If there are none, then create them. If at home, create rules for computer use. Sticking with well-thought-out rules, policies, and procedures will guide you into making safe decisions.
- The Social Engineer will do anything to talk the target into giving away the information needed. They gamble that you will break from the rules, policies and procedures, allowing them to do what they want with your system and your information.
- Be alert to Social Engineering. Know the ways to protect yourself and others, and understand how you can be exploited into giving away useful but seemingly useless information.
- "Burn the Source." This means to spread the word. The easiest way to stop an attack by a Social Engineer is to call them on it. Stop the interaction with them right away and let them know you won't be giving them the information requested. Also tell those around you to be on the watch for similar activity from the same individual or others. The worst thing that can happen to a Social Engineer during an attack is to learn they've been caught.
- Educate yourself and others. Like a neighborhood watch program, the more people who understand the dynamics of a threat and are aware of it, the safer everyone will be.
- Learn not only how to recognize a possible attack but how to foil it. Record everything about the interaction you had with the suspicious individual. If at work, post it for coworkers to see. If at home, notify your neighbors, friends, and family. Let the attacker know in no uncertain terms that you will not be surrendering any information they request.
For more information on Social Engineering and how to protect yourself and others, pick up the book, "The Art Of Deception – Controlling the Human Element of Security" by Kevin D. Mitnick and William L. Simon.