Old-fashioned hacker deceit

Information assurance isn't always a technology issue.

Information assurance isn't always a technology issue. Of course the types of attacks we're most familiar with and best prepared to defend against range from password cracking to van Eck radiation intercepts, in which eavesdroppers tap the electronic emanations from a computer to steal data.

But hackers use all sorts of methods to gain entry to systems and networks or to obtain information that makes getting in easier. One powerful tool they use is good old-fashioned fraud, or what the hacker community calls "social engineering."

It can be quite simple and very low-tech. For example, a hacker can call the computer department help desk created to assist users who are having problems with the network, including (often) users who are having trouble accessing the network because of forgotten passwords, misplaced tokens or misunderstood protocols.

The hacker says something like, "I can't log in today for some reason. Can you help me?" The help-desk worker does what he or she was trained to do — help. I know of one case in which a persuasive hacker was given a user ID and password via the phone, and the help-desk worker sent an overnight mail package to the hacker with the software needed to gain access.

Another type of attack has the hacker calling an employee and saying something similar to this: "This is the security department. I'm sorry, but your password has been compromised. Get a pencil and I'll give you the new password we want you to change to immediately." Surprisingly, many users will change their password as directed.

Social engineering attacks may take place over long periods of time, not just a few phone calls. One hacker developed a phone friendship with an employee of a target company that lasted for more than three years. The unwitting employee provided informal access to a great deal of information that the hacker could use to mount a successful attack.

Other social engineering attacks involve hackers posing as students doing research or candidates seeking jobs.

In some cases, the hacker actually takes a job. Once inside the office, the attacker may abuse the network access privileges or use information gathered from within the organization to mount an attack from outside of it.

The countermeasure for social engineering is a combination of an identification and authentication process together with education and training. Help-desk and systems operations personnel must be taught how social engineering attacks work and be given a way to authenticate employees asking for assistance.

Employees throughout an organization should be taught to recognize and report suspicious activities. A well-designed information security training and awareness program for employees at all levels is one of the cheapest and most effective methods available for protecting valuable information assets and systems.

—Ryan is an attorney, businessman and member of the George Washington University faculty.
