
Hacking the Human

Social Engineering Techniques and Security Countermeasures

  1. 266 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About This Book

Information security is about people, yet in most organizations protection remains focused on technical countermeasures. The human element is crucial in the majority of successful attacks on systems, and attackers are rarely required to find technical vulnerabilities: hacking the human is usually sufficient. Ian Mann turns the black art of social engineering into an information security risk that can be understood, measured and managed effectively. The text highlights the main sources of risk from social engineering and draws on psychological models to explain the basis for human vulnerabilities. Chapters on vulnerability mapping, developing a range of protection systems and awareness training provide a practical and authoritative guide to the risks and countermeasures that are available. There is a singular lack of useful information for security and IT professionals regarding the human vulnerabilities that social engineering attacks tend to exploit. Ian Mann provides a rich mix of examples, applied research and practical solutions that will enable you to assess the level of risk in your organization, measure the strength of your current security and enhance your training and systemic countermeasures accordingly. If you are responsible for physical or information security, or for the protection of your business and employees from significant risk, then Hacking the Human is a must-read.


Information

Publisher: Routledge
Year: 2017
ISBN: 9781351156868
Edition: 1

SECTION 1
The Risks

CHAPTER 1
What is Social Engineering?

A quick consultation with Wikipedia gives a definition of social engineering as, ‘The practice of obtaining confidential information by manipulation of legitimate users.’ This certainly captures some of the elements. At times social engineering is used to obtain confidential information directly, although all too often the information has not been classified in any way, so the target of the attack may not even have recognized the confidential nature of what they are disclosing. On other occasions the action an attacker seeks is not designed to manipulate you into disclosing information at all. Tricking a security guard into giving access to a building doesn’t directly obtain confidential information – the objective may be to disable a facility and deny access to information.
The manipulation of legitimate users can play an important role in a social engineering attack. However, an attacker can often trick an employee into going beyond their legitimate user rights, and that is itself a route to the attack objective.
So a more appropriate definition may be:
‘To manipulate people, by deception, into giving out information, or performing an action.’
This captures the distinctive aspects of the attack, the targeting and manipulation of people, combined with its two main outcomes: direct loss of information, and the performance of some action desired by the attacker.
To identify specific improvements to your security it is vital that you can assess your vulnerabilities in a methodical way. Without this systematic approach you risk wasting investment in areas that are relatively unimportant to your overall security. If you understand the threats that your organization faces and have identified your specific human vulnerabilities, then you can target immediate improvements that offer maximum cost benefit.
Security professionals in the area of IT security have developed tried and tested methodologies for:
  • identifying risks;
  • detecting vulnerabilities;
  • obtaining new information regarding vulnerabilities;
  • developing targeted countermeasures based on risk assessments.
To give an established example: if you are responsible for the security of an Internet-facing web server, you can apply the above methodology by:
  • Identifying areas of risk through the analysis of:
    • network architecture to understand the external exposure;
    • chosen technology platform, focusing on vulnerability history;
    • specific web applications deployed, and how they are coded;
    • administration and change control systems.
  • Detecting vulnerabilities, either through penetration testing, configuration auditing or code auditing.
  • Obtaining specific information regarding existing or new vulnerabilities related to each system component through established information sharing mechanisms and system vendor releases.
  • Developing countermeasures by risk assessing new vulnerability information and available resources, such as vendor patches. This translates into:
    • a hardened web server that can withstand attack; and,
    • a protected web server, shielded from attacks.
Not 100 per cent secure, but secure enough: this is the basic principle of risk management.
The above accounts for the day-to-day work of thousands of security administrators around the world, supported by numerous available tools and consulting services.
Working with our clients, we show that a similar methodology can, and should, be applied to social engineering risk.
If you are serious about improving your security, then you must develop similar systems to understand and protect against human vulnerabilities as those currently deployed to protect your IT systems. The same methodology described for securing a web server can be applied to:
  • Identifying risks in your information security, related to human vulnerabilities, through analysis of your systems; covered in the early chapters of this book.
  • Detecting human vulnerabilities, through systematic testing. The established methodologies we use at ECSC are discussed in the later chapters.
  • Sharing information to understand the human weaknesses that attackers can, and do, exploit. The main purpose of this book, and the subject of the majority of its content.
  • Developing your countermeasures to give you:
    • resilient people, who are more likely to detect and counter an attack; and,
    • effective systemic improvements to reduce your reliance on people and their weaknesses.
As with our web server example, this will not make you 100 per cent secure. However, it is likely to be a great improvement on your current position.
With many attackers directing their efforts at obviously vulnerable systems, making your systems more secure than the majority under attack can be good enough. There are times when you may be targeted for other reasons, and your defences will need to be much stronger in these cases.
Unfortunately, humans are not as easy to secure as a web server. Fundamentally, however complex, with the right expertise an IT system can be understood. Human behaviour is much more complex. We have all been ‘programmed’ in infinitely complex ways, and therefore will react differently to the attackers’ input. However, there are many human traits that can be modelled to increase our understanding and help predict their behaviour when under social engineering attack.
Fraudsters, hackers and tricksters understand this. They use knowledge of human weaknesses to guide them in designing new and more complex attacks. Because the success of these attacks is not guaranteed, they have traditionally carried a high degree of risk for the attacker. You can imagine the life of an old-fashioned con artist and the risk of being caught. However, the advent of the Internet, and the range of modern communication technologies, can give the social engineer the ultimate protection – distance and anonymity.
Let’s take, for example, the ‘phishing’ attack we mentioned earlier; a relatively simple way of exploiting the average online banking customer’s lack of security awareness and the banks’ fundamentally weak systems, to steal your online identity. The attacker sends a fake email with a compelling reason for you to respond and links you to a realistic looking website where you log in and divulge your security details in the process.
Not only is the attack conducted from a distance (invariably from a previously hacked computer in a different country to the true attacker), it targets thousands of users simultaneously. The sheer volume of the attack means it doesn’t even have to be very effective to reap significant rewards.
If a criminal attempts a face-to-face social engineering attack, they need to be either very good, or have a workable ‘get out of jail free card’ – we will discuss this in more depth when we look at testing methodologies. With a volume attack, such as deployed with phishing, you don’t need to be very good to get a handsome return. Imagine, for example, you send 1 000 000 emails and only 5 per cent use the online bank you are targeting, and only 0.1 per cent fall for the scam. If you find £1 000 in each account compromised then you have just made £50 000, and that is with only 1 in 1 000 falling for the con.
The ease of such attacks explains why many attacks are not very well written; the early examples had numerous, simple mistakes in spelling and grammar. However, they worked to some degree and were therefore good enough for the attacker. We are now seeing more sophisticated attacks, with more applied psychology to improve the hit-rate, and fool even the most astute user.
Attackers now adopt more sophisticated techniques to target individuals in all organizations. Therefore we need to develop better understanding of human weaknesses and delve into the psychology of persuasion, if we are to counter them.
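The phishing mechanics described above (a mail whose visible link text names the real bank while the href goes elsewhere, or a host name built to imitate the brand) are exactly the kind of thing a systemic control can check without relying on the recipient's judgement. The following is an added example written for this section, not code from the book, from ECSC or from any bank: it assumes a constructed allow-list (examplebank.co.uk), a constructed brand label and three constructed mail bodies, and it flags link text/target mismatches and look-alike host labels.

```python
"""Spot phishing links by checking where they really point.

Added example for this section; not code from the book or from ECSC.
The allow-listed bank domain, the brand label and the sample messages
below are all constructed for the illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the registrable domain the bank genuinely uses, and the
# brand word an attacker would try to imitate.
LEGIT_DOMAINS = {"examplebank.co.uk"}
BRAND_LABELS = {"examplebank"}

# Digits commonly swapped for look-alike letters in host names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

# Public suffixes that need a third label to form a registrable domain
# (a tiny stand-in for the Public Suffix List, assumed for the example).
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk", "com.au"}


class LinkCollector(HTMLParser):
    """Collect [href, visible text] pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append([href, ""])
                self._open = True

    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._open = False


def registrable_domain(host):
    """Reduce a host name to the part a registrant actually controls."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host):
    """True if any label of the host imitates a brand label."""
    for label in host.lower().split("."):
        norm = label.translate(HOMOGLYPHS)
        for brand in BRAND_LABELS:
            if brand in norm or edit_distance(norm, brand) <= 1:
                return True
    return False


def analyse_links(html):
    """Return a list of findings for the links in an HTML mail body."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if not host:
            continue
        target = registrable_domain(host)
        # 1. The visible text names a host that differs from the real target.
        m = re.search(r"([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", text.lower())
        if m and registrable_domain(m.group(1)) != target:
            findings.append(f"mismatch: text shows {m.group(1)} but link goes to {host}")
        # 2. The real target is not ours but imitates our brand.
        if target not in LEGIT_DOMAINS and is_lookalike(host):
            findings.append(f"lookalike: {host} imitates {sorted(BRAND_LABELS)}")
    return findings


# Constructed sample mail bodies (not real messages).
SAMPLES = {
    "legit": '<p>Your statement is ready. '
             '<a href="https://secure.examplebank.co.uk/login">Log in</a></p>',
    "phish1": '<p>Unusual activity detected. Verify now: '
              '<a href="http://examp1ebank.co.uk.verify-account.net/login">'
              'https://www.examplebank.co.uk/login</a></p>',
    "phish2": '<p>Your password expires today. '
              '<a href="https://examplebank-security.com/reset">Click here</a></p>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, analyse_links(body) or "no findings")
```

The two checks deliberately target the tricks in the paragraph above rather than spelling or grammar, which the text notes attackers have already cleaned up. In production the hand-written suffix set would be replaced by the real Public Suffix List and the brand list by every domain the organization sends from; the checks themselves stay the same.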

Social Engineering Threats

Many organizations, wanting to develop an effective Information Security Management System (ISMS), have looked to the ISO 27001 standard (which grew out of BS 7799-2; its companion code of practice, BS 7799-1, became ISO 17799 and is now ISO 27002). This is a broad international standard covering many areas of security, including IT, human resources, physical security and business continuity.
One weakness of the ISO 27001 standard is that, although it is broad in its coverage of security, its recognition of social engineering is poor. With only minimal coverage of user awareness and training, it fails to direct people towards a fuller understanding of social engineering threats.
Contrary to many people’s belief, however, the standard is written on the understanding that you may well develop additional countermeasures, over and above the controls in Annex A (133 of them in the 2005 edition referred to here; later revisions renumber the clauses and shorten the list). Close examination of the mandatory clause 4.2.1 g) of that edition reveals, ‘Controls listed in Annex A are not exhaustive and additional control objectives and controls may also be selected.’
Therefore it is useful to map some social engineering threats to different areas of the standard to identify a complete picture of the risks.

Hidden Information Assets

At the very early stages of your information security risk identification, it is worth spending some time thinking about your information assets. This is especially valuable in thinking beyond the obvious paper files and electronic data. Particular focus should be given to knowledge that key people hold within their heads, as it is often the case that this information is crucial. You may identify critical IT systems that are largely undocumented and rely on the knowledge of key people who manage them, or in some cases wrote the software in the first place.
The type of information that is only held by key individuals can be difficult to secure as your control is limited. A social engineer is only one trick away from getting disclosure of this information, as physical and electronic access controls cannot be applied.
We are quite used to a narrow interpretation of assets as simply hardware and software. However, we do expect a realistic linkage to information storage and/or processing. We recently came across some rather bizarre interpretations of what information assets are, in the context of an ISO 27001 implementation. In one organization, a consultant had insisted that the projector in the client’s boardroom be included in the risk assessment. The client had rightly questioned this, as they couldn’t see its significance for their security. Risk assessments should be formulated in a way that lets senior managers understand the issues and make informed judgements.
In this case, the projector wasn’t part of an important information system (they had a spare) and it did...

Table of contents

  1. Cover
  2. Half Title
  3. Dedication
  4. Title
  5. Copyright
  6. Contents
  7. List of Figures
  8. Introduction
  9. SECTION 1: THE RISKS
  10. SECTION 2: UNDERSTANDING HUMAN VULNERABILITIES
  11. SECTION 3: COUNTERMEASURES
  12. Further Reading
  13. Index