Monday, 13 August 2012



As our society becomes more dependent on information, the value of that information increases, not only to the businesses who own it, but to the criminals who wish to profit from stealing it. Social engineering security services identify the weaknesses in your organization and help prevent them from being exploited.




Recently there’s been a reported rise in the number of cyber incidents suspected to be the result of social engineering, a tactic which involves approaching an individual, either online or in person, and manipulating them into providing personal information that can be used to break into a computer network or assume someone’s identity.

Such schemes can be as brazen as tricking you into handing over a password or as seemingly harmless as asking what kind of software you use or the name of the person responsible for maintaining your computer network. Perpetrators may pose as coworkers, repair men, IT staff or other outsiders with an apparent legitimate need to know such information.
To avoid becoming a victim of a social engineering attack:
• Be suspicious of unsolicited contact from individuals seeking internal organizational data or personal information.
• Do not provide personal information or passwords over email or on the phone.
• Do not provide information about your organization.
• Pay attention to website URLs that use a variation in spelling or a different domain (e.g., .com vs. .net).
• Verify a request's authenticity by contacting the company directly.
• Install and maintain anti-virus software, firewalls, and email filters.
If you think you are a victim of a social engineering attack:
• Report the incident immediately.
• Contact your financial institution and monitor your account activity.
• Immediately change all of your passwords.
• Report the attack to the police, and file a report with the Federal Trade Commission (http://ftc.gov) and US-CERT (http://www.us-cert.gov/).

Social engineering security is a term that describes the non-technical intrusion into your business environment that relies on human interaction, often involving tricking people in order to break normal security policies. Similar to traditional "con games" where one person is duped because they are naturally trusting, social engineers will use any technique to gain unauthorized information. Social engineering security techniques include everything from phone calls with urgent requests to people with administrative privileges to viruses lurking behind email messages that attempt to lure the user into opening the attachments.
The results of a recent SearchSecurity.com news poll indicate that:
• 34% of the respondents fear manipulative email attachments;
• 33% worry about weak passwords;
• 23% dread phone scams;
• 10% are concerned about dumpster diving.

 


The following are a few of the techniques attackers use to exploit users and gain access to your systems.
1. Impersonating staff: This is the art of inventing a scenario to persuade a target to release information or perform an action, and it is usually done through email or telephone. The most powerful and dangerous trick for gaining physical access to a system is to pretend to be someone from inside the company. Users have given their passwords to a "stranger" on the phone who claimed to be a member of the IT staff. This is especially true if the caller implies that their account may be disabled and that they might not be able to get important e-mail or access needed network shares if they don't cooperate. It is the most time-consuming attack, as it requires research about the target to establish legitimacy in the target's mind.


2. Playing on users' sympathy: The social engineer may pretend to be a worker from outside, perhaps from the phone company or the company's Internet service provider. People naturally want to help a person who is in trouble.


3. Intimidation tactics: Social engineers may need to turn to stronger stuff: intimidation. In this case, the social engineer pretends to be someone important -- a big boss from headquarters, a top client of the company, an inspector from the government, or someone else who can strike fear into the heart of regular employees. He or she comes storming in, or calls the victim up, already yelling and angry. They may threaten to fire the employee if they don't get the information they want.


4. Hoaxing: A hoax is an attempt to trick people into believing that something false is real. It may also lead to sudden decisions being taken out of fear of an untoward incident.


5. Creating confusion: Another ploy involves first creating a problem and then taking advantage of it. It can be as simple as setting off a fire alarm so that everyone vacates the area quickly without locking their computers. Social engineers can then use a logged-on session to do their dirty work.


6. Dumpster diving: Someone in the company throws away junk mail or routine company correspondence without shredding it. If the mail contained personal information or credit card offers, a dumpster diver could use it to carry out identity theft. Dumpster divers also search for information such as the company organization chart and who reports to whom, especially management-level employees who can be impersonated to obtain important details. Information gathered by dumpster diving can be used in an impersonation attack.


7. Reverse social engineering: An even sneakier method of social engineering occurs when a social engineer gets others to ask him or her questions instead of questioning them. These social engineers usually have to do a lot of planning to pull it off, placing themselves in a position of seeming authority or expertise.


8. Mail: The use of an interesting subject line triggers an emotion that leads to accidental participation from the target. There are two common forms. The first involves malicious code; this code is usually hidden within a file attached to an email. The intention is that an unsuspecting user will click or open the file; examples are the 'I Love You' virus and the 'Anna Kournikova' worm.


9. Vishing: A phishing technique that has received substantial publicity of late is "vishing," or voice phishing. Vishing can work in two different ways. In one version of the scam, the consumer receives an e-mail designed in the same way as a phishing e-mail, usually indicating that there is a problem with the account. Instead of providing a fraudulent link to click on, the e-mail provides a customer service number that the client must call, where they are then prompted to "log in" using account numbers and passwords. The other version of the scam is to call consumers directly and tell them that they must call the fraudulent customer service number immediately in order to protect their account. Vishing criminals may also establish a false sense of security in the consumer by "confirming" personal information that they have on file, such as a full name, address or credit card number. Vishing actually emulates a typical bank protocol in which banks encourage clients to call and authenticate information.