Social Engineering

WHAT’S THAT?

Social engineering (a term coined by hackers for social manipulation) is a collection of effective physical and psychological techniques that let malicious persons exploit the human tendency to trust or help other people. It is one of the greatest ongoing information security threats.

Social and environmental engineering is done to gain unauthorized access to college information, or to network and computing resources.  Because it is so successful in giving attackers a way to bypass, through users, any electronic security controls that may be in place, various social engineering techniques are used every day.

Preventing intrusion by outside parties to college systems through the unwitting collaboration of students and employees is an important goal of information security, because once any access is attained, severe damage can be done.

In a service-oriented environment such as the college, this manipulation of trust creates a significant challenge to staff and requires that we are constantly on guard.  User awareness of various methods used to gather information is an imperative step in maintaining information security. 

Campus employees should always be thoughtful about legal requirements, such as FERPA, and college policies addressing what information may and may not be released to outside parties.

PURPOSE

The initial purpose of social engineering is to obtain a user’s password.  Any account which provides access to the Bellevue College computers or network can be used by a knowledgeable attacker in many malicious ways, the least harmful of which compromises only the account whose password is known.

Subsequent purposes of social engineering are to physically obtain desirable sensitive information or to gain access to unattended systems, thus negating the need for a password at all.

Social engineering attacks use both physical and psychological methods:

Physical methods for collecting information may include:

  • Impersonation of repairmen, IT support personnel, managers, etc., either by phone or in person.
  • Collecting and analyzing information from discarded trash (dumpster diving).
  • “Shoulder surfing”, which is watching to see employees type their passwords.
  • Searching a work area for passwords or other sensitive information that has been written down.
  • Using unattended computers that are already logged in.

Psychological methods for collecting information manipulate trust and emotion to acquire information or access.  Some of these interactions may be in person, but more likely will be over the phone or through e-mail.  Some risks include:

  • E-mail purporting to be from a campus authority, such as the Help Desk or Information Resources (IR).
  • Direct phone requests to the Help Desk for password resets for the accounts of other users.
  • Pleas or threats for information by impersonation of authority figures or support personnel.

When this type of social engineering is done by e-mail, it is often referred to as “phishing.”

SUGGESTED RESPONSES

Area of Risk:  Office trash; dumpsters

Malicious user tactic:  Dumpster diving

Strategy to combat:  Once something is left for trash, there is no expectation of privacy.

  • Reports containing confidential or sensitive data should be shredded before disposal.
  • All computer system media (floppy disks, CD-ROM disks, tape, internal or external hard drives, USB drives, etc.) should be carefully erased and disposed of properly.

Area of Risk:  Psychological

Malicious user tactic:  Impersonation; persuasion

Strategy to combat:  If you don’t know someone, check!

  • Challenge the authority or identity of persons unknown to you – ask them to identify themselves.
  • IT support personnel will always wear Bellevue College identification.

Area of Risk:  Network, e-mail, and internet usage

Malicious user tactic:  Creation and insertion of malicious software on systems to acquire passwords or other sensitive information

Strategy to combat:  User initiative and awareness

  • Appropriate password use and management.
  • Campus user caution regarding e-mail from unknown senders and e-mails with attachments.

Area of Risk:  Offices

Malicious user tactic:  Shoulder surfing; stealing sensitive documents or external hard drives; wandering through halls looking for open offices; using unattended computers that are already logged in

Strategy to combat:  User initiative and awareness

  • Don’t type passwords with anyone else present (and be courteous by not watching others typing in theirs).
  • Mark documents as confidential and require hard copies of those documents to be physically locked up.
  • Lock external hard drives and USB drives up at night.
  • Require all guests to be escorted.
  • Do not store or post passwords near computers.
  • Lock your computer whenever you step away, even for a “minute”.

Area of Risk:  Phone

Malicious user tactic:  Stealing toll-free access

Strategy to combat: 

  • Protect SCAN codes the same as passwords.

Area of Risk:  Help Desk

Malicious user tactic:  Impersonation; persuasion

Strategy to combat: 

  • Remember that the Help Desk will not ask you for your password in an e-mail or over the phone.

If you have any questions about social engineering, or are uncertain if you have been a victim of social engineering, be sure to contact the Help Desk (415.564.4357).
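The two points above that matter most for e-mail (a message claiming to be from the Help Desk or Information Resources, and any request for a password, which the Help Desk will never make by e-mail) can be turned into a simple triage check. The script below is an added example for this page, not a tool the college uses; the mail domain, the phrase lists and the two sample messages are constructed for illustration.

```python
# Added example (not the college's own tooling): triage checks for e-mail that
# claims a campus authority or asks for a password. The trusted domain, phrase
# lists and sample messages below are constructed assumptions for this example.
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "bellevuecollege.edu"   # assumption: the college's legitimate mail domain
AUTHORITY_NAMES = ("help desk", "helpdesk", "information resources", "it support")

# A request verb and "password" inside one sentence: the Help Desk never asks for one by e-mail.
PASSWORD_REQUEST = re.compile(
    r"\b(confirm|verify|send|reply with|enter|provide)\b[^.]{0,60}\bpassword\b", re.I)
# Pressure language typical of "pleas or threats"; treated as supporting evidence only.
URGENCY = re.compile(
    r"\b(immediately|within 24 hours|suspended|deactivated|urgent)\b", re.I)


def _domain(address: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze(raw_message: str) -> dict:
    """Return the sender address, a list of (kind, reason) flags and an overall verdict."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = _domain(address)
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    body = msg.get_payload()   # plain-text, single-part messages only in this example

    flags = []
    # 1. The display name borrows a campus authority, but the address is off-domain.
    if any(n in display_name.lower() for n in AUTHORITY_NAMES) and sender_domain != TRUSTED_DOMAIN:
        flags.append(("impersonation",
                      f"'{display_name}' but sender domain is '{sender_domain or 'missing'}'"))
    # 2. Replies are steered to a domain other than the one shown in From.
    if reply_domain and reply_domain != sender_domain:
        flags.append(("reply-to", f"replies go to '{reply_domain}' instead of '{sender_domain}'"))
    # 3. The message asks for a password.
    if PASSWORD_REQUEST.search(body):
        flags.append(("password-request", "asks the recipient for a password"))
    # 4. Deadline or threat language: supports the verdict but never decides it alone.
    if URGENCY.search(body):
        flags.append(("urgency", "pressures the recipient with a deadline or threat"))

    suspicious = any(kind != "urgency" for kind, _ in flags)
    return {"from": address, "flags": flags, "suspicious": suspicious}


# Constructed sample: a message impersonating the Help Desk.
SAMPLE_PHISH = """From: BC Help Desk <support@bc-helpdesk-online.example>
Reply-To: verify@mail-reset.example
To: employee@bellevuecollege.edu
Subject: Account suspended - action required

Your mailbox will be deactivated within 24 hours. Reply with your
username and password to keep your account active.
"""

# Constructed sample: a legitimate notice from the real Help Desk address.
SAMPLE_LEGIT = """From: Help Desk <helpdesk@bellevuecollege.edu>
To: employee@bellevuecollege.edu
Subject: Planned maintenance Saturday

The campus network will be unavailable Saturday from 6 to 8 a.m.
Call x4357 with questions. We will never ask for your password by e-mail.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        result = analyze(sample)
        print(result["from"], "suspicious" if result["suspicious"] else "ok")
        for kind, reason in result["flags"]:
            print("   -", kind + ":", reason)
```

Run as a script it labels the first sample suspicious (impersonation, mismatched Reply-To, password request, urgency) and the second ok. Urgency on its own is deliberately not enough for a verdict, since genuine outage notices also use deadlines; the decisive signals are the off-domain sender behind an authority name and the request for a password.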

eBay intrusion exposes personal information

Personal privacy issue

As stated on the home page for this blog, sometimes I will be writing about privacy issues, as they are intricately tied to many topics related to information security.  In fact, the whole basic idea of information security is to keep electronically-stored things private when they should stay private.

I will also sometimes talk about issues that may not be directly tied to information security at the workplace.  This is because personal security and privacy practices related to our non-work lives can have tenets or lessons that can apply directly to our work security and privacy practices.  Today is an example.

Currently, there is a lot of news about an intrusion into the network systems holding personal and private information related to eBay customers.  Because of this breach, the company is recommending that all customers change their passwords.

In fact, the eBay passwords that may have been compromised are encrypted, which will be difficult for the hackers to break (but not impossible).  However, a significant aspect of this data security breach is that the exposed user accounts may have also included unencrypted personal information, such as names, addresses, etc.

This puts many of eBay’s customers at a high risk of increased attempts to social engineer, or trick, them into providing even more private personal information.

The importance of password security and the principles of social engineering are basic information security concepts every technology user should understand, whether you are applying them to your personal life, or to your work responsibilities.

If you are an eBay customer, or a customer of PayPal, which is also owned by eBay, you should at least take the recommended precautionary step of changing those passwords.  Making this change does not guarantee that your personal information held by the company is totally secure, but it is a good first step in the wake of this incident.


Copyright law and file sharing

Just a short post today, as I try to get some links to basic information security material out to the campus.

The college has a legal obligation to provide notice annually to campus users regarding the sharing of electronic copies of copyrighted materials.  While the law (related to the federal Higher Education Opportunities Act) specifically addresses notification to students, the college policies related to copyright apply to all employees and other users of campus technology, as well.

Because of a responsibility to post this notification in a public place, an extensive Knowledge Base article is available at http://depts.bellevuecollege.edu/helpdesk/students/file-sharing/ which everyone on campus should read.

As always, if you have any information security concerns, ideas or questions, please feel free to contact me.

Purposes of this site

Information security program

In addition to providing a channel for ongoing communication regarding information security at the college through this blog, this website is also the repository for some of the documents which are part of the official information security program. 

Today a new link is posted on the top menu which allows users to see the current information security standards.  Along with college policies and procedures, these standards address how the college ensures secure interactions will take place within specific aspects of the college’s technical working environment.

The college’s information security standards are categorized as either:

  • TECHNICAL, which usually is only of interest to those IT support personnel on campus providing technical support in the specific areas addressed in the standard, or
  • GENERAL, which is of interest to all users on campus.  These standards provide guidelines regarding how the security of information must be maintained by all technology users and how campus technology may be accessed and used.

All information security standards will be numbered (generally in accordance with the domains established under ISO/IEC standard 27002, if you are interested in the tedious details).  General standards will have just a number and those that are technical in nature will be appended with a letter “T.”

As of this posting, there are no standards listed on the page yet.  All information security processes on campus are undergoing revision during the next few months, and updated versions of the standards will be posted as they are approved.

(Though they are out of date and reflect many expectations and processes that are no longer in effect, the old security standards may be accessed at: http://commons.bellevuecollege.edu/itsecurity/old-standards/)

Five Important Security Concerns for Employees

The items listed below seem to be the source of the most consistent confusion and questions, particularly with regard to individual employee responsibilities and expectations regarding information security.

All employees have expected roles in securing the valuable information available for use on campus and the technology with which we access it.  In the interest of saving some time, I am including only fairly brief bullet points regarding these five areas of particular concern; if you have further questions regarding this or any other information security topic, please feel free to contact either myself or the Help Desk (x4357).

Every Bellevue College employee should understand:

1- Login accounts and passwords providing access to Bellevue College IT resources should not be shared. 

In some cases, groups of individuals may share access to an e-mail account acting as a central unit contact resource for business purposes, but such shared e-mail accounts may never be used to log into computers or the college network.

Individuals should also never allow anyone else to use a computer into which they’ve logged-in.  This is not only a security risk for the network, it is an individual identity protection measure as well.  If someone else is logged in as you, everything they may do online appears to be your doing. 

2- Bellevue College policies require that employees secure their workstations if they leave the immediate area.

This may mean logging out and shutting down the computer in some cases, but most of the time locking the screen and requiring a password to unlock it is sufficient.

3- Electronic data is subject to the same privacy restrictions as non-electronic information and data, and requires the same protections. 

Protection of sensitive electronic data collected and used at the college is the primary purpose for implementing information security measures.   

  • Caution always needs to be used to ensure that protected college data is not unintentionally disclosed through e-mail, instant messaging, the web, blogs or podcasts.  The physical security of protected data saved to any storage media (tapes, disks, USB drives or hard drives), especially data stored on college laptop computers, is of the highest concern at all times.

4- All communications through the college network are logged (recorded in a database), and are publicly disclosable information.

This does not mean individual activities are monitored on a routine basis, but it does mean that Bellevue College has an obligation to produce all network records when legally required (either in response to a public records request, to civil litigation, or in a criminal investigation).  In the case of on-going investigations, this could include real time monitoring, as directed by the HR VP.

A significant aspect of the public nature of college electronic communication is the use of e-mail.  All e-mail is potentially disclosable in response to a legal or public disclosure request. A good rule of thumb is not to put something into an e-mail that you would be uncomfortable with being subsequently published in a newspaper. 

5- All software and technology hardware used at Bellevue College must be properly licensed and processed through Computing Services (CS) for records and auditing purposes.

  • The civil and financial liability to the college and to individuals related to using improperly licensed software is significant, as much as $100,000 for each individual incident!

In the case of college-owned technology, this requirement for keeping records includes any hardware and software, whether purchased by unit funds, college funds or professional development funds.

Personally-owned or purchased software and hardware may be installed on campus, but the same guidelines for licensing apply.  In the case of personally-owned hardware, requirements exist for testing for compatibility with the existing BC technology and network, and for proper security configuration.


These points obviously do not cover all aspects of IT security on campus, but they are perhaps the five areas most misunderstood and most easily remedied by employees.  If everyone on campus understands these issues and follows the guidelines and procedures related to them, information security on campus can be significantly increased.