
Social Engineering

WHAT’S THAT?

Social manipulation, or “social engineering” as hackers named it, is a collection of proven physical and psychological techniques that let malicious persons exploit the human tendency to trust or help other people. Because it targets people rather than technology, it remains one of the greatest ongoing information security threats.

Social engineering, whether psychological or carried out in the physical environment, is used to gain unauthorized access to college information or to network and computing resources. Because it gives attackers a way to bypass, through users, whatever electronic security controls are in place, social engineering techniques are used every day.

Preventing outside parties from intruding into college systems through the unwitting cooperation of students and employees is an important goal of information security, because once any access is gained, severe damage can follow.

In a service-oriented environment such as the college, this manipulation of trust creates a significant challenge for staff and requires constant vigilance. User awareness of the methods used to gather information is essential to maintaining information security.

Campus employees should always be thoughtful about legal requirements, such as FERPA, and college policies addressing what information may and may not be released to outside parties.

PURPOSE

The initial purpose of social engineering is usually to obtain a user’s password. Any account that provides access to Bellevue College computers or the network can be used by a knowledgeable attacker in many malicious ways; at a minimum, the account whose password is known is compromised.

Subsequent purposes of social engineering are to physically obtain sensitive information or to gain access to unattended systems, neither of which requires a password at all.

Social engineering attacks use both physical and psychological methods:

Physical methods for collecting information may include:

  • Impersonation of repair technicians, IT support personnel, managers, etc., either by phone or in person.
  • Collecting and analyzing information from discarded trash (dumpster diving).
  • “Shoulder surfing”: watching employees as they type their passwords.
  • Searching a work area for passwords or other sensitive information that has been written down.
  • Using unattended computers that are already logged in.

Psychological methods for collecting information manipulate trust and emotion to acquire information or access. Some of these interactions may be in person, but more often they take place over the phone or through e-mail. Risks include:

  • E-mail purporting to be from a campus authority, such as the Help Desk or Information Resources (IR).
  • Direct phone requests to the Help Desk for password resets on other users’ accounts.
  • Pleas or threats for information from someone impersonating an authority figure or support personnel.

When this type of social engineering is done by e-mail, it is often referred to as “phishing.”

SUGGESTED RESPONSES

Area of Risk:   Office trash; dumpsters

Malicious user Tactic: Dumpster diving

Strategy to combat: Once something is left for trash, there is no expectation of privacy.

  • Reports containing confidential or sensitive data should be shredded before disposal.
  • All computer media (floppy disks, CD-ROMs, tapes, internal or external hard drives, USB drives, etc.) should be securely wiped, or physically destroyed where wiping is not possible, and then disposed of properly.

Area of Risk:  Psychological

Malicious user Tactic:  Impersonation; persuasion

Strategy to combat:  If you don’t know someone, check!

  • Challenge the authority or identity of persons unknown to you; ask them to identify themselves.
  • IT support personnel will always wear Bellevue College identification.

Area of Risk:  Network, e-mail, and internet usage

Malicious user Tactic:  Creation and insertion of malicious software on systems to acquire passwords or other sensitive information

Strategy to combat:  User initiative and awareness

  • Appropriate password use and management.
  • Caution regarding e-mail from unknown senders and e-mail with attachments.

Area of Risk:  Offices

Malicious user Tactic:  Shoulder surfing; stealing sensitive documents or external hard drives; wandering through halls looking for open offices; using unattended computers that are already logged-in

Strategy to combat:  User initiative and awareness

  • Don’t type passwords with anyone else present (and be courteous by not watching others type theirs).
  • Mark documents as confidential and require hard copies of those documents to be physically locked up.
  • Lock up external hard drives and USB drives at night.
  • Require all guests to be escorted.
  • Do not store or post passwords near computers.
  • Lock your computer whenever you step away from it, even for a “minute”.

Area of Risk:  Phone

Malicious user Tactic:  Stealing toll access (making long-distance calls on the college’s account)

Strategy to combat: 

  • Protect SCAN codes the same way you protect passwords: never share them or write them where others can see them.

Area of Risk:  Help Desk

Malicious user Tactic:  Impersonation; persuasion

Strategy to combat: 

  • Remember that the Help Desk will never ask you for your password in an e-mail or over the phone; any such request is a sign of impersonation.

If you have any questions about social engineering, or are uncertain if you have been a victim of social engineering, be sure to contact the Help Desk (415.564.4357).