Social Engineering

Introduction

The Bellevue College (BC) procedure addressing Social Engineering articulates the business risks that arise when malicious persons manipulate the human tendency to trust in order to break into college computer networks or gain unauthorized access to college information or computing resources. This article is intended to summarize some of the key information contained within that procedure.

Social manipulation (or “engineering,” a term coined by hackers) was identified as early as 1991 as a successful technique for circumventing network and computer security. Because it is so successful at bypassing the technical protections that provide computer security, various social engineering techniques continue to be used to this day.

Social engineering relies on the cooperation of college computer users, who are often trusting and helpful, and is one of the greatest ongoing information security threats. It provides the attacker a way to bypass all electronic security methods that may be in place on computers or networks.

A goal of the BC procedure is to help prevent intrusion by outside parties through the unwitting collaboration of college employees, because—once access is attained—severe damage can be done to any or all college network and computing systems.

Purpose

The main purpose of social engineering is to obtain a user’s password. Any account which provides access to BC technology assets can be used by a knowledgeable user in many malicious ways, the least damaging of which compromises only the account whose password is known.

A secondary purpose related to social engineering is to physically obtain desirable sensitive information or gain access to unattended systems, thus negating the need for a computer password.

Social engineering attacks include both physical and psychological methods:

Physical methods for collecting information may include:

    1. Impersonation of repairmen, IT support personnel, managers, etc., either by phone or in person.
    2. Dumpster diving to collect and analyze information from trash.
    3. “Shoulder surfing”: watching employees as they type their passwords.
    4. Searching a work area for passwords or other sensitive information that has been written down.
    5. Using computers that are already logged in.

Psychological methods of collecting information depend upon an assumption of trust and manipulate emotion to acquire information or access. The interaction is often by phone or e-mail, and risks include:

    1. Direct phone requests to the Technology Service Desk for password resets for the accounts of others.
    2. Pleas or threats for information by impersonation of authority figures or support personnel.

Some of these methods can be used in person; some can be used over the phone or through email. When this type of social engineering is done by email, it is sometimes referred to as “phishing.”

Social engineering relies fundamentally on the victim’s willingness to trust or help other people. In a service-oriented environment, this trust creates a significant challenge for staff and requires that they be constantly on guard. Awareness of the various methods used to gather information is an essential step in maintaining security.

Campus employees are expected to be familiar with Bellevue College policies and procedures prescribing what may and may not be released to outside parties, and these guidelines should always be followed.

Suggested Responses

Responses designed to limit social engineering opportunities can be implemented at the office level. Important general precautions all users can take include:

Area of Risk: Dumpsters, office trash

Malicious user Tactic: Dumpster, trash diving

Strategy to combat risk: Once something is left for trash, there is no expectation of privacy.

  • Reports containing sensitive data should be shredded before disposal.
  • All computer system media (floppy disks, CD-ROM disks, tape, hard drives, USB drives [internal or external], computer systems) should be disposed of following the procedures listed in college procedure #5220-P2 – Data Storage and Lifecycle (Procedures).

Area of Risk: General, psychological

Malicious user Tactic: Impersonation and persuasion

Strategy to combat risk:

  • Challenge the authority or identity of persons unknown to you – ask them to identify themselves.
  • IT support personnel will wear Bellevue College identification.

Area of Risk: Bellevue College network, email, Internet usage

Malicious user Tactic: Creation and insertion of malicious software to acquire passwords or other sensitive information

Strategy to combat risk:

  • Appropriate password use and management.
  • Campus user awareness regarding emails from unknown senders and emails with attachments.

Area of Risk: Offices

Malicious user Tactic: Shoulder surfing; stealing sensitive documents; wandering through halls looking for open offices; using vacant computers that are already logged in

Strategy to combat risk:

  • Don’t type in passwords with anyone else present (or if you must, do it quickly!).
  • Mark documents as confidential and require hard copies of those documents to be physically locked up.
  • Require all guests to be escorted.
  • Do not store or post passwords near computers.
  • Lock the computer when the user is not present, even for a “minute.”

Area of Risk: Phones

Malicious user Tactic: Stealing phone toll access

Strategy to combat risk: Protect scan codes as you would passwords.

Area of Risk: Service Desk

Malicious user Tactic: Impersonation; persuasion

Strategy to combat risk: The Technology Service Desk will give out passwords only upon clear verification of the individual’s identity.

Details

Article ID: 21730
Created: Tue 12/13/16 11:33 AM
Modified: Wed 1/9/19 1:05 PM