Firewalls, RSAs, passwords and encryption... the lists go on and on. Billions of dollars are spent annually on network security for the latest and greatest tools to make our systems safe. But are we anywhere near even a comfortable level of secure? The answer is no! Why? Because we continue to fail to recognize the greatest computer of them all as a threat... the human mind!
If we can see it, feel it, play with it; if it has lights that flash, buzzers that sound, and a price tag that seems exorbitant, then we have great security - in our minds. The greatest risk to our computer systems has a budget of nearly zero dollars, yet it is the risk that is most regularly ignored. Human intervention is where all of the hardware fails miserably. What we're describing is hacking via "social engineering."
To begin, we must recognize that we are all a target for someone or for some reason. All too often, we overlook the motivation for someone to select us as a target, since we feel that we have no information anyone could ever want or use. This could not be further from the truth. If I wanted the financial information about your company, I might have a hard time going through your firm to get it. But what if I attacked your CPA firm? What if I engineered an attack using your attorney's office? The path taken is not always direct to the target, but it is almost always the path of least resistance.
In social engineering, the techniques are varied, but they almost always include what is known as "pretext calling." It utilizes the art of distraction, or subterfuge. This type of attack is typically performed by disgruntled former employees, criminals and/or jealous competitors. The concept is to talk your way into the target by being as convincing as possible on the phone. More is clearly less in this type of attack, because the human mind will fill in many of the empty spaces and make assumptions about what we are really doing. A favorite saying of ours is "everyone is everyone else's dream." It is for this reason that 1-900 numbers work so effectively. As we talk to someone on the phone, we tend to picture that person in our minds. Couple that with our innate desire to help, and we have the perfect storm brewing. Most victims of social engineering will provide more information than is ever requested.
We define the art of social engineering as "10 degrees of separation," not the six we are all familiar with. "10 degrees" starts with the most innocuous, minute amount of information and continually builds upon the last bit of intelligence gathered. It is a process that may last for months, and it gradually builds until the goal is achieved. In the first degrees the caller learns the vocabulary or terminology of a particular company, and the process grows from there. A good example is a recently assessed case in which information supplied by a worker revealed the code name for a secure facility. Knowing that name, the social engineers were able to solicit company information by saying that they were calling from the secure location. Other techniques include ensuring that a "good show" is produced. Social engineers will often record the "on-hold" music of target companies for use in their pretext calling. While engaging a company representative on the phone, they will ask that person to hold for a minute and play the recorded hold music. The person on the phone hears the music they are familiar with and assumes the caller must be from that company. The reassurance appears to come from the target itself and not from the caller.
A great misconception about social engineering is that the perpetrators are technologically savvy. This could not be further from the truth. In fact, having less of a technological background is an asset. To understand this, we must look at human behavior. If we have a greater working knowledge, we tend to accept a technical challenge and try to prove our superior intellect by beating the hardware that challenges us. "Script kiddies" exist for this purpose. "A script kiddie is a derogatory term for inexperienced crackers who use scripts and programs developed by others, without knowing what they are or how they work, for the purpose of compromising computer accounts," according to Wikipedia. But if we have only a peripheral knowledge of a system, we will take the path of least resistance and have someone supply us the information, just by asking!
Our surroundings and our patterns also give away much intelligence information. A recent example occurred in the Washington DC area, near the Pentagon. Prior to the U.S. attacking Iraq, much of the operation was secret. However, many in the DC area knew the attack was imminent, even before the information was released. How? Catering orders and pizza deliveries to the Pentagon at night increased dramatically. The result: many in the DC area knew something was about to happen since everyone was working late that night!
Billions of dollars are spent annually on protecting and defending data streams. This is a necessary cost, and advancements are consistently being made to keep pace with current threat levels. As technology evolves, our defenses will evolve, but we must recognize that hardware alone is not the solution. The effects of social engineering are defensible through technique recognition and training. A caution to this statement is that we cannot be falsely led into believing that we can perform these critical functions internally. Just as IT functions are specialized, social engineering techniques are constantly changing and evolving. Additionally, we run the risk of turning a blind eye to the risks, due to our familiarity with our own operating procedures. We tend not to recognize issues, since what we assume to be our reactions to those issues are just that: assumptions. A perfect example of our human tendency to overlook the familiar would be in our married lives. How many times have our spouses come home with a new haircut, only to go unnoticed? Our familiarity with the everyday causes us to turn a blind eye to the issues.
What actions can we take to prevent, or at least attempt to minimize, the effects of social engineering? First, recognize and appreciate the damage that can be done by social engineering. Ask yourself, what would it cost my company if we lost this information? Second, conduct an internal assessment of your security procedures and IT protocols, from the viewpoint of a potential offender who wants to damage your company, not from that of the Security or IT Director. And finally, contract with an external firm to discuss your findings, establish an external group testing protocol, and provide training for the deficient areas that were discovered. When coupled with an effective hardware system, the risks are minimized and the danger can be alleviated.
Sal Lifrieri is President of Protective Countermeasures & Consulting, Inc., www.protectivecountermeasures.com. The firm specializes in providing cost-effective security solutions for businesses worldwide, utilizing 25 years of distinguished experience to protect valued assets against risks and threats. Mr. Lifrieri can be reached at 914-576-8706 or via email at s_lifrieri@protectivecountermeasures.com.
2010 TICKER Editorial Calendar Deadlines, Themes & Suggested Content