Volume 1, Issue 1
February 2002
Inside this issue...
There Are No Secrets: Social Engineering and Privacy
Unmasking Social-Engineering Attacks
Protect Against Social Engineering Attacks
For additional information contact your Gartner Sales Executive or cathy.telesco@gartner.com
Unmasking Social-Engineering Attacks
Attacks on enterprise security defenses often use social-engineering principles to trick users into violating policies and procedures. The best deterrent is to maintain and enforce these policies, as well as employee education.
"Things are seldom what they seem, skim milk masquerades as cream," sing two cheerfully disenchanted characters in Gilbert and Sullivan's operetta "H.M.S. Pinafore."
With social engineering, things are never what they seem. The primary activity of social engineering, as defined in the IT security sector, is the manipulation of people using a combination of spying, theft and deceit to successfully breach an enterprise's security (see "Protect Against Social Engineering Attacks," TG-14-7359, and "There Are No Secrets: Social Engineering and Privacy," TU-14-5662). Attackers use psychological ploys, primarily impersonation, to take advantage of users' good will, trust and desire to be helpful. Users are thus duped into taking some personal or online action on behalf of the attacker.
The unwitting victim of a social-engineering attack acts against the best interests of the enterprise, such as by making "an exception" for the attacker or otherwise violating standing policies. The attacker can be a person inside or outside the enterprise who pretends to be someone else:
- In person
- On the telephone
- Via conventional mail or e-mail
- Through a malicious program disguised as an interesting message or a legitimate program
Regardless of the medium employed to communicate with the victim, social-engineering attack activities can include:
- Gathering logon information and passwords, or otherwise gaining access to corporate systems
- Tricking the victim into opening an e-mail that, in turn, opens the door for malicious code
- Uncovering proprietary or confidential, personal information
Social-Engineering Attacks
The four major types of social-engineering attacks are:
Figure 1: The Plausible Personal Request

What It Is: A common type of person-to-person con game involving impersonation and lying that exploits the helpfulness of the victim.

How It Works: The employee responds to a plausible request to "help out" with a problem or emergency, often from someone who claims to have "no time" to go through channels. The usual goal is to obtain logon information and passwords. The attacker may:
- Ask for help "changing a password."
- "Forget" the system password and ask people in the vicinity for it.
- Say, "I left my badge in my other purse and I really need to get into the lab."
- Pretend to be an executive and, taking advantage of a new system administrator, demand access to the real executive's account.
- Identify himself as a tech support representative who needs help with a test, e.g., "Just give me your user name and password" or "Can you please change your password to..."

How to Prevent It:
- Technology: Technical/procedural means to verify the caller's identity for a password reset, e.g., calling line identification (CLI), "callback" or automated self-service password reset.
- Process: The desire to be helpful renders people vulnerable; therefore, extra effort must be expended to enforce information security policies and procedures.
- Awareness: Education regarding security policy, beginning when new employees are hired. Policy statements on appropriate screens, e.g., "System administrators will never ask you for your password," could appear as a pop-up during server login. Frequent refresher courses for managers so that employees feel comfortable saying, "Just a moment, please, while I clear your request with my manager."

Source: Gartner Research
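The "Technology" control for Figure 1 (verify the caller by CLI, by callback, or by an authenticated self-service flow) can be made concrete as a help-desk decision routine. The following Python is an added example, not code from the Gartner note; the directory of record, the user ids and the phone numbers are constructed sample data, and the self-service token flag stands in for a hypothetical automated reset system. The point it demonstrates is that a number the caller supplies ("call me back on my cell, I left my badge at home") is never used for verification, and that every request, approved or denied, is logged.

```python
"""Help-desk password-reset verification against the directory of record.

Added example (not Gartner's code). A reset is approved only when the caller is
verified by calling line identification (CLI), by a callback to the number on
record, or by an already authenticated automated self-service flow. A number the
caller *supplies* is never used, because that is exactly what the "plausible
personal request" relies on.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample directory of record: user id -> telephone number on file.
DIRECTORY = {
    "jdoe": "+1-555-0100",
    "asmith": "+1-555-0101",
}


@dataclass
class ResetRequest:
    claimed_user: str
    cli_number: Optional[str] = None              # number presented by the phone system
    caller_supplied_number: Optional[str] = None  # "call me back on this number" (untrusted)
    callback_completed_to: Optional[str] = None   # number the help desk actually reached the user on
    self_service_token_valid: bool = False        # hypothetical automated reset flow already verified the user


@dataclass
class Decision:
    allowed: bool
    reason: str


# Every request, approved or denied, is recorded so repeated attempts are visible.
AUDIT_LOG: List[Tuple[str, bool, str]] = []


def normalize(number: Optional[str]) -> Optional[str]:
    """Keep digits only so "+1 (555) 0100" and "+1-555-0100" compare equal."""
    if not number:
        return None
    return "".join(ch for ch in number if ch.isdigit()) or None


def callback_number_for(user: str) -> Optional[str]:
    """The only number the help desk may call back: the one on record, never the caller's."""
    return DIRECTORY.get(user)


def verify_reset(req: ResetRequest) -> Decision:
    """Decide whether a reset may proceed; caller_supplied_number is deliberately ignored."""
    record = normalize(callback_number_for(req.claimed_user))
    if record is None:
        decision = Decision(False, "unknown user")
    elif req.self_service_token_valid:
        decision = Decision(True, "automated self-service reset")
    elif normalize(req.callback_completed_to) == record:
        decision = Decision(True, "callback to number of record")
    elif normalize(req.cli_number) == record:
        decision = Decision(True, "CLI matches number of record")
    else:
        decision = Decision(False, "identity not verified; call back the number of record")
    AUDIT_LOG.append((req.claimed_user, decision.allowed, decision.reason))
    return decision


if __name__ == "__main__":
    # Caller asks to be called back on a number that is not on file: denied.
    print(verify_reset(ResetRequest("jdoe", caller_supplied_number="+1-555-0199")))
    # Help desk reached the user on the number of record: approved.
    print(verify_reset(ResetRequest("jdoe", callback_completed_to="+1 (555) 0100")))
```

The order of the checks matters only for the logged reason; what matters for security is that none of the approving branches reads `caller_supplied_number`, and that a denial still produces an audit entry the security team can review for patterns.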
Figure 2: "Just Answering a Few Questions ..."

What It Is: The attacker directly solicits proprietary or confidential personal information. Often, the perpetrator gathers fairly routine information from a number of sources and puts the pieces together to deduce proprietary information. In the United States, this is called "contexting"; in the United Kingdom, it's called "blagging."

How It Works: A somewhat different con game, this type of attack is widely used to extract information from healthcare organizations, banks and insurance companies. The employee is flattered by the opportunity to "know the answer," to appear smart and competent. The attacker may:
- Identify himself as a student or reporter conducting research.
- Ask for specific information about the company, its products and employees, ostensibly as a part of a poll or "to update records."
- Impersonate a doctor at another hospital or the manager at another bank who needs information from patient/client records because of an emergency.
Motivations behind this type of attack can range from gathering competitive information on behalf of a client to collecting proprietary or personal information for various illegal and criminal purposes.

How to Prevent It:
- Technology: Technical/procedural means to verify the caller's identity for a password reset, e.g., calling line identification (CLI), "callback" or automated self-service password reset.
- Process: The desire to be helpful renders people vulnerable; therefore, extra effort must be expended to enforce information security policies and procedures.
- Awareness: Education regarding security policy, beginning when new employees are hired. Policy statements on appropriate screens, e.g., "System administrators will never ask you for your password," could appear as a pop-up during server login. Frequent refresher courses for managers so that employees feel comfortable saying, "Just a moment, please, while I clear your request with my manager."

Source: Gartner Research
Figure 3: The Really Interesting E-Mail

What It Is: E-mails that offer friendships, diversion, gifts and various free pictures and information take advantage of the anonymity and camaraderie of the Internet to plant malicious code.

How It Works: The employee opens e-mails and attachments through which viruses, worms and other uninvited programs find their way into systems and networks. He or she is motivated to open the message because it appears to:
- Offer useful information, such as security notices or verification of a purchase.
- Promise a diversion, such as jokes, gossip, cartoons or photographs.
- Give away something for nothing, such as music, videos or software downloads.
As with all viruses and worms, the outcome can range in severity from nuisance to system slow-down to destruction or alteration of records.

How to Prevent It:
- Technical: Technical defenses such as content monitoring and security patches for e-mail clients. Regular updating of the antivirus software package and new virus "patterns" on each employee's desktop.
- Process: Well-publicized procedures must instruct employees on what actions to take and whom to contact when they encounter suspicious messages.
- Awareness: Education regarding the telltale signs of e-mails that are "false friends." Example: "Goner" was a worm that required users to click on an attachment that offered a free screen saver.

Source: Gartner Research
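The "content monitoring" defense for Figure 3 can be illustrated with a small inbound-mail screener that looks for the two things the note describes: an attachment that is really an executable (a screen saver file is one) and lure wording that promises a diversion or something for nothing. The following Python is an added example, not Gartner's code or any product's; the executable-type list and the lure phrases are assumptions for illustration, and the two messages are constructed inline with Python's `email` package rather than captured from a real worm.

```python
"""Screening inbound e-mail for the "really interesting e-mail" lure.

Added example (not Gartner's code). The executable-type list and lure phrases
are assumptions for illustration; a real content filter would use the
organisation's own policy. Two sample messages are constructed inline.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# File types that run when double-clicked on a desktop. A screen saver (.scr)
# is an executable, which is why a "free screen saver" attachment is a classic lure.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}

# Wording that mirrors the "How It Works" column: something for nothing, a diversion.
LURE_PHRASES = ("free", "screen saver", "screensaver", "jokes", "you have won", "download now")


def attachment_findings(filename: str) -> List[str]:
    """Flag executable types and double extensions such as photo.jpg.exe."""
    findings = []
    parts = filename.lower().split(".")
    if len(parts) > 1 and parts[-1] in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable attachment type .{parts[-1]}")
    if len(parts) > 2:
        findings.append("double extension")
    return findings


def screen_message(raw: str) -> Dict[str, object]:
    """Return lure phrases, attachment findings and the action to take for one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = (str(msg.get("Subject", "")) + " " + body).lower()
    lures = [phrase for phrase in LURE_PHRASES if phrase in text]

    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        findings.extend(f"{name}: {f}" for f in attachment_findings(name))

    if findings:
        action = "quarantine"            # executable content never reaches the desktop
    elif lures:
        action = "deliver with warning"  # lure wording but no dangerous attachment
    else:
        action = "deliver"
    return {"lures": lures, "findings": findings, "action": action}


def build_sample(subject: str, body: str, attachment_name: str) -> str:
    """Construct a MIME message with one attachment (sample data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "friend@example.invalid"
    msg["To"] = "employee@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"not a real program", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


# Constructed samples: a "free screen saver" lure and a routine business message.
SAMPLE_LURE = build_sample("Free screen saver for you!",
                           "Download now and enjoy, it's free.", "screensaver.scr")
SAMPLE_BENIGN = build_sample("Q4 report",
                             "Attached is the report we discussed.", "report.pdf")


if __name__ == "__main__":
    for raw in (SAMPLE_LURE, SAMPLE_BENIGN):
        print(screen_message(raw))
```

Attachment type decides the action and lure wording only adds a warning, because a message can be perfectly dull and still carry an executable, while "free" appears in plenty of legitimate mail; the filename check is deliberately done on the declared name, since the lure depends on the user trusting that name.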
Figure 4: The Trojan Horse

What It Is: A seemingly innocent program hides malicious code, just as the Trojan horse of antiquity appeared to be a gift statue but, in reality, was a hiding place for enemy soldiers who laid waste to the city of Troy.

How It Works: The employee takes what appears to be a routine system action, such as logging in or providing information. In reality, he or she has assisted in activating a Trojan horse program, which is a technical attack with a social-engineering component. A master of disguises, the Trojan horse could appear to be:
- A normal login screen. The user logs in as usual and receives a "network not available" message or is automatically handed over to the real login program. The Trojan horse, meanwhile, e-mails the logon information to the attacker.
- An electronic form to be filled out for some worthy purpose, but which really provides a full dossier of information to the attacker.
Unlike a virus or worm, a Trojan horse nearly always has malicious intent.

How to Prevent It:
- Technical: Continuous technical monitoring to detect the presence of illegal programs before they have a chance to victimize users. Defenses to ensure that the Trojan horse does not come through the gates in the first place, e.g., restrict users' ability to download or install software.
- Process: Well-publicized procedures that instruct employees what actions to take and whom to contact when encountering suspicious messages.
- Awareness: In a Trojan horse attack, few symptoms indicate to users that an illegal program is in operation. Education to make clear the types of questions the enterprise's system(s) will never ask.

Source: Gartner Research
When social-engineering attacks succeed, it is not because of a lack of security, nor is it because the users are stupid and gullible. Rather, it is because the users are human. People at all levels of an enterprise can fall victim to the wiles of the social-engineering attacker and can be deceived into taking action on the attacker's behalf that violates security policies and procedures. It would be a mistake to assume that anyone is immune.
The best deterrent to social-engineering attacks consists of maintaining and enforcing security policies and practices, as well as the education of employees:
- Clearly define and widely distribute and discuss security policies and procedures covering the main areas of vulnerability to social-engineering attacks.
- Conduct educational programs at all levels of the enterprise. Back up the education program with an occasional "drill" (a type of penetration testing) in which a manager pretends to be a plausible outsider to better gauge the degree to which the education is working, and to better instruct employees on how to handle such a situation.
- Create a communication model in which employees know where and how to report suspicious people, telephone calls or e-mails. The report should be treated with respect, logged and acted on; otherwise, employees will be discouraged from noticing or reporting suspected social-engineering attacks.
Core Topic
Security and Privacy: Individual and Corporate Privacy
Key Issue
How will enterprises evolve organizationally, architecturally and procedurally to respond to growing concerns over corporate and personal privacy?
Tactical Guidelines
- Clearly define and widely distribute security policies and procedures covering the main areas of vulnerability to social-engineering attacks.
- Conduct educational programs at all levels of the enterprise to train employees on how to respond to suspicious people, telephone calls or e-mails.
- Create a communication model in which employees know where and how to report suspicious people or messages.
Source: Gartner Research
Bottom Line: The good news is that the deceptive actions described above constitute social-engineering attacks only when they work. The rest of the time, they are merely momentary diversions, such as strangers being ushered out of the building, nuisance phone calls quickly ended or junk e-mail deleted, i.e., routine security matters. The bad news is that enterprises that fail to educate their employees as to how to identify and react to social-engineering attacks risk falling victim to malicious con artists.
Gartner's Information Security Strategies Research Note TG-15-1287, 19 December 2001.
Entire contents © 2002 by Gartner, Inc. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.