Exploiting Security Weaknesses Social Engineering

An employee who needs permission to access an electronic workspace, database, or other information systems resource typically fills in a request form and obtains approval from the responsible manager. The manager then routes the request to one of the system's administrators. Highly trusted and well-trained systems administrators spend a significant amount of time doing nothing more technical than adding or removing names from access control lists. In large organizations, it's not unusual for systems administrators to have never met any of the people involved in a specific request. The administrators may not even work in the same office. Hackers have learned to take advantage of this approach to access authorization. They begin by probing an organization. The hacker doesn't expect to compromise the system during this initial probe. He or she just starts by making a few phone calls to learn who is responsible for granting access and how to apply. A little more probing helps the hacker learn who's who within the organization's structure. Some organizations even post this information online in the form of employee directories. With this information in hand, the hacker knows whom to talk to, what to ask for, and what names to use to sound convincing. The hacker is now ready to try to impersonate an employee and trick a systems administrator into revealing a password and unwittingly granting unauthorized access. Organizations determine who needs access to which applications.

They also need a system through which they can authenticate the identity of an individual making a request. Finally, they need to manage this process both effectively and inexpensively.

a. Describe the business problems that this exercise presents.
b. Suggest several ways to reduce an organization's exposure to social engineering.
c. Prepare an orientation memo to new hires in your IT department describing "social engineering." Suggest several ways employees can avoid being tricked by hackers.