ZDNet AnchorDesk: Why firewalls aren't always enough

AnchorDesk

Why firewalls aren't always enough

Robert Vamosi
Senior Editor, Reviews
Monday, Mar. 15, 2004

Add your opinion

Forward in

Format for

Like con men and grifters, criminal hackers (a.k.a. crackers) are talented people. The infamous Kevin Mitnick, for example, conducted most of his corporate intrusions by using the telephone, relying on the gullibility and friendly helpfulness of real people to gain access to corporate networks.

What you can do

There may be no software or hardware solution to social engineering hacks. But that doesn't mean you shouldn't protect your network and your systems with firewalls and other standard security tools.

Netgear WGT624 108 Mbps Wireless Firewall Router

NetGear FWG114P ProSafe 802.11g Wireless Firewall w/4 Port 10/100 Switch and USB Print Server

Such "social-engineering attacks"--often precursors to computer-network attacks--are still real threats, which is why they were a hot topic at this year's RSA Conference in San Francisco. That's why I thought it would be good to further explain what social-engineering attacks are and offer some pointers on how to protect yourself from them.

SPEAKING AT this year's RSA, Ira Winkler, a former financial analyst for the National Security Agency (NSA) and now a security consultant, offered several examples of real-world social-engineering attacks. Winkler himself was once hired by a large financial institution and given just four days to try to gain access to their internal network. Did he start his mission on the Internet? No, he began by calling the local office of the financial institution and asking for the company's annual stockholder report.

The report--rich in detail of the company's internal structure, including the names and contact info for corporate officers--allowed Winkler to select one upper-level manager who had launched a new corporate initiative. Winkler then called that manager's office posing as a corporate human resources agent wanting to do a news bit for the internal company newsletter. While gushing on about her boss, the manager's secretary confirmed to Winkler the manager's employee ID number, along with other details.

Winkler could have followed any number of roads to get this information. He could have called pretending to be from the company's travel department or listened to out-of-the-office phone messages providing dates of the absence, names of internal projects, or the name and number of an immediate supervisor. In other words, what might be random, trivial information to you is sometimes just enough to help an outsider crawl deep into the heart of your corporation.

What ultimately worked for Winkler, however, was a copy of the company's internal phone directory. He obtained it by first calling the company's graphics department with a bogus PowerPoint order to learn how the company uses its internal billing process; he then called the mail room to obtain the company's Federal Express account number. With both pieces of information, Winkler ordered himself a company directory, charged to a department he didn't work for and delivered to him overnight by FedEx.

Using the directory and his conversation with the upper-level manager's secretary, Winkler called the company's IT department. He pretended to be a middle manager out on the road with a new laptop, unable to log on to the company's VPN. Needless to say, Winkler beat the institution's four-day deadline for accessing their internal network.

ASIDE FROM using the telephone, Winkler cited other ways crackers score information. Among them: good old dumpster diving, shoulder surfing (literally reading typed passwords over someone's shoulder, say, on the train), outright theft (stealing a backup tape, a notebook, a PDA, or a prototype model), and finally, getting hired into a low-level job at the company. It's common, said Winkler, for criminal hackers to apply for jobs as janitors or mailroom assistants within a targeted company.

Want to protect yourself and your company? Realize that it's only human nature to want to help others but that this instinct can also undo tight security practices within companies. Winkler's security mantra is "No common sense without common knowledge." He feels (and I agree) that if everyone on staff is aware of the hidden dangers in leaking even trivial corporate information, outsiders won't be able to gain an easy foothold.

So here are 10 things that you and your company can do to prevent potential losses through a social-engineering attack:

Activate caller ID at work. Calls within my company, for example, display the name of the person calling.
Set your company's outbound caller ID to display only the front desk's phone number, not individual phone extensions.
Implement a company call-back policy. If someone calls asking for information about the company, say you'll call them back, then dial the number from within your corporate directory or go through their company's switchboard operator.
Be mindful of information posted in out-of-the-office messages. For example, don't leave the full name of your supervisor. A skilled cracker could now call another department and say that your supervisor is on his back because you're out on vacation and the cracker really, really needs access to this one particular account. In this case, a little knowledge can go a long way.
Never allow anyone you don't know to piggyback physical access into a room on your security ID card.
Confront strangers. Ask if you can take them to someone's office or help escort them outside.
Get to know your IT support staff. That way, if someone else calls saying they're from IT and needs your network password, which you should never give out anyway, you can say no and hang up with confidence.
Never write down your network password on a Post-it Note or tape it to the bottom of your keyboard; crackers, if inside the building, know where to look.
Periodically perform a Google search on your company and scrutinize whether sensitive company information is available outside your corporate firewall.
Institute a companywide security alert system. Have anyone who receives a suspicious phone call report it to a simple e-mail address, something like securityalert@company.com.

Does your company's security policy also include social-engineering attack prevention? Does your company even have a security policy? TalkBack to me below.

Special sponsor stores

Dell Home

BNET Industries
Check out BNET's newest resource for managers and executives. Need to do research on your competitors? Don't have time to read every trade pub? BNET Industries is the new source for daily news, insights, and research on 11 major industries and 9,000 public companies.
The technology industry from a different angle
See what's hot in the auto industry
Stay on top of the energy industry