WeberDev.com PHP and MySQL Code
Title : The Biggest Vulnerability of All, by Anna Johnson
Categories : Human Factors, Security
Date : 2000-03-11
Viewed : 5157
In this article Anna Johnson discusses why information security professionals and organizations need to be vigilant against the largest and potentially most damaging vulnerability of all.



We're Only Human After All
The vulnerability with the most potential to cause damage is not a Trojan, virus or any kind of malicious code. While it is often quoted in computer security and hacking circles, it is not directly related to computers. This vulnerability existed long before the computer was invented. In fact it has existed since the dawn of time. It is quite simply human fallibility.

"Social engineering" is the term given by hackers, crackers and information security specialists to describe taking advantage of human fallibility. Social engineering is nothing more than the process of conning someone. As you can imagine, social engineering or "the con" is a widely used criminal practice. It is far from being the exclusive domain of highly skilled computer crackers. The only difference between social engineering and other types of deception is the objective. Social engineering is used to describe the plethora of non-technical methods of manipulating people in order to penetrate an information system. Since it is arguably the most powerful tool at the disposal of crackers, it is very much the concern of all information security professionals.



The Biggest Problem of All
Human fallibility is the biggest problem of all because no matter what security devices are utilized, if the right person or people are successfully misled, deceived or manipulated then a cracker can obtain access to whatever information or system he or she desires. Now, misleading or conning the "right person" or the "gatekeeper" may not be easy, depending on the organization and person or persons in question. Also, there are definitely systems and procedures that can be instituted to circumvent human fallibility. Indeed, banks and hospitals are just two types of organizations that (theoretically) use solid systems and procedures to prevent employees knowingly or unknowingly giving away access rights to unauthorized people.

Or do they? People still manage many critical functions in banks and hospitals. Such people can still be tricked, manipulated or even bribed. Many people are inherently trusting - especially when confronted by someone who poses no obvious threat. The most successful crackers - or criminals of any kind - are those who appear to be "normal." Such people do not match the stereotypical notions of how a cracker or criminal should appear or act. In reality, successful social engineers are people who appear to fit right in to a given environment - as though they are supposed to be there.



How Social Engineering Works
Imagine that you work in a large organization. You are working in an open office environment when someone whom you do not recognize strides purposefully past your desk. This person is dressed in a business suit, carries a briefcase and looks as though she is on a mission. Perhaps she is someone from another division, or a new employee, or a client, or the company lawyer or accountant, or a contractor. Or perhaps she is someone off the street with malicious intent. What would you do if this woman sat down at a vacant desk nearby and switched on the computer? Would you ask for her credentials? Would you ask her what on earth she was doing? Or would you presume that she is supposed to be doing whatever she is doing? I submit that most people - especially new and junior employees who don't want to be embarrassed or get into trouble - would not do anything about this strange woman. If this scenario seems implausible, please know that it happens all the time.

Often, a stranger is a client, contractor or person who has been invited into the office for a legitimate reason, although a given employee may not know who he or she is. Sometimes, however, a stranger is not meant to be there at all.

Everyone just assumes that someone else knows who the stranger is and what he or she is doing. Shake Communications performed an exercise in which an employee of Shake Communications successfully obtained access to the billing department of a large Australian telecommunications company. Let us call him P and describe exactly how he did it:
To begin with, P donned the typical attire of a businessman: conservative suit, brief case and mobile telephone. Now, the entrance of the building housing the billing department was locked and could only be opened with a mil key. As a result, P waited near the entrance. When someone opened the door to leave the building P walked casually through the door. He was in. The elevators could only be operated with the insertion of a mil key. P tried the stairwell instead. The doors to both the stairwell and the first floor were unlocked, so P made it to the foyer of the first floor. A locked glass door obstructed access from the foyer to the billing department (which was located on the first floor). Again, a mil key was required to unlock the door. However, a cleaner was working nearby, on the other side of the glass door. P pulled out his mobile phone and began speaking into it. The cleaner approached the door and politely opened it for P. P vaguely acknowledged the cleaner and strode into the billing department. Our hero had obtained access to the billing department.

On first appearances, P exploited vulnerabilities in both physical and human systems in order to obtain access to the billing department. Perhaps his task would have been made much more difficult had the doors to the stairwell and first floor been locked. However, on closer examination we see that a physical security device did guard each of the critical access points: the front entrance, the elevator and the door to the billing department were all locked. People - an outgoing person and the cleaner - allowed P to obtain access to firstly, the building and secondly, the billing department.

Thousands of pages could be filled with examples of how people can be subtly or overtly deceived. Social engineering covers a whole spectrum of tricks and techniques for obtaining both physical access and access to information systems. In fact, computer crackers are notorious for using nothing more than a telephone and a fake identity to trick an unwitting system administrator, security guard or some other person into giving away usernames, passwords and/or other information. Nor are information technology personnel the only victims. For instance, marketing personnel are often targets for industrial spies pretending to be university students ("working on an assignment") who want confidential marketing data.



How to defend your Organization against Social Engineering
It would be naïve to suggest that there is a foolproof way of preventing social engineering. We are human after all - and humans can be foolish at times. However, there are steps we can take to reduce the chances of being "socially engineered".

Firstly, the organization needs to develop and institute a security policy that is taught and enforced at all levels of the organization. Such a policy should cover human fallibility and the potential for social engineering. The policy should encourage (not punish) employees to suspend trust in circumstances where someone or something they don't recognize is trying to obtain physical or information access. This does not mean that they should be rude - just wary.

Procedures should be enforced whereby a stranger must provide evidence of his or her identity. This could be as simple as wearing or carrying a visitor pass. Also, access to anything important should not be left in the hands of just one person. There should be no weak links!

As well as protecting assets in their own right, more sophisticated physical and/or information security systems can be useful in overriding human fallibility. In the example of P: had a biometric device governed access to the billing department, P would not have been able to walk through the door (without alerting everyone that he was not a member of staff) despite the best intentions of the cleaner. This is not to suggest that biometric devices are necessarily sufficient by themselves.



Conclusion
Installing a highly sophisticated security system can be very expensive. Managing threats to information and physical security is like managing any other risk. The aim is to reduce the risk to an acceptable level in the most cost-effective way. Interestingly, human fallibility is a problem that can be relatively easily and inexpensively addressed by instituting security policies and procedures. Practicing and enforcing these policies and procedures are the challenges. Therefore, the organization needs to make a commitment to ongoing employee education. Of course, employees themselves can be the worst social engineers of all… but that is another story.
