Security Awareness: Social Engineering
by Roman H. Kepczyk, CPA.CITP (April 20, 2005) 

Have you ever been solicited and bought something from a direct marketer either online or via the phone from a company or person that you had never heard of before?  How about answering an online survey or questions about “updating the information in your profile” to a person you did not know?  Did you ever let a courier, exterminator, repair, or pizza delivery guy into your office unescorted?  If yes, you have experienced how easy it is to be “socially engineered” into providing what could be inappropriate access to your building or confidential information, which could be used to compromise your organization’s security or your personal identity.  Providing this information could appear to be as benign as verifying employee numbers, internal phone extensions or the names of your IT personnel, or as sensitive as providing passwords, logins, social security or credit card numbers. While the majority of these interactions are with legitimate businesses, criminal hackers (also known as crackers) employ these techniques to get confidential information about your personnel and your firm’s network.  With a simple phone call or walk through the office, crackers can get all the information they need to breach your security infrastructure. 

When security is discussed in most firms, management thinks in terms of Internet and password access, with policies and training geared towards keeping firewalls, security patches, and anti-virus updates current.  These organizations usually also have policies in place explaining what is acceptable computer and Internet use, and they may even have held a security awareness training session in the past.  Unfortunately, most firms have not updated their training and awareness to incorporate education on social engineering attacks and phishing schemes, which can lead staff to divulge confidential information.  When you consider the magnitude of financial information within CPA firms, particularly in tax return files, it is the responsibility of CPAs to do what is necessary to secure this data.  This includes updating security policies and training to minimize the impact of social engineering attacks, which begins with firm personnel understanding the risks.

Employees need to be educated on how a cracker can use physical access to compromise a firm.   A walk through the office can reveal passwords stuck to a computer monitor or under a keyboard.  A lunchroom bulletin board can have a listing of internal support personnel names, email addresses and phone extensions, or a vacation schedule that states when specific people will be out of the office.  An unescorted person could pick up any of this information or look over someone’s shoulder as they type in their login or password.  If no one is looking, they could easily attach a data collection device to the back of a computer, or even leave a CD in the computer drive or on a desktop which, when loaded, installs compromising applications on that machine. Some crackers have even gotten themselves hired on as janitors or low-level employees to get access to information.

Employees must also be educated on how phone calls and emails are utilized in social engineering attempts. Crackers can be as blunt as phoning, claiming to be from the firm’s internal or external IT support organization, and asking to verify logins or passwords.  More commonly, they use the phone to build a trusted relationship with someone within the firm.  Over time, the relationship develops to the point where the internal person divulges confidential information without even realizing it.  It is critical to remind employees that crackers are criminals who are intent on getting access to firm resources or individuals’ information for unscrupulous purposes.  Employees should be taught that when they become suspicious of a phone call, they should ask questions to verify the caller’s identity and request a callback number, so that the employee can initiate the contact.

Email and instant messaging are also effective tools used by crackers to get unsuspecting people to divulge information or provide access to the network. Emails from unknown parties that ask the recipient to open an attachment can lead to an application being loaded on the individual’s computer.  This avenue of attack can be made even worse in IT environments where employees can access personal email accounts on firm laptops when away from the office (and not protected by the firm’s internal security infrastructure).  These programs can include keyboard logging programs that capture passwords, as well as programs that turn the unsuspecting computer into a relay for spam or other unscrupulous purposes.  Attachments including Zip files and JPG photos can also carry hacker tools. Personnel should also be educated on “phishing” schemes that purport to be from authentic companies requesting that the user update their information or purchase a product at ridiculously low prices.  To counter this, personnel should be trained never to go to a website by clicking on a link within the email; instead, they should open a browser and go to the website from there.
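The advice above is to treat links and attachments in unsolicited email as suspect. The script below, added here as an example and not part of the original article, shows what a mail filter can check mechanically for the same warning signs the paragraph describes: a link whose visible text names one site while its href points to another, a link whose domain differs from the sender’s, and an attachment of an archive or executable type. The two messages, their addresses and domains are constructed placeholders; the “last two labels” rule in `registered_domain` and the `RISKY_EXTENSIONS` list are simplifying assumptions rather than a complete policy.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the displayed link text names the bank, the real href
# points elsewhere, and a zip archive is attached. All addresses are placeholders.
SAMPLE_EMAIL = b"""From: Account Services <alerts@example-bank.com>
To: staff@example-firm.com
Subject: Please update your profile
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<html><body><p>Your profile needs updating. Visit
<a href="http://login.example-bank.com.attacker.example/update">https://www.example-bank.com/profile</a>
within 24 hours.</p></body></html>

--XYZ
Content-Type: application/zip; name="statement.zip"
Content-Disposition: attachment; filename="statement.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--XYZ--
"""

# Constructed benign sample: link text and href agree, and both match the sender.
CLEAN_EMAIL = b"""From: Account Services <alerts@example-bank.com>
To: staff@example-firm.com
Subject: Statement available
Content-Type: text/html; charset="utf-8"

<html><body><p>See <a href="https://www.example-bank.com/profile">www.example-bank.com/profile</a>.</p></body></html>
"""

# Assumed sample policy: archives and executable types are flagged for review.
RISKY_EXTENSIONS = {"zip", "exe", "scr", "js", "vbs", "bat", "cmd", "com", "pif", "hta"}

# Display text counts as "URL-like" only if it looks like a hostname or URL.
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Simplifying assumption: the registered domain is the last two labels."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else (host or "").lower()


def shown_hostname(text):
    """Hostname the link *appears* to go to, or None if the text is not URL-like."""
    if not URL_LIKE.match(text):
        return None
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname


def analyze(raw_bytes):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    sender = parseaddr(str(msg.get("From", "")))[1]
    sender_domain = registered_domain(sender.split("@")[-1]) if "@" in sender else ""

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            target = registered_domain(urlparse(href).hostname)
            shown = shown_hostname(text)
            if shown and registered_domain(shown) != target:
                findings.append(f"link text shows {shown} but points to {target}")
            if sender_domain and target != sender_domain:
                findings.append(f"link to {target} differs from sender domain {sender_domain}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {name!r} has risky type .{ext}")
    return findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, analyze(raw) or ["no findings"])
```

The first message produces three findings (the mismatched link text, the link domain that differs from the sender, and the zip attachment); the second produces none. A check like this is a complement to training, not a substitute for it: a link whose text is simply “click here” carries no visible hostname to compare, which is exactly why the article tells staff to type the address into a browser themselves.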

Most firms today have become very aware of the security risks created by opening up their networks to the Internet, and most have the infrastructure to support and maintain a basic level of security.  With this in mind, the hacking community has found that using social engineering scenarios can often be easier than trying to break in through the firewall.  It is important that firms make a concerted effort to educate their people about these risks and to update their policies accordingly.

Roman H. Kepczyk, CPA, CITP is President of InfoTech Partners North America, Inc. which works exclusively with CPA firms to implement today’s best practices as they transition to a “less paper” or digital environment.


 © 2005 InfoTech Partners North America, Inc....your technology partner  (480) 706-1728



InfoTech Partners North America, Inc.
13656 South 37th Place
Phoenix, AZ 85044-4531
Phone: (480) 706-1728
Fax/Voicemail: (480) 718-8880
Email: roman@itpna.com
Web Site: www.itpna.com
