Social engineering sounds like a sub-discipline of psychohistory, the fictional science of Isaac Asimov’s Foundation series. It is also one of the primary methods by which an attacker gains access to your network. One of the simplest social engineering attacks is for an attacker to ring the helpdesk pretending to be an employee and ask for “their” password to be reset. Attackers from outside the organization can use the company’s website to find the name of a user: almost all company websites carry some employee information, often including email addresses. Because many organizations use a person’s email prefix as their login name (for example, a login of orin.thomas derived from the email address orin.thomas@<domain>), the attacker can contact the helpdesk pretending to be that person.
“Hello, this is Orin Thomas, I’ve forgotten my password. Would you please reset it?”
This sort of attack is even more effective now that everyone uses VPNs to remotely access the corporate network. A smart attacker will even place a separate helpdesk call asking to verify the organization’s VPN configuration.
“Hi, this is Orin Thomas. I’m having trouble with my VPN connection. What is the IP address of the VPN server again?”
Someone from within the organization who wants to gain access to someone else’s files doesn’t even need to scour a website to learn a login; they probably already know the target’s login and are just waiting for the password to be reset. Someone doing this from within the organization has the added advantage of appearing to call from a local extension, assuming that the helpdesk technician has noted the extension number.
Attackers using social engineering to get helpdesk technicians to reset passwords are likely to call towards the end of the day. Most helpdesk techs are less likely to do a rigorous background check on someone ringing at 4:57 on a Friday afternoon, even though it should be obvious that someone genuinely having password problems would be more likely to ring at the start of the day.
The only way to guard against this type of attack is to have a strict policy in place about password resetting. At one place I worked, we weren’t allowed to reset a password until we had sighted a staff card. The downside of this was that it was difficult to explain to someone on the other side of the campus that they would have to walk 2 kilometers to our office so that we could see their card.
Once you have a policy, you should regularly test it. Organize for someone to contact the helpdesk and find out how difficult it is to get someone else’s password reset. No system is going to be perfect, but as any security geek knows, you can only slow down a determined attacker; you can rarely protect against them completely.
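Testing the policy once tells you whether a tester got through; auditing the helpdesk’s own reset records tells you whether the policy is being followed day to day. The script below is an added example, not code from the original post or from any helpdesk product. It assumes a hypothetical ticket export with five comma-separated fields (ticket id, timestamp, account, verification method recorded by the technician, and the extension the call came from), an assumed policy that only a sighted staff card or a callback to the requester’s manager counts as verification, and the late-Friday window the post describes. The log lines are constructed sample data. Every reset that lacks accepted verification, came in from outside the internal phone system, or landed in the end-of-day Friday window is reported with the reasons, so a reviewer can pull those tickets for a second look.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List

# Constructed sample export of helpdesk password-reset tickets (not real data).
# Fields: ticket, ISO timestamp, account reset, verification method the
# technician recorded, and the extension (or "external") the request came from.
SAMPLE_LOG = """\
T1001,2024-05-17T09:12:00,orin.thomas,staff_card_sighted,ext-4421
T1002,2024-05-17T13:40:00,jane.doe,manager_callback,ext-2210
T1003,2024-05-17T16:57:00,orin.thomas,caller_stated_name,external
T1004,2024-05-16T16:58:00,sam.lee,none,external
T1005,2024-05-17T16:45:00,pat.kim,staff_card_sighted,ext-3300
"""

# Assumed policy: only these methods count as having verified the requester.
ACCEPTED_VERIFICATION = {"staff_card_sighted", "manager_callback"}

# The "4:57 on a Friday afternoon" pattern from the post, widened to the
# last half hour before a 17:00 close of business (assumed working hours).
CLOSE_OF_BUSINESS = time(17, 0)
END_OF_DAY_START = time(16, 30)
FRIDAY = 4  # datetime.weekday(): Monday == 0


@dataclass
class ResetEvent:
    ticket: str
    when: datetime
    account: str
    verification: str
    origin: str


def parse_log(text: str) -> List[ResetEvent]:
    """Parse the assumed five-field CSV export into ResetEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ticket, ts, account, verification, origin = line.split(",")
        events.append(ResetEvent(ticket, datetime.fromisoformat(ts), account, verification, origin))
    return events


def in_friday_end_of_day_window(when: datetime) -> bool:
    """True when the reset happened in the last half hour of a Friday."""
    return when.weekday() == FRIDAY and END_OF_DAY_START <= when.time() < CLOSE_OF_BUSINESS


def audit(events: List[ResetEvent]) -> Dict[str, List[str]]:
    """Map each ticket that needs review to the list of reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        reasons = []
        # Policy violation: the technician reset the password without an
        # accepted form of identity verification.
        if ev.verification not in ACCEPTED_VERIFICATION:
            reasons.append(f"identity not verified by an accepted method ({ev.verification})")
        # Risk indicator: the call did not come from an internal extension.
        if ev.origin == "external":
            reasons.append("request did not come from an internal extension")
        # Risk indicator: the late-Friday timing the post describes.
        if in_friday_end_of_day_window(ev.when):
            reasons.append("reset in the late-Friday end-of-day window")
        if reasons:
            findings[ev.ticket] = reasons
    return findings


if __name__ == "__main__":
    for ticket, reasons in audit(parse_log(SAMPLE_LOG)).items():
        print(ticket)
        for reason in reasons:
            print(f"  - {reason}")
```

Run it as-is to see the sample findings, or point `parse_log` at a real export with the same field layout. A ticket flagged only for timing (such as one with a sighted staff card at 16:45 on a Friday) is not a violation, just a record worth spot-checking; the ones flagged for missing verification are the direct policy failures the post is warning about.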