In-Depth

Defending Against Layer 8

Remember the 8th layer of the OSI networking stack: humans. System administrators must educate themselves and their users about social engineering practices to prevent attacks.

• By Danielle Ruest and Nelson Ruest
• 05/27/2004

Social engineering. Even the most comprehensive security strategies often omit it. That's because it addresses what Steve Riley, product manager with the Microsoft Security Business Unit, calls the 8^th Layer of the Open System Interconnection (OSI) networking stack: humans. "It's amazing how social engineering is repeatedly ignored by system administrators," says Riley. "Yet, there is no computer on the planet that does not rely on humans in some way, shape, or form," he continues. Riley is presenting a special Tech•Ed session on Friday, May 28, "Defending Against Layer 8," focusing on social engineering. Riley, a Tech•Ed veteran, says his session will concentrate on two elements: indoctrination and inoculation. Indoctrination is aimed at making system administrators aware of the problem; inoculation, at helping them fix it.

"Social engineering is a real risk," says Riley. "It amazes me that people still hand out their passwords to virtual strangers, even today." That's right. People just don't attach enough importance to password protection. They write them down, put them on "Post-it" notes, stick them under their keyboards or in their drawers—and what's worse, are often ready to tell them to any help desk technician that comes around. The problem also lies with the technicians themselves.

Indoctrination
Today, with technologies such as Remote Assistance built into Windows XP, there's no reason for anyone to know anyone else's password. Yet, this practice is prevalent. That's because people often think that the only way to perform operations inside another user's security context is to use their account name and password. This is one myth Riley is set to unravel. But it's not the only one. In fact, Riley is ripe with examples of social engineering: people calling the help desk to request a password change for accounts that don't belong to them; people calling users to impersonate the help desk; people pretending to need information they shouldn't have access to, and so on.

One large company sent out an internal memo about an upcoming security conference in its city, so its staff was aware of the conference at least a week in advance. "Yet, during the conference, a speaker called the help desk and got them to change a password for an account that didn't belong to him—all this in front of a crowd of attendees," relates Riley. How embarrassing.

Another story he tells is about someone who set up a fake automated teller machine (ATM) in a New Jersey mall. People kept trying to use it even if it didn't work. In the end, this person stole hundreds of thousands of dollars because his machine read the card information and captured the personal identification numbers (PINs) for each card. All he had to do was print new cards and use them in real ATMs throughout the city. According to Riley, this person might not have been caught if an off-duty policeman hadn't heard one of the people involved in the scam brag about it in a bar.

Inoculation
"I just want system administrators to be aware of the problem and realize their vulnerability," says Riley. Once this indoctrination is done, the second part is inoculation. Part of the problem lies in the fact that the 8^th layer deals with people. System administrators must educate their users about social engineering practices. This includes communication programs—something that many administrators have little experience with.

But Riley has other approaches. For example, administrators can put special policies in place. "If people call the help desk for a password change, put them on hold for a while," suggests Riley. If they have malicious intent, they'll probably start feeling a little nervous after being on hold for a couple of minutes. Another policy Riley suggests is a callback policy: If unknown users call for a password change, call them back to a prearranged number before changing the password. This way you can ensure you're talking to the right person.

Riley's objective is to help you find out how and why you might be vulnerable to social engineering attacks and then provide you with examples of how to defend yourself—examples that stem from real-life experiences and are often simple to implement but also effective against this prevalent attack strategy. It's great to see Microsoft doing such a non-technical session—one that focuses on the human aspect of security—at Tech•Ed, one of its most technical shows. This can only mean that Microsoft is serious about security this time.