January 2005
Quarterly Security Newsletter
01 What is social engineering?
02 Moving forward together
03 Examples
04 Connecting the dots
05 Slow leaks are devastating
06 Tips
07 Further info

Social Engineering

"No one can build his security upon the nobleness of another person." -Willa Cather

The confidence game is as old as human history. At its core, it relies on the target's willingness to set aside his or her own best judgement. Con men swindled people out of hard-earned cash at medicine shows during the so-called "age of enlightenment".

It's just as easy to exploit human weakness in the computer age.

What is social engineering?

Social engineering penetrates the company's security by exploiting human factors rather than technical flaws: the intruder talks his way in instead of hacking his way in.

(See Examples.)

Then, by collecting scraps of data from many such contacts, intruders assemble a meaningful picture.


Moving forward together

Our security policies are continually being tested, both by those who are confirming our security and by those who mean us harm.

Security can be quickly and devastatingly breached when your best human impulses are exploited. But if each of us applies policy consistently, a social engineering attempt has nothing to work with. Let's stick together!


Examples

  • A support person receives an urgent request for a "forgotten" password:
    "I don't have access to the company e-mail system at the moment," the caller says. "But I need the information or I'm going to be fired!"
  • Someone dressed in business casual attire engages you in conversation in an elevator lobby on one of our floors. The pleasant conversation moves into confidential territory. You're lulled into a sense of familiarity because your elevator-mate salts the discussion with inside information.
  • Or how about this one: "I rushed out of the house this morning and forgot my photo badge." (Or worse yet, no one says anything at all and you hold the door open for that nice "workmate" as you enter the office.)

Social Engineering Techniques

  • Impersonation - by taking on an assumed role (a colleague, a vendor, a new hire, an executive), the intruder attempts to break down your defenses.
  • Ingratiation - friendliness is used to dissolve resistance.
  • Conformity - designed to make you snap into step with the intruder, because "everyone else" is already cooperating.
  • Sticky fingers - a patient thief can recover revealing information from an easily stolen PDA, laptop, BlackBerry, smartphone, etc.
  • Reciprocation - people feel obligated to share in turn. The attacker gives up a tidbit and expects to win a gem back in return.
  • Eavesdropping - once the social engineer takes on protective coloration, they can linger unchallenged in hallways, elevators and the eating and drinking establishments favored by the target company's employees.

Connecting the dots

Because social engineers work by "connecting the dots," we must guard every scrap of confidential information, not just the pieces that look important on their own.

    Every breach has an impact, and the damage is cumulative. No matter how trivial an inquiry seems to you, it doesn't matter how politely a request is made or how dire the scenario the requester describes: the rules are the same.

    When you're asked to violate policy, be in the moment:
    • Don't rest on assumptions about the identity or status of individuals unknown to you. Verify them.
    • Don't let manufactured urgency divert you from your routine caution. Don't get rushed into doing or saying anything that you'd consider more carefully in a calmer, more dispassionate circumstance.
    • Don't be "nice" at the expense of our security. Social engineering depends on the natural human inclination to please.

    If you have any doubts, take a step back. Avoid being a player in someone's devious game:
    • Take yourself out of the loop. Escalate the request. Retelling the story to someone else often reveals the dubious aspects of an ill-intended request.
    • Don't guess what to do. Consult policy first.

Slow leaks are devastating

    Dumpster diving is a serious threat. Perpetrators sift through corporate trash and come back with pearls: org charts, phone lists, printouts, and notes that give them the inside information they need to sound like one of us.
    • Use the designated disposal repositories to keep confidential information out of the wrong hands.


Tips

  • Vary your passwords. It's tempting to use the same password for a multitude of purposes. But whether your account is corporate or personal, imagine the impact if your "one-size-fits-all" password is compromised: one leak opens every account that shares it.
  • Don't share your passwords with anyone, including callers who claim to be from support.
Further info

Contact us about your security concerns: security@salesforce.com