Network security: The weakest link
By Capt. Theresa Thomas , 39th Communications Squadron information assurance flight chief
/ Published November 29, 2006
INCIRLIK AIR BASE, Turkey --
It's Monday morning and the 39th Communications Squadron information assurance office is flooded with phones calls. The majority of the phone calls deal with common access card personal identification number or user name and password updates. Without support, many accounts would be deleted from the network within 24 hours.
Most computer users are familiar with tactics that exploit network vulnerabilities such as viruses, worms, and Trojan horses, but few are familiar with techniques such as social engineering and phishing scams a.k.a. "Spear Phishing."
Social engineering is a form of intelligence-gathering by people who want to disrupt or cause damage to network resources. Trickery techniques to obtain information may consist of talking, listening, looking, and/or passing themselves off as something else.
"Social engineers use deception, influence and persuasion to get their information," said Senior Master Sgt. Michael Schorn, 39th CS information systems flight superintendent. "They get people to do things they normally would not do. Essentially, it's a hacker's clever manipulation of the natural human tendency to trust."
Social engineering can occur in several forms of human deception with something as simple as a phone call and posing as a person who you feel can be trusted, like someone alleging to be higher ranking, or stating they know a mutual friend.
Social engineering tactics may involve attempts to obtain small amounts of information from several sources, such as old phone books or rosters that give names, titles and phone numbers within an organizational structure.
"Social engineers may target a number of different employees, especially those new to the organization because they do not understand, or may not care about the value of the information released," said Staff Sgt. Rickesia Bryant, 39th CS information assurance office.
Network experts believe social engineers' end result is to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network. How many people bother to check the credentials of someone who shows up to "repair" a computer?
"It's easy to pose as an insider when you know the unit structure and leadership," said Sergeant Bryant.
Fake e-mails, known as phishing scams, are also part of a social engineer's toolkit..
"When you receive an e-mail that appears to come from a legitimate source such as a bank, a credit card company or phony network account, a phishing scam has occurred," said Staff Sgt. Amber Koehler, 39th CS information protection office. "The e-mail may ask for 'verification' of information and warn of some dire consequence if it is not done such as 'your account will be disabled on such date."
The originator may request help to download and install software from a website or request help to forward a document because their computer is broken.
"It can even warn of an event occurring on the network requiring your PIN or password to prevent your account from being disabled or your computer from being disconnected from the network," said Sergeant Koehler. "In every case, the request will appear genuine but usually contain a link to a fraudulent Web page, a form requesting personal information to verify ATM card information or, may ask for PIN or passwords to network accounts."
There are measures every network user can take to protect themselves. The 39th CS network information protection office specializes in protecting the "front door," or firewall, using technology and monitoring tools; while the "back door" is left vulnerable to insider threats. The human vulnerability -- Incirlik's 3,500 network users operating on the inside of the network - is potentially the weakest link.
"While techniques to manipulate people to divulge critical information will continue to exist, network users can protect themselves and the network by applying a few simple rules when computing on a network," said Maj. Michael Cote, 39th CS commander.
The rules are:
-- Never download or run illegal software from someone you do not trust.
-- Never reply to e-mail requests for personal or financial information such as account numbers or passwords. Again, never give out your PIN or password.
-- Never select the option to store passwords in your browsers.
-- Do not open e-mails, links, attachments, or images from senders you do not know.
Always validate the source of the e-mail by contacting the company that is the subject of the e-mail to check that the e-mail is legitimate.
-- Update time compliance network orders (software security patches) as required.
-- Type in a trusted Web address for the company's Web site using the address bar of your Internet browser to bypass the link in the suspected phishing message -- never connect using the Web link in the message.
"The bottom line is network security is everyone's business," said Major Cote. "People must maintain a constant vigilance and exercise caution when dealing with suspicious e-mail whether at home or at work."
It only takes one weak link to create a vulnerability that affects the entire network.
Educational awareness and good network practices will help prevent users from becoming the weakest link. Always practice good operational and computer security --the security of the network and our military operations are relying on it.
If you feel like you are a victim of social engineering or want to report a suspected phishing scam, call the wing information assurance office at 676-6146, or your client systems administrator immediately.