Proceedings Of The Marine

WIN 2015

Proceedings magazine is a communication tool for the Coast Guard's Marine Safety & Security Council. Each quarterly magazine focuses on a specific theme of interest to the marine industry.

Issue link: https://uscgproceedings.epubxp.com/i/436751


27 Winter 2014 – 2015 Proceedings www.uscg.mil/proceedings

By having these processes in place, if there is an emergency, the person calling will be expecting nothing more and nothing less, and the person answering the telephone will not have the dilemma of having to improvise against standard procedure, as this is an expected eventuality.

About the author: Mr. Ron Schnell is an adjunct professor of computer security at Nova Southeastern University in Ft. Lauderdale, Florida, and a principal at Berkeley Research Group. He has been in the software industry for more than 30 years, having worked at Bell Laboratories, IBM, and Sun Microsystems. He began lecturing at NYU's Courant Institute of Mathematical Sciences in 1981, when he was 14 years old, and travels the world speaking to students, companies, and organizations.

Successful social engineers know this. I've witnessed people gain information or access, despite the highest level of security imaginable, using lingo and confidence. It is extraordinarily difficult for someone to overcome human nature and the desire to be helpful, the tendency to trust, and the fear of getting into trouble.

Process and Procedure

It is possible to maintain an organization or company that can defend against these sorts of attacks, but it requires ongoing training, and trainees must be made very aware of social engineering techniques. Additionally, this training must extend to the lowest-ranking person in the organization, even if that person has no access to sensitive data or capabilities.

Why should someone who doesn't even have access or capabilities be trained for this circumstance? It can be surprising how resourceful someone can be when they think there is an emergency, they fear failure, or believe they have a chance to be a hero. The target can even become an unknowing advocate for the attacker and extend the attack to superiors.
It may seem silly, but regularly performing surprise social engineering attacks on one's own organization is the best way to prepare personnel to deal with such attacks. Military organizations regularly perform drills regarding physical attack, or even cyber attacks. Social engineering attacks should be another sort of drill.

Process and procedure are already important parts of any military organization and most successful companies. But it is important that they account for situations of apparent duress, as well as nominal situations. There should be something in place for when a hysterical person calls with some emergency that would require a departure from the normal procedure to mitigate the situation. This procedure might be to treat it exactly the same as any other request for information or action, even in "life or death" situations, or it could be a streamlined process, as long as the authentication portion doesn't short-circuit certainty.

Red Flags

There are certain red flags that can be apparent during a social engineering attack, including:

Refusing to give contact information: Oftentimes, the attacker will make up an excuse, or even feign a bad connection.

Rushing: If someone is in an inexplicable hurry to get to a conclusion, it can indicate that the person is a bit too eager to finish the telephone call or exchange.

Name-dropping: A social engineering attacker is apt to drop names in addition to lingo, to put the target at ease.

Intimidation: A person with legitimate access would not (or should not) use intimidation to insist on authority, apart from proper procedure.

Staff or personnel should be trained to look for these red flags, in spite of lingo, when evaluating whether a request or command is authentic. They should also be trained to see lingo for what it is — shorthand that bad actors can use against you.
