Reach Out & Hack Someone
Provide your users with the right common knowledge so they can practice common sense.
One day a few years ago, I was in the process of performing a remote audit of
a bank's firewall. In the middle of the test, I received a call from the bank's
help desk. I picked up the phone, and was told something to the effect of -- minus
the cursing -- "Stop your social engineering garbage!"
I informed the person that I was doing a straight firewall assessment and that there was no social engineering. They loudly implied, again with lots of colorful language, that I was lying. I then asked them why they thought I was social engineering them. Their response: "Because you do that social engineering stuff!"
I asked them what they were specifically talking about. They told me that someone called up their help desk asking what type of software they were using for a few critical applications. I asked, "What did you do in response?"
I have yet to be turned down when I’ve
requested a password over the phone.
They told the caller that they would find out the information and give them
a call back. I asked them again as to why they thought it was me. They told
me that the number that the caller gave was a fake, and that it must have been
me doing social engineering. I again told them that it wasn't me. Luckily, someone
from the bank was at my location to oversee the test. I put that person on the
phone, who assured them I was not doing any social engineering.
When I was back on the phone, they asked if the other call was a real attack. I told them that it probably was, and congratulated them for doing the right thing. I wondered, though, what would have happened if they didn't know a firewall assessment was in process and that I was personally involved; they were clearly on heightened alert for any potential attacks.
Social engineering is an overly sophisticated term used by people to describe
lying on the part of a hacker. Basically, hackers are looking for a way to obtain
access to computer systems when technical efforts alone won't succeed. It's most
often used to con users out of their passwords, get help desks to manipulate accounts
on their behalf to facilitate access or to obtain information about technical
architecture that would facilitate an attack.
The deed is most often done through telephone calls to obtain information. Depending on the circumstances, however, it can be more broadly defined to include any non-technical attacks, including on-site visits where the hacker tries to physically collect information. While this usually involves dumpster diving, where the attacker goes through the trash to look for information, an attacker may try to get into facilities. If that happens, they can do anything from looking for passwords taped to PC monitors to accessing unattended computers and planting spyware on systems.
Whether the attacks are physical or over the phone, they're possible because
of failings in an organization's behaviors. Your security policies might be
adequate to thwart such attacks, but the reality of how they're implemented
could leave you exposed.
Remember, no matter how good your technical security posture is, your organization can be compromised through human failings. That could mean a specific person failing to comply with practices, or management executing flawed processes.
In my previous article ("Dumb
and Dumber," March 2005), I described some of the most egregious security
lapses I've seen in my years as a penetration tester. Many readers recounted
similar failings in their own organizations, situations that defy common sense.
Clearly, everyone should know that you just don't give out a password to a stranger
on the phone, or tape a password to a monitor. A basic principle, however, holds
that you can't have common sense without common knowledge. The average user
just doesn't have a base of common knowledge to exercise that common sense.
Basic Common Knowledge
To prevent users from falling prey to social engineering attacks, you need to
make sure they have a firm base of common knowledge -- then they can exercise
common sense. What seems obvious to someone in the industry may not be obvious
at all to a layperson. And, frankly, even most people in the industry don't
have an acceptable level of common knowledge.
A Common-Knowledge Primer
With that in mind, here are some foundational common knowledge concepts to get
across to your users:
No. 1: The Bad People Will Target You
People know about hackers, and most are aware that some inside their own organization
might not be trustworthy. Where they fail is in their belief that it will never
happen to them.
An individual's position within a company is almost irrelevant. Some people are in positions where they have a lot of access, and they will be targeted. Other people just provide a random access point for an attacker; if the hacker can compromise a low-level account, he can then use that as a foothold for crimes or other attacks. This may sound obvious, but few people realize -- or at least acknowledge -- this.
No. 2: People Lie
Again, this seems obvious, but many people just accept the voice on the other
side of a telephone and give them what they ask for. I have yet to be turned
down when I've requested a password over the phone. On average, my team and
I find that maybe one person in 100 actually challenges a request for sensitive
information during one of our penetration tests. Anyone can call up claiming
to be anyone. They can ask for anything, and even the most innocuous call can
be part of a major attack.
No. 3: The Bad Guys Aren't Geniuses
While the overall attacks seem sophisticated, they're not the result of some
sort of criminal mastermind. The attacks are successful because the victims
leave themselves vulnerable. The success is dependent on the luck or tenacity
of the criminal, not his genius. They either stumble on a vulnerability or they
keep trying until they find one. Either way, it's usually a vulnerability or
the user's naiveté -- using something as simple as "password" for
their password -- that enables the attacks.
No. 4: Sweat the Small Stuff
Because it's often the small problems that enable attacks, it makes sense to
address those small problems. Take away the low-hanging fruit for attackers
to target, and they'll have to move onto other targets. This, in turn, forces
them to look for more difficult-to-exploit vulnerabilities. That means that
they put themselves at more risk of being detected.
Instilling Common Knowledge
While the list above isn't comprehensive, it's enough to get you started. If
your organization can grasp and act on these issues, security will improve almost
immediately. Here's how to do it.
Keep It Simple
The reason cars are relatively safe is that people know the basic rules of the
road. Red means stop. Green means go. Speed limit signs have a number and say
"Speed Limit." Pretty easy to understand … it's when the signs get
complicated that problems occur.
In the same way, you need to offer simple guidance. Over the years, I've come to believe that sometimes you have to stop trying to say "why" and just say "what." Limit your guidance to what people must and must not do. Sure, you can try to tell people that there are bad guys out there, but the truth is that it doesn't matter.You have to let them know what behaviors are acceptable, and make it clear that there could be a penalty for not following procedures.
is dependent on the luck or tenacity of the criminal. They either
stumble on a vulnerability or they keep trying until they find one.
I recommend creating bulleted lists of up to eight different behaviors that
people should or shouldn't do. The bullets must be simple and clear: "Never
give out your passwords over the phone." "Lock your desk at the end
of the day." Let there be no chance of misunderstanding the requirement.
Consider a statement that says, "As appropriate, your supervisor will be
responsible for verifying that you adhere to security procedures." Workers
are much more likely to learn the rules if they believe they'll be tested on
You should also acknowledge that people make mistakes. Have a policy stating that if there's a security incident, and it's properly reported, there will be amnesty, while a cover-up will result in harsher penalties. Don't go into the "Why." Even if people understand the why, they don't think it will happen to them.
Get Executive Support
A great many things that administrators and general security staffs need to do
require funding and management support. Remember that you're trying to change
the culture of the organization. Getting people to prominently wear their ID badges
can be a challenge, and you may need a jumpstart to get it going.
For this, consider a company-wide letter from the CEO. It gives you authority to take the necessary actions, and deal with complaints from end users reluctant to change their work habits.
Make It Easy to Do the Right Thing
you can try to tell people that there are bad guys out there, the
fact is that it doesn’t matter.
When possible, ease the burden on users. This means, for example, buying and putting
in lots of shredders -- even by every desk if possible. It means including a screensaver
password lock on the default configurations of organizational computers, so users
don't have to figure it out for themselves. It means considering single sign-on
and multifactor authentication, or other similar technologies. This can eliminate
the need for passwords and drastically reduce the effectiveness of social engineering
attacks. It means something as simple as providing enough cabinet space so that
people have enough room to lock up their materials at the end of the day.
I firmly believe that most people want to do the right thing. Unfortunately, even when they have the right common knowledge, there are many cases where it's logistically impossible to do the right thing.
Repeat After Me: Repetition
While a listing of specific behaviors is crucial, it's important to reinforce
the message as often as you can. In the intelligence world, there are stickers
on the phones reminding people not to disclose classified information to outside
phones. In one large company, I saw posters in an elevator reminding people
to take off their badges as they leave the building. AOL constantly tells users
that AOL will never ask for their password. These simple reminders are generally
placed where they'll be seen, and where they're most relevant. Your organizations
should look for similar opportunities to instill this common knowledge.
Technology Is Your Friend
While social engineering attacks target human weaknesses in one form or another,
there are a lot of technologies that can limit or possibly prevent damage after
a successful social engineering attack, including:
- If a user discloses their password, wouldn't it be great if your system
looked at where a logon was coming from, and alerted you that a user was coming
from an outside location, or was possibly logged on twice? Some intrusion
detection software can do that, as well as looking for abnormal behavior.
- Multifactor authentication renders a compromised password mostly useless.
- Internal network segmentation can limit the damage a compromised account
can do, as can assigning user accounts only the access privileges they need.
As you can see from just a few examples, there are many opportunities for technology to contain social engineering.
Practice Common Sense
Securing the enterprise is an endless task, but it's clear that better education
will help users limit the danger created by social engineering attacks. Every
organization is different, and you need to tailor your security awareness strategies
to your own environment. Of course, in enterprise settings there are usually multiple
environments within an environment, and you may need different strategies to address
each of them.
When I began working at the NSA, my security awareness indoctrination was several days long. But it may
surprise you to learn that even there -- a highly secretive national intelligence agency -- there was nothing special about the training we received. It was just very detailed about very basic security precautions, like taking off
your badge when you leave the facilities, not taking
out classified materials, not discussing work outside of work and so on. We weren't personally taught how to perform bug sweeps; we were just reminded what we were expected to do.
In that setting, of course, you could go to jail for security compromises.
But using the same tactics with your own user awareness programs can have a
great effect. It's unlikely that your organization is going to institute three
days of security awareness training, but you can put the other elements in place.
Just make sure that those elements are very basic, and focus on the expected
behaviors. And teach them to answer the phone without swearing at people who
they think are trying social engineering attacks!