In-Depth

Reach Out & Hack Someone

Provide your users with the right common knowledge so they can practice common sense.

One day a few years ago, I was in the process of performing a remote audit of a bank's firewall. In the middle of the test, I received a call from the bank's help desk. I picked up the phone, and was told something to the effect of -- minus the cursing -- "Stop your social engineering garbage!"

I informed the person that I was doing a straight firewall assessment and that there was no social engineering. They loudly implied, again with lots of colorful language, that I was lying. I then asked them why they thought I was social engineering them. Their response: "Because you do that social engineering stuff!"

I asked them what they were specifically talking about. They told me that someone called up their help desk asking what type of software they were using for a few critical applications. I asked, "What did you do in response?"

They told the caller that they would find out the information and give them a call back. I asked them again why they thought it was me. They told me that the number the caller gave was a fake, and that it must have been me doing social engineering. I again told them that it wasn't me. Luckily, someone from the bank was at my location to oversee the test. I put that person on the phone, who assured them I was not doing any social engineering.

When I was back on the phone, they asked if the other call was a real attack. I told them that it probably was, and congratulated them for doing the right thing. I wondered, though, what would have happened if they didn't know a firewall assessment was in process and that I was personally involved; they were clearly on heightened alert for any potential attacks.

Con Game
Social engineering is an overly sophisticated term for lying on the part of a hacker. Basically, hackers are looking for a way to obtain access to computer systems when technical efforts alone won't succeed. It's most often used to con users out of their passwords, to get help desks to reset or modify accounts on the attacker's behalf, or to obtain information about the technical architecture (software versions, network layout, naming conventions) that would make a later technical attack easier.

The deed is most often done through telephone calls to obtain information. Depending on the circumstances, however, it can be more broadly defined to include any non-technical attacks, including on-site visits where the hacker tries to physically collect information. While this usually involves dumpster diving, where the attacker goes through the trash to look for information, an attacker may try to get into facilities. If that happens, they can do anything from looking for passwords taped to PC monitors to accessing unattended computers and planting spyware on systems.

Whether the attacks are physical or over the phone, they're possible because of failings in an organization's behaviors. Your security policies might be adequate to thwart such attacks, but the reality of how they're implemented could leave you exposed.

Remember, no matter how good your technical security posture is, your organization can be compromised through human failings. That could mean a specific person failing to comply with practices, or management executing flawed processes.

In my previous article ("Dumb and Dumber," March 2005), I described some of the most egregious security lapses I've seen in my years as a penetration tester. Many readers recounted similar failings in their own organizations, situations that defy common sense. Clearly, everyone should know that you just don't give out a password to a stranger on the phone, or tape a password to a monitor. A basic principle, however, holds that you can't have common sense without common knowledge. The average user just doesn't have a base of common knowledge to exercise that common sense.

Basic Common Knowledge
To prevent users from falling prey to social engineering attacks, you need to make sure they have a firm base of common knowledge -- then they can exercise common sense. What seems obvious to someone in the industry may not be obvious at all to a layperson. And, frankly, even most people in the industry don't have an acceptable level of common knowledge.

A Common-Knowledge Primer
With that in mind, here are some foundational common knowledge concepts to get across to your users:

No. 1: The Bad People Will Target You
People know about hackers, and most are aware that some inside their own organization might not be trustworthy. Where they fail is in their belief that it will never happen to them.

An individual's position within a company is almost irrelevant. Some people are in positions where they have a lot of access, and they will be targeted. Other people just provide a random access point for an attacker; if the hacker can compromise a low-level account, he can then use that as a foothold for crimes or other attacks. This may sound obvious, but few people realize -- or at least acknowledge -- this.

No. 2: People Lie
Again, this seems obvious, but many people just accept the voice on the other side of a telephone and give them what they ask for. I have yet to be turned down when I've requested a password over the phone. On average, my team and I find that maybe one person in 100 actually challenges a request for sensitive information during one of our penetration tests. Anyone can call up claiming to be anyone. They can ask for anything, and even the most innocuous call can be part of a major attack.

No. 3: The Bad Guys Aren't Geniuses
While the overall attacks seem sophisticated, they're not the result of some sort of criminal mastermind. The attacks are successful because the victims leave themselves vulnerable. The success is dependent on the luck or tenacity of the criminal, not his genius. They either stumble on a vulnerability or they keep trying until they find one. Either way, it's usually a vulnerability or the user's naiveté -- using something as simple as "password" for their password -- that enables the attacks.

No. 4: Sweat the Small Stuff
Because it's often the small problems that enable attacks, it makes sense to address those small problems. Take away the low-hanging fruit for attackers to target, and they'll have to move onto other targets. This, in turn, forces them to look for more difficult-to-exploit vulnerabilities. That means that they put themselves at more risk of being detected.

Instilling Common Knowledge
While the list above isn't comprehensive, it's enough to get you started. If your organization can grasp and act on these issues, security will improve almost immediately. Here's how to do it.

Keep It Simple
The reason cars are relatively safe is that people know the basic rules of the road. Red means stop. Green means go. Speed limit signs have a number and say "Speed Limit." Pretty easy to understand … it's when the signs get complicated that problems occur.

In the same way, you need to offer simple guidance. Over the years, I've come to believe that sometimes you have to stop trying to say "why" and just say "what." Limit your guidance to what people must and must not do. Sure, you can try to tell people that there are bad guys out there, but the truth is that it doesn't matter. You have to let them know what behaviors are acceptable, and make it clear that there could be a penalty for not following procedures.

I recommend creating bulleted lists of up to eight different behaviors that people should or shouldn't do. The bullets must be simple and clear: "Never give out your passwords over the phone." "Lock your desk at the end of the day." Let there be no chance of misunderstanding the requirement. Consider a statement that says, "As appropriate, your supervisor will be responsible for verifying that you adhere to security procedures." Workers are much more likely to learn the rules if they believe they'll be tested on them.

You should also acknowledge that people make mistakes. Have a policy stating that if there's a security incident, and it's properly reported, there will be amnesty, while a cover-up will result in harsher penalties. Don't go into the "Why." Even if people understand the why, they don't think it will happen to them.

Get Executive Support
A great many things that administrators and security staff need to do require funding and management support. Remember that you're trying to change the culture of the organization. Getting people to prominently wear their ID badges can be a challenge, and you may need a jumpstart to get it going.

For this, consider a company-wide letter from the CEO. It gives you authority to take the necessary actions, and deal with complaints from end users reluctant to change their work habits.

Make It Easy to Do the Right Thing
When possible, ease the burden on users. This means, for example, buying and putting in lots of shredders -- even by every desk if possible. It means including a password-protected screensaver lock in the default configuration of organizational computers, so users don't have to figure it out for themselves. It means considering single sign-on, multifactor authentication or similar technologies: single sign-on cuts the number of passwords a user has to remember (and is therefore tempted to write down or share), and multifactor authentication means a password alone is not enough to log on, which drastically reduces what a social engineer gains by talking one out of a user. It means something as simple as providing enough cabinet space so that people have room to lock up their materials at the end of the day.

I firmly believe that most people want to do the right thing. Unfortunately, even when they have the right common knowledge, there are many cases where it's logistically impossible to do the right thing.

Repeat After Me: Repetition
While a listing of specific behaviors is crucial, it's important to reinforce the message as often as you can. In the intelligence world, there are stickers on the phones reminding people not to discuss classified information on outside lines. In one large company, I saw posters in an elevator reminding people to take off their badges as they leave the building. AOL constantly tells users that AOL will never ask for their password. These simple reminders are placed where they'll be seen, and where they're most relevant. Your organization should look for similar opportunities to instill this common knowledge.

Technology Is Your Friend
While social engineering attacks target human weaknesses in one form or another, there are a lot of technologies that can limit or possibly prevent damage after a successful social engineering attack, including:

  • Logon monitoring. If a user discloses their password, the attacker still has to use it, and that use leaves a trail. Your systems can look at where each logon comes from and alert you when an account authenticates from an outside address, appears to be logged on from two places at once, or logs on at an hour the user never works. Some intrusion detection and log-monitoring products do this, along with flagging other abnormal behavior.
  • Multifactor authentication renders a compromised password mostly useless, because the attacker still lacks the second factor.
  • Internal network segmentation can limit the damage a compromised account can do, as can assigning user accounts only the access privileges they need. A help desk clerk's account that was conned out of its password should not be a path to the core banking servers.
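The logon-monitoring bullet above is the kind of check that can be written in a few dozen lines against ordinary authentication logs. The following is an added example, not code from the article or from any product it mentions. The log format (`timestamp user source_ip result`), the sample lines, the internal address ranges, the 10-minute concurrency window and the 07:00-19:00 business hours are all assumptions made up for the example; a real deployment would read these from the authentication server's actual log format and the organization's own address plan.

```python
"""Flag logons that suggest a disclosed password: external source address,
the same account active from two addresses inside a short window, or an
off-hours logon. Added example with constructed data; not from the article."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). Format assumed:
# "<ISO timestamp> <user> <source IP> <success|failure>"
SAMPLE_LOG = """\
2005-03-14T08:55:10 jsmith 10.20.1.15 success
2005-03-14T09:02:41 jsmith 10.20.1.15 success
2005-03-14T09:05:03 jsmith 203.0.113.77 success
2005-03-14T09:07:19 mlee 10.20.4.8 success
2005-03-14T09:07:25 mlee 10.20.4.8 failure
2005-03-14T09:09:00 hdesk 10.20.9.2 success
2005-03-14T09:10:30 hdesk 10.20.9.3 success
2005-03-14T23:30:00 jsmith 10.20.1.15 success
"""

# Assumed internal address space; replace with the real address plan.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
CONCURRENT_WINDOW = timedelta(minutes=10)   # assumed tuning value
BUSINESS_HOURS = (7, 19)                    # assumed 07:00-19:00 local


def parse_line(line):
    """Parse one log line into a dict; raises ValueError on a malformed line."""
    ts, user, ip, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "ip": ipaddress.ip_address(ip), "result": result}


def is_internal(ip, nets=INTERNAL_NETS):
    """True if the address falls inside one of the internal ranges."""
    return any(ip in net for net in nets)


def detect(log_text, nets=INTERNAL_NETS, window=CONCURRENT_WINDOW,
           hours=BUSINESS_HOURS):
    """Return a chronological list of alert dicts for successful logons that
    came from outside, overlapped with a session from another address, or
    happened off-hours. Failed attempts are ignored here (they belong in a
    separate brute-force check)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])       # do not trust log order
    alerts = []
    recent = defaultdict(list)                # user -> [(ts, ip)] within window

    for ev in events:
        if ev["result"] != "success":
            continue
        user, ip, ts = ev["user"], ev["ip"], ev["ts"]

        if not is_internal(ip, nets):
            alerts.append({"kind": "external_logon", "user": user,
                           "detail": str(ip), "ts": ts})

        # Keep only this user's logons still inside the concurrency window,
        # then look for one from a different address.
        recent[user] = [(t, a) for t, a in recent[user] if ts - t <= window]
        for t, other in recent[user]:
            if other != ip:
                alerts.append({"kind": "concurrent_logon", "user": user,
                               "detail": f"{other} and {ip}", "ts": ts})
                break
        recent[user].append((ts, ip))

        if not (hours[0] <= ts.hour < hours[1]):
            alerts.append({"kind": "off_hours_logon", "user": user,
                           "detail": ts.strftime("%H:%M"), "ts": ts})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['ts']:%Y-%m-%d %H:%M:%S} {a['kind']:17} {a['user']:7} {a['detail']}")
```

On the constructed log this raises four alerts: jsmith's 09:05 logon from 203.0.113.77 is flagged both as external and as concurrent with his 09:02 session from 10.20.1.15, the hdesk account is flagged for being active from two internal machines within two minutes, and jsmith's 23:30 logon is flagged as off-hours. The external and concurrent hits are exactly what a password given away over the phone looks like from the server side; the off-hours rule is the noisiest of the three and is the one to tune first against real data.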

As you can see from just a few examples, there are many opportunities for technology to contain social engineering.

Practice Common Sense
Securing the enterprise is an endless task, but it's clear that better education will help users limit the danger created by social engineering attacks. Every organization is different, and you need to tailor your security awareness strategies to your own environment. Of course, in enterprise settings there are usually multiple environments within an environment, and you may need different strategies to address each of them.

When I began working at the NSA, my security awareness indoctrination was several days long. But it may surprise you to learn that even there -- a highly secretive national intelligence agency -- there was nothing special about the training we received. It was just very detailed about very basic security precautions, like taking off your badge when you leave the facilities, not taking out classified materials, not discussing work outside of work and so on. We weren't personally taught how to perform bug sweeps; we were just reminded what we were expected to do.

In that setting, of course, you could go to jail for security compromises. But using the same tactics with your own user awareness programs can have a great effect. It's unlikely that your organization is going to institute three days of security awareness training, but you can put the other elements in place. Just make sure that those elements are very basic, and focus on the expected behaviors. And teach them to answer the phone without swearing at people who they think are trying social engineering attacks!
