Five things you should know about Social Engineering

March 22, 2010

You’ve seen it in movies, you’ve read about it in books. The bad guy fakes his way into a bank by wearing a UPS uniform. The good guy pretends to be a person of authority and bullies an unsuspecting person on the phone until he gets the information he needs.

Social engineering is not new, but it is still widely misunderstood, and it must be a part of your organization’s overall information security strategy.

When we define information security, we say that it is a business goal, and that it is about people.

When we define social engineering, we say that it doesn’t target servers or PCs – it targets people.

I’ll let you draw your own parallel between those two statements.

We run social engineering assignments very regularly, and they make for great – sanitized – stories to share during seminars and public speaking engagements. A quick example: I once ran a phone-based engagement against a financial institution from Massachusetts. The day before, the ISO told me how they had trained all their employees and that they were very confident. The next day, I had 75 user IDs and corresponding passwords 15 minutes after sending a fake email to their employees. That ISO? She felt less confident once I shared those results with her!

Let’s look at the five things that you should know about social engineering:

1. What is Social Engineering, anyway?

Social engineering is the art of targeting people – instead of servers, routers, firewalls or databases – to gain access to confidential information. Simply put: I can spend the time it takes to run a full brute force attack against a server to try and crack passwords – or I can pick up the phone and ask a user! In my experience, the latter is much quicker, and for hackers, quicker is better.

2. What can I do to test my organization against social engineering activities?

You should run a social engineering test at least once a year. The tests are usually a combination of three different vectors of attack: web-based, phone-based and in person.

In a web-based test, users are confronted with a site that looks like their organization’s legitimate site, and are asked to provide their network user ID and password under some pretense.

In phone-based engagements, we call unsuspecting employees and attempt to make them do something that violates policy: sharing a password, running commands on their computer, etc…

During physical security engagements, we try to gain access to areas of the building that are not open to the public. We attempt to plant a key logger without being noticed. We check the trash cans to see if any confidential information can be recovered.

Regardless of the scenario used, it is important that the social engineer be experienced so that the test can be seen as a realistic assessment of the security posture of the organization. For large-scale engagements, for example, we use a former CIA operative. Unfair, you say? So are malicious hackers!

3. It’s not a level playing field.

Your employees are busy with running whatever business processes are assigned to them. On top of that, they have to remain security-aware. Our social engineers only focus on how to trick people. It’s not a level playing field, to say the least! We need to understand and accept that fact so that we can set our employees up for success by creating an elaborate and customized social engineering strategy that meets the organization’s business and security goals.

4. What your social engineering strategy should include.

Your information security strategy should feature a dedicated social engineering section. In that section, the most effective components are policy creation, training and testing.

Your organization should have social engineering-specific policies, including some that govern the use of social media. It is so easy to target and connect with employees through Twitter, LinkedIn and Facebook, to name but a few, that social media have become a very lucrative attack surface for hackers: the job titles, reporting lines and vendor relationships posted there are exactly the pretext material a phone-based attacker needs.

Once policies and their supporting procedures have been created, your users must receive training so that they are both aware of the issue, and know how to respond per the appropriate approved policies. This is what we mean by setting them up for success.

Once the training has been provided, it’s time to test the employees to ensure that the policies work under “live fire”, and that the salient points of the training are ingrained in their consciousness. Wow, that last part sounded almost Orwellian!

5. What if my organization fails the test miserably?

Rejoice! First of all, you’re in good company. We can’t talk about the rest of the industry, but in our experience, we have never been shut down. Second of all, that’s the point of testing, to ascertain which areas need to be worked on additionally so that we can alter the policies if need be, and provide more targeted – and therefore more efficient – training to employees. This test you can afford to fail. The live one against a malicious social engineer, however…

In closing, I would like to remind you that, because social engineering targets people, there is a very real cultural dimension of which to be cognizant. You want to make sure that when you set up the engagement(s), you do so in a way that does not make employees feel like they were ruthlessly tricked.

The goal is not to create resentment – it’s to continually improve the organization’s security posture. We cannot reach this goal without the active participation of the employees! We specialize in crafting solutions that provide realistic, actionable findings while not placing in jeopardy the trust that exists between employees and management.

So ask yourself this: how do you feel your organization would fare if it were confronted with a malicious social engineer?

While it has definitely received the Hollywood treatment, a good movie to watch to see some social engineering techniques is Sneakers. For one thing, it features an all-star cast with the likes of Robert Redford, Sidney Poitier, the late River Phoenix, Dan Aykroyd and Ben Kingsley. For another, the technical consultant for that movie is none other than the ex-CIA operative I mentioned earlier on, which brought to the film an undeniable “real-world” quality.


Five things any business owner should know about penetration testing

March 17, 2010

Penetration testing is part mystique, part business tool. Tell people at the local watering hole that you are an ethical hacker, and that you hack networks at their owners’ request to identify security vulnerabilities and assist them with remediation, and they start looking at you funny. Go ahead, try it sometime. It’s fun. You’ll also notice that they never quite hear the word “ethical” on the first try!

But beyond this, a penetration test is a very useful business tool, yet there are still many misunderstandings about it. So without further ado, let’s quickly review the five things that any business owner should know about penetration testing.

1. What is a penetration test?

A pen test is a business tool through which you evaluate the point-in-time security posture of a target host or environment. In plain English, it tells you how well a computer or a network would stand up to a malicious hacker’s attacks. Because the pen tester uses real-world tools and tactics against the target scope, the test replicates what real attacks would put your network through and provides realistic, valuable findings.

2. Not all pen tests are created equal.

The value of a pen test is bounded by the experience of the person who conducts it. While there are many script kiddies out there (malicious hackers who run ready-made tools downloaded from the Internet with little understanding of what they do or how they do it), there are also very powerful and knowledgeable hackers whose techniques, dedication, skill and intelligence are remarkable. For the pen test to have any meaning, and therefore any business value, make sure that the pen tester is someone whose talents and skills in the trade are well documented.

A “bad pen test” with results that shouldn’t be trusted is probably more dangerous to an organization than no pen test at all!

Another important difference between pen tests in terms of value resides in the quality and usefulness of the deliverables. Simply put, the report with which you are presented should be a useful business tool. Make sure that it addresses all the relevant audiences in your organization, that it is not an unwieldy 100-pound, 1000-page behemoth and that it contains actionable remediation information.

3. How often should penetration tests be conducted?

The short answer: at least once a year, you should have both an internal and an external penetration test done.

Note that many organizations fall under different mandates, some at the state and/or federal level, others at the commercial level, that may dictate the actual regularity of when penetration tests should be conducted.

The reasonable, cost-effective solution seems to be to have one full-out pen test a year, followed by a smaller test 6 months later to verify that the remediation activities that took place after the large test were successfully carried out.

4. What are the different types of penetration tests?

A quick overview would single out the following types:

a. External Pen Test: because some of your computers face the Internet directly, they can be reached both legitimately and maliciously from anywhere in the world, and are therefore more exposed than the computers that reside on your internal network. Typically, an external pen test will target your firewall(s), your web and mail servers, maybe a remote access server such as a VPN concentrator, etc… the idea here is that anyone, anywhere can at any time probe these servers to determine whether they are plagued by vulnerabilities and can be taken over. If such vulnerabilities exist, you need to know about them as fast as possible so that you can proceed with appropriate remediation and remove the risk these vulnerabilities represent to your business.

b. Internal Pen Test: a widely quoted FBI statistic published several years ago put the share of hacking attacks originating inside companies at around 80%. Whatever the exact proportion, insiders, infected laptops and compromised remote-access accounts all end up on your internal network, so it’s important to make sure that the computers that are critical to the business are tested regularly from the inside as well.

c. Application Test: an app test is a security test that targets an application or program. The idea is to make sure that the data is always protected, whether it is at rest, in transit or being processed, that unauthorized users can’t get access to the data, and that authorized users cannot gain more access to the application and the data it contains than their security profile should allow.

d. Vulnerability Assessment: a VA is essentially the first stage of a pen test run on its own: the same discovery and scanning activities, but the vulnerabilities identified are not validated by attempting to exploit them. The report that sums up the findings may therefore include false positives, and it will miss anything that only becomes visible once an attacker has gained a foothold. Because a VA takes a lot less time to conduct than a pen test, it tends to be a lot less expensive – but it provides correspondingly less assurance.

5. What business value can I expect to derive from a penetration test?

There are several answers to this question – and they may not all be pertinent to all organizations.

a. Compliance: simply put, many organizations are mandated to have pen tests done every year.

b. Peace of mind: critical assets to your business should be tested. It allows you to not worry about being front page news as the next victim of a data breach.

c. Due diligence: if a breach does occur despite your best efforts, it is always productive to be able to show due diligence! Proving that reasonable efforts had been made prior to a hacking event always lowers the cost of dealing with the breach – and may also lower the actual loss of goodwill and reputation to the business.

d. Legal liability: your clients trust you with their information. If this information falls into the wrong hands, especially because of a data breach, you can expect law suits to be filed against your organization. As noted above, being able to demonstrate due diligence and reasonable security measures is always a plus. Furthermore, a federal regulation such as HITECH includes the possibility of criminal charges against negligent entities and their representatives in case of non-compliance.

There is a saying in the industry that the cost of having a pen test done is always lower than the risk of being in business without having one done regularly. While I could be perceived as a biased entity, I cannot help but agree. Not only because my firm provides ethical hacking services, but also because that statement is firmly grounded in common sense.

So… when’s the last time your network was tested? By an ethical hacker, that is…


Five things you should know about encryption… for non geeks!

March 3, 2010

When most people wake up in the morning, somehow, encryption is not the premier thought on their mind. I know, I know, this statement may come as a shock to you.

Most people probably even believe that they could go an entire lifetime without ever thinking once about what encryption is, and what it can do for them.

Some people, I tell you.

The truth is simple: if you are in business, you don’t have to be an encryption expert, but there are 5 things that you should know about encryption.

Before we proceed, here’s a quick primer on how to think about your data.

Understanding data states.

Data resides in different states, including at rest, in transit, or in use.

An example of data “at rest” is a Word document not currently open, but saved to the hard drive on your laptop.

An example of data in transit is that same Word document, attached to an email, on its way to your sister-in-law’s email inbox after you clicked on “send”.

An example of data in use is a computer program that processes information that resides in a backend database.

Understanding threats to the data.

Each state includes inherent risk to the data being used:

That data could be pilfered by an unauthorized third-party (a loss of data confidentiality.)

The data could be corrupted by a virus (a loss of data integrity.)

This data could be erased by malware or a malicious internal user (loss of data availability.)

Protecting the confidentiality, integrity and availability of data assets is what information security is all about.

Understanding data classification.

Data classification is the concept of assigning a confidentiality rating to all data assets. This is the concept to which all the “TOP SECRET” stuff you see in movies is linked. The idea is simple:

Look at each data asset your organization owns, and then decide:

1. “I don’t care who or what sees this information.” It’s safe to say that this data asset can be classified as “Public” as no harm will come to you or your organization if this information were to be read by a third-party.

2. “I want some of my business partners and some of my internal resources to see this information, but not everybody out there.” In this case, the data asset can be classified as “Confidential – Third Party”.

3. “I don’t want anyone but my internal resources to see this information.” This calls for a data classification level of “Confidential”.

Why bother with all this work? Tagging each data asset with a classification rating allows you to decide quickly, in the course of doing business, whether an asset should be shared or not – and with whom. For example, you could decide that all Word document names will from now on carry a prefix of C_, C3_ or P_. If a document used to be called 2010_financial_statements.docx, you could rename it to C_2010_financial_statements.docx. That way, even if you do not know the contents of the document, you can tell just by looking at the file name whether it may be shared freely or not. Treat any file that carries no tag as Confidential until someone classifies it. This is a simple and effective control against inadvertent data breaches.
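The prefix convention above is simple enough to enforce mechanically. The following Go program is an added example, not code from the original post or from The InfoSec Group; it assumes the three levels and the C_, C3_ and P_ prefixes described above and adds two rules the post implies but does not spell out: only the file’s own base name is read (a folder called C_archive does not label the files inside it), and a file with no tag fails closed and is treated as Confidential. The audience names and the sample file names are constructed for the example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Classification levels as the post defines them.
type Classification int

const (
	Public Classification = iota
	ConfidentialThirdParty
	Confidential
)

// Audience is who a file is about to be sent to (names are assumptions).
type Audience int

const (
	Anyone Audience = iota
	BusinessPartner
	Internal
)

// Filename prefixes from the post, longest first so "C3_" is never read as "C_".
var prefixes = []struct {
	tag   string
	level Classification
}{
	{"C3_", ConfidentialThirdParty},
	{"C_", Confidential},
	{"P_", Public},
}

func (c Classification) String() string {
	switch c {
	case Public:
		return "Public"
	case ConfidentialThirdParty:
		return "Confidential - Third Party"
	}
	return "Confidential"
}

// ParseLabel reads the prefix from the file's base name only, so a directory
// named C_archive does not label the files inside it. The second return value
// reports whether a label was present at all.
func ParseLabel(path string) (Classification, bool) {
	base := strings.ToUpper(filepath.Base(path))
	for _, p := range prefixes {
		if strings.HasPrefix(base, p.tag) {
			return p.level, true
		}
	}
	return Confidential, false // unlabeled files fail closed
}

// MayShare decides whether a file may go to the given audience.
func MayShare(path string, to Audience) bool {
	level, _ := ParseLabel(path)
	switch level {
	case Public:
		return true
	case ConfidentialThirdParty:
		return to == BusinessPartner || to == Internal
	default:
		return to == Internal
	}
}

// Label returns the base name with the prefix for level applied, replacing
// any existing label so a file never carries two conflicting tags.
func Label(path string, level Classification) string {
	base := filepath.Base(path)
	if _, labeled := ParseLabel(base); labeled {
		base = base[strings.Index(base, "_")+1:]
	}
	for _, p := range prefixes {
		if p.level == level {
			return p.tag + base
		}
	}
	return base
}

func main() {
	// Constructed sample file names; the first one is deliberately untagged.
	for _, f := range []string{
		"2010_financial_statements.docx",
		"C_2010_financial_statements.docx",
		"C3_vendor_contract.pdf",
		"P_press_release.docx",
	} {
		level, labeled := ParseLabel(f)
		fmt.Printf("%-34s %-26s labeled=%-5t partner=%-5t anyone=%t\n",
			f, level, labeled, MayShare(f, BusinessPartner), MayShare(f, Anyone))
	}
	fmt.Println(Label("2010_financial_statements.docx", Confidential))
}
```

The same check belongs wherever files leave the organization: an email gateway or file-transfer script can call MayShare before an attachment goes out, and the fail-closed default means an untagged document is blocked rather than leaked while someone decides what it is.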

Five things you should know about encryption:

1. Confidential and Confidential/3rd-Party data should be protected – i.e. encrypted – regardless of the state in which it currently finds itself. Hackers are equal-opportunity criminals. If your data is encrypted at rest, but not in transit, they will go after it while in transit.

2. Rule of thumb: within a given algorithm, a longer key is harder to brute-force, so AES with a 256-bit key is stronger than AES with a 128-bit key, and you should not accept a symmetric key shorter than 128 bits. Key length is only comparable within the same algorithm, though: a 128-bit AES key is roughly as strong as a 3072-bit RSA key, and no key length helps if the implementation is flawed or the key is stored next to the data it protects. Ask the vendor which algorithm and key size they use, not just “how many bits”.

3. You should have a clear, realistic, enforced and published corporate encryption policy – and supporting procedures – that dictate how data is to be protected. Then you should train your users and make sure that the policy reinforces your business processes – as opposed to hinder them – so as to maximize employee adoption.

4. When in doubt, ENCRYPT! Many good encryption solutions are free, so cost is no reason NOT to encrypt. What you cannot skip is managing the keys: decide who holds them, where they are stored (never alongside the data they protect) and how the data is recovered if the one person who knows the passphrase leaves.

5. Confidential data should never be placed on a mobile device – laptop, phone, PDA, etc… But if the organization has a legitimate business need that requires it, then said confidential data MUST be encrypted.

In conclusion…

Data should be classified in terms of its criticality and confidentiality. Confidential data should be encrypted regardless of the state in which it finds itself, and understand that the state of the same data item changes over time: the document at rest on a laptop is in transit the moment it is attached to an email.

Encryption should not be seen as a security control that is “nice to have”, but as a “must have.” This is a perfect example of a control that reinforces your business goals. It is a simple, best-practice control that is required by many regulatory mandates such as HITECH, the Massachusetts Data Breach Notification Law, the PCI standards, etc… so, when’s the last time your organization reviewed its encryption policy and its effectiveness?

David M. Jacquet, CEH, CEI, CCE, CISSP
The InfoSec Group
(207) 749-7436

Join me on LinkedIn!

Follow us on Twitter!


An unexpected value gained from Twitter.

March 3, 2010

Using social media is all the rage as of late, and for good reasons. In a previous blog entry, I mentioned several of the risks that are inherent to the use of social media, so it is not my intent to rehash this information here.

At a party I attended recently, I was asked why I use social media. I explained what can be gained from it from a business perspective, from brand awareness to brand management, and used pertinent and impressive explanations to back up the points I was making.

In truth, I wish I could claim that those “pertinent and impressive explanations” were mine, but credit must be given where credit is due: those pearls of wisdom were directly lifted from the likes of Rich Brooks from Flyte Media, Lynnelle Wilson from Bold Business Consulting, Chrystie Corns from Thirteen Thirty Marketing, David Washburn from David Washburn Marketing, Fred Abaroa, the Marketing Imagineer, and Jaica Kinsman from Guiding Stars to name but a few. My thanks to those talented individuals for making me sound smarter and hipper than I am!

One positive aspect of Twitter in particular that I recently discovered may take you by surprise. It is not related to being online – it’s about real life. That’s right, real life. What a concept!

Here’s what I noticed: people whose tweets I follow tend to be people for whom I have a lot of respect in real life.

It gets more interesting: most of those people I had never met before.

In other words, whatever qualities they displayed in their tweets were qualities that they actually have in person, and the reasons why I enjoyed following them on Twitter translated into our real life interaction and why I enjoy being around them so much.

I wonder if part of the reason for that is the fact that Twitter limits us to 140 characters per tweet, and that one has to focus on the essence of the message. I believe that the way in which one achieves that is to also, in many ways, express the essence of who they are as a person in the process.

As much as I enjoy following tweets online, I have far more enjoyed the live, in-person interaction I have shared with many people with whom I probably would never have connected had it not been for the interface that Twitter provided.

The risk? Hey, I am an information security pro, so I have to consider risk… the risk is that a talented social engineer could use this as a way to tweet his/her way into conning unsuspecting targets.

Remain vigilant, and make sure that your security policies and procedures are up-to-date and successfully transmitted to your users!

Oh yeah, and remember to hug your ISO today!



Four things you should know about data breaches

March 3, 2010

It seems that each day brings news of another collection of data breaches. A question I am asked regularly is “What should I know about data breaches?”

Excellent question indeed! Let’s quickly review the salient points raised by this question, and what can be done to mitigate these issues.

1. What is a data breach?

Anytime information falls into the hands of an “unauthorized third-party”, it is technically a data breach. Basically, it is a loss of confidentiality for a given data item.

2. How much does a data breach cost?

The cost of a data breach can be difficult to ascertain. It is usually referred to as a “per-record” cost. A recent article in Network World indicated that the per-record cost of a breach used to be around $100 as of 5 years ago. Today, on average, it is in excess of $200.

Note: this cost does not take into account the cost of potential litigation, fines and reputational loss – the latter being the most difficult to quantify pre-breach.

3. How do data breaches occur?

There are mostly three categories of causes for data breaches:

Human error: from losing a PDA or laptop – or, dare I say it, an iPad – to not logging off a computer, the list of errors that a human can make is seemingly endless. It could be summed up as “human negligence.”

Machine-error: a computer glitch, an unpatched host, a PC without up-to-date anti-virus can all contribute to a loss of confidentiality.

Malicious behavior: either internal or external, malicious behavior is first and foremost a crime of opportunity – in a report published a year ago, Verizon reported that about 80% of all hacking attempts started as a crime of opportunity. The lesson to be learned here is simple: remove the opportunity, remove 80% of the actual crime.

Easier said than done!

4. So… what can I do about it?

The first requirement is to be security-aware. It is quite difficult to protect something you don’t know you have, and didn’t realize you had to protect!

The second requirement is to develop a security program. It doesn’t have to be a cost-prohibitive endeavor to be successful, either.

As part of this security program, different controls can be designed and deployed, including, but not limited to, creating policies and procedures, providing employee training and performing internal and external penetration testing on your computer network.

The need for policies is simple: let’s figure out a way to run a given business process in a way that 1. guarantees the creation of the business value that prompted the need for the process, and 2. guarantees that the security of the assets involved in that process is not threatened.

Once that policy is created, we can create procedures to supplement it.

Finally, through consistently using these policies and procedures, we can protect ourselves from threats to the confidentiality of those assets.

But this consistency will only be attained if all users are trained and made aware of these policies and procedures, hence the importance of training all employees – not just those that are directly linked to IT or the Security department.

So here’s a quick exercise for you:

Think about the type of confidential information your business hosts. Maybe it’s financial records. Maybe it’s health records. Maybe it’s credit card records. Now think about how many of those records your business has accumulated through the simple act of doing business. Multiply that amount of records by $200. That’s the potential cost of a data breach to your business.

Let’s pretend that a medical practice has 20,000 medical records and that they are all breached. That’s an exposure of $4,000,000. Before lawsuits from angry patients, before reputational loss – would you go to a doctor’s office that can’t keep your health information secure and confidential?

So what is a data breach? It is a risk incurred every day by your business, a risk that can severely impact not only the bottom line, but potentially the very existence of your business.

If you were to have questions about the information contained in this blog, please feel free to contact me.

Thanks for reading!



10 questions you should ask about social media and data security.

March 3, 2010

Don’t look now, but social media is everywhere. Try as you may to escape it, you simply can’t. The reason for that universality is that social media, simply put, delivers on the promise.

It is therefore difficult to tell a business that they should refrain from using social media as a growth vector, and indeed, such is not our message.

However, it would be foolish to venture into this new set of business processes without carefully analyzing not only what the business can gain from it, but also what threats to the business are inherent to the use of social media.

Ten simple security questions:

At the InfoSec Group, we believe in two things:

1. Information Security is about business, not IT.
2. Simple – yet efficient – rules yield far more attractive results than complex ones.

With that in mind, here are some simple questions any business should consider prior to launching itself in the wild world of social media:

1. Should all employees be involved in social media, or should it be a selected, chosen few?
2. Should those employees who will not be professionally tasked with handling social media be allowed to access those sites?
3. Who owns the content and the followers/friends/connections: the business, or the employees?
4. Which social media platforms – Twitter, Facebook, LinkedIn, etc… – should the company use?
5. Which functions – messaging, posting, discussions, file transfer, group membership, etc… – should employees be allowed to use in the name of the company?
6. Which topics should employees be barred from commenting on? (Politics, religion, abortion, etc… come to mind.)
7. What is the reputational risk to the company of having employees publicly converse on social media platforms as representatives of the company?
8. How much, if any, monitoring of employees’ output and behavior on social media sites should take place?
9. What internal policies should be created or augmented to respond to the risks inherent to the use of social media by the company?
10. What training should employees receive before being allowed to officially represent the company on social media sites?

Some of these questions are first-degree, while others are more in-depth and will require a significant amount of internal discussions. I would recommend that any organization interested in using social media would answer at least those questions – many more come to mind, but for the sake of not writing a tome that would rival War and Peace in length, we decided to limit ourselves to ten.

Furthermore, it would behoove any company to make sure that representatives of different departments be present during these conversations, including, but not limited to:

Legal counsel
Information Security

Because of the perceived threat that social media can represent to an organization, the US Marine Corps went as far as banning access to social networking sites from its networks in 2009.

We are not advocating that your organization’s position should be as black and white, but we are certainly recommending that threats be identified and analyzed, and that remediation controls be deployed to answer them, before your organization launches itself into the wonderful world of social media.



Understanding Information Security

March 3, 2010

At the InfoSec Group, we assist our clients with meeting – and exceeding! – their information security goals. Some of our clients are mandated to do so, while others understand the importance to protect their business, their assets and their clients and have taken a proactive approach to acknowledging their responsibility as business owners/operators.

We enjoy the idea of increasing an organization’s information security awareness level from the top on down, and in the process of doing so, we have discovered that there are myths out there that certainly do die hard.

So in an effort to more accurately describe what it is that Information Security is, we traditionally communicate the following concepts:

1. Information Security is about business.
It is, simply put, a business goal. And like any other business goal, it is imperative that a strategy be developed, and that this strategy be designed to be integrated with the organization’s overall business strategy. The two must be aligned, otherwise the goals will not be reached.

2. Information Security is about people.
Because it is inherently cultural and behavioral, information security is and has always been about the people involved. To be successful, the company has to foster a culture of security. That cannot be achieved unless the culture is created and promoted by the C-level executives. After all, who wants to be burdened by security measures if the boss doesn’t have to abide by the same rules?

What we try to accomplish is to have employees understand the value that information security brings, and “buy in”. No buy in, no success.

3. Information Security is hinged on risk management.
Not understanding what risks threaten your assets – and therefore your business – and what costs are associated with these risks means that you are unprepared to protect yourself against these threats. A careful risk assessment process is a potent approach to identifying these threats and the controls necessary to protect the business. And because the process involves assigning a dollar value to the assets and the remediation controls, the process allows for the solutions chosen to make business sense.

4. Information Security is NOT about IT!!!
This is the biggest myth of all. Information Security is NOT an IT function – it is a business function. Making it an IT function means that your strategy is flawed from the start. To illustrate this point, consider the following:

Would you deploy an anti-virus solution to protect an asset threatened by a virus infection? Yes, because it makes IT sense to do so.

Would you deploy a $300,000 anti-virus solution to protect a $100,000 asset threatened by a virus infection? No, because it doesn’t make business sense to do so.

This is why information security has to be a business function, and not an IT function.

Furthermore, for IT to be in charge of security would be a violation of the basic principle of separation of duties, and is therefore widely regarded as a violation of security best practices.

In our next blog, we will look at the risk that the use of social media can create for a business. We will see that social media should be used – but that being aware of the inherent risks, and designing a simple strategy to mitigate those risks, will ensure that the organization can reap the benefits of social media without attracting unwanted threats.
