You’ve seen it in movies, you’ve read about it in books. The bad guy talks his way into a bank by wearing a UPS uniform. The good guy pretends to be a person of authority and bullies an unsuspecting person on the phone until he gets the information he needs.
Social engineering is not new, but it is still widely misunderstood, and it must be part of your organization’s overall information security strategy.
When we define information security, we say that it is a business goal, and that it is about people.
When we define social engineering, we say that it doesn’t target servers or PCs – it targets people.
I’ll let you draw your own parallel between those two statements.
We run social engineering engagements very regularly, and they make for great (sanitized) stories to share during seminars and public speaking engagements. A quick example: I once ran an engagement against a financial institution in Massachusetts. The day before, the ISO told me how they had trained all their employees and that they were very confident. The next day, 15 minutes after sending a fake email to their employees, I had 75 user IDs and their corresponding passwords. That ISO? She felt less confident once I shared those results with her!
Let’s look at the five things that you should know about social engineering:
1. What is Social Engineering, anyway?
Social engineering is the art of targeting people, rather than servers, routers, firewalls or databases, to gain access to confidential information. Simply put: I can spend the time it takes to run a full brute-force attack against a server to crack passwords, or I can pick up the phone and ask a user for one! In my experience, the latter is much quicker, and for hackers, quicker is better.
2. What can I do to test my organization against social engineering activities?
You should run a social engineering test at least once a year. A test usually combines three attack vectors: web-based, phone-based and in person.
In a web-based test, users are confronted with a site that looks like their organization’s legitimate site and are asked, under some pretense, to enter their network user ID and password.
In phone-based engagements, we call unsuspecting employees and try to get them to act against policy: sharing a password, running commands on their computer, and so on.
During physical security engagements, we try to gain access to parts of the building that are private and therefore not open to the public. We attempt to plant a key logger without being noticed. We check the trash cans to see whether any confidential information can be recovered.
Regardless of the scenario used, the social engineer running it should be experienced, so that the test is a realistic assessment of the organization’s security posture. For large-scale engagements, for example, we use a gentleman who is a former CIA operative. Unfair, you say? So are malicious hackers!
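The web-based vector above is the one most organizations start with, and the part that gets done badly is the bookkeeping: attributing clicks and submissions to individual employees without turning the test into a password breach of your own making. The following is an added example, not code from the original post or its author: a small tracker that builds per-recipient HMAC-tokenized links to an assumed lookalike landing page, parses constructed access-log lines from that page, and reports per-department click and submission rates. The names, departments, domain, campaign key and log format are all hypothetical. Note that the password field is inspected only for presence and is never stored or returned.

```python
"""Phishing-simulation tracker: tokenized links, landing-page log parsing, reporting."""
import hashlib
import hmac
from collections import defaultdict
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed target list (hypothetical employees and departments).
TARGETS = {
    "alice@example.com": "Finance",
    "bob@example.com": "Finance",
    "carol@example.com": "Operations",
    "dave@example.com": "IT",
}

# Assumed campaign secret; in a real engagement, load it from a secret store.
CAMPAIGN_KEY = b"constructed-campaign-key"
# Assumed lookalike landing page controlled by the testers.
LANDING_URL = "https://portal-login.example.net/login"


def token_for(email: str, key: bytes = CAMPAIGN_KEY) -> str:
    """Per-recipient token derived with HMAC-SHA256, so one employee's link cannot
    be guessed from another's and each result can be attributed to a person."""
    return hmac.new(key, email.encode(), hashlib.sha256).hexdigest()[:24]


def build_links(targets=TARGETS) -> dict:
    """Unique link per recipient, to be embedded in the pretext email."""
    return {email: f"{LANDING_URL}?t={token_for(email)}" for email in targets}


def resolve_token(token: str, targets=TARGETS) -> Optional[str]:
    """Map a token back to an email; constant-time compare against each candidate."""
    for email in targets:
        if hmac.compare_digest(token_for(email), token):
            return email
    return None


def parse_access_log(lines, targets=TARGETS) -> list:
    """Turn landing-page access-log lines into attributed (email, kind) events.

    Constructed line format: METHOD PATH [form-body]. Any request carrying one of
    our tokens is a click; a POST whose pass= field is non-empty is a credential
    submission. The password value is deliberately discarded: the test only needs
    to prove that one was entered, not what it was."""
    events = []
    for line in lines:
        parts = line.split(" ", 2)
        method, path = parts[0], parts[1]
        token = parse_qs(urlparse(path).query).get("t", [""])[0]
        email = resolve_token(token, targets)
        if email is None:
            continue  # unknown or forged token: ignore rather than guess
        events.append((email, "click"))
        if method == "POST":
            form = parse_qs(parts[2]) if len(parts) > 2 else {}
            if form.get("pass", [""])[0]:
                events.append((email, "submit"))
    return events


def summarize(events, targets=TARGETS) -> dict:
    """Per-department counts; an employee who clicked or submitted twice counts once."""
    clicked, submitted = defaultdict(set), defaultdict(set)
    for email, kind in events:
        dept = targets[email]
        (submitted if kind == "submit" else clicked)[dept].add(email)
    report = {}
    for dept in set(targets.values()):
        total = sum(1 for d in targets.values() if d == dept)
        report[dept] = {
            "targeted": total,
            "clicked": len(clicked[dept]),
            "submitted": len(submitted[dept]),
            "submit_rate": len(submitted[dept]) / total,
        }
    return report


# Constructed access-log lines for the landing page (not real traffic).
SAMPLE_LOG = [
    f"GET /login?t={token_for('alice@example.com')}",
    f"POST /login?t={token_for('alice@example.com')} user=alice&pass=Winter2024",
    f"GET /login?t={token_for('bob@example.com')}",
    f"POST /login?t={token_for('carol@example.com')} user=carol&pass=hunter2",
    f"POST /login?t={token_for('carol@example.com')} user=carol&pass=hunter2",
    "GET /login?t=000000000000000000000000",  # forged token, ignored
    f"POST /login?t={token_for('dave@example.com')} user=dave&pass=",  # abandoned form
]

if __name__ == "__main__":
    for dept, row in sorted(summarize(parse_access_log(SAMPLE_LOG)).items()):
        print(dept, row)
```

The report is what goes back to the ISO: who clicked, who went as far as typing a password, and which departments need the follow-up training discussed later on. Because the tracker never keeps the submitted passwords, the artifacts of the test cannot themselves become a breach, and no employee has to wonder afterwards what the testers did with their credentials.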
3. It’s not a level playing field.
Your employees are busy running whatever business processes are assigned to them, and on top of that they have to remain security-aware. Our social engineers focus on nothing but how to trick people. It is not a level playing field, to say the least! We need to understand and accept that fact so that we can set our employees up for success, by creating an elaborate, customized social engineering strategy that meets the organization’s business and security goals.
4. What your social engineering strategy should include.
Your information security strategy should include a dedicated social engineering section. Its most effective components are policy creation, training and testing.
Your organization should have social engineering-specific policies, including some covering the use of social media. It is so easy to target and connect with employees through Twitter, LinkedIn and Facebook, to name only a few, that social media has become a very lucrative attack surface for hackers.
Once policies and their supporting procedures have been created, your users must receive training so that they are aware of the issue and know how to respond per the approved policies. This is what we mean by setting them up for success.
Once the training has been provided, it is time to test the employees, to ensure that the policies hold up under “live fire” and that the salient points of the training are ingrained in their consciousness. Wow, that last part sounded almost Orwellian!
5. What if my organization fails the test miserably?
Rejoice! First of all, you are in good company: we cannot speak for the rest of the industry, but in our experience we have never once been completely shut out of a target. Second, that is the point of testing: to find out which areas need more work, so that we can adjust the policies if need be and provide more targeted, and therefore more effective, training to employees. This is the test you can afford to fail. The live one against a malicious social engineer, however…
In closing, I would like to remind you that, because social engineering targets people, there is a very real cultural dimension to be aware of. When you set up the engagement(s), do so in a way that does not leave employees feeling they were ruthlessly tricked.
The goal is not to create resentment; it is to keep improving the organization’s security posture, and we cannot reach that goal without the active participation of the employees! We specialize in crafting solutions that provide realistic, actionable findings without jeopardizing the trust that exists between employees and management.
So ask yourself this: how do you feel your organization would fare if it were confronted with a malicious social engineer?
While it has definitely received the Hollywood treatment, Sneakers is a good movie to watch for a look at some social engineering techniques. For one thing, it features an all-star cast with the likes of Robert Redford, Sidney Poitier, the late River Phoenix, Dan Aykroyd and Ben Kingsley. For another, the technical consultant for that movie is none other than the former CIA operative I mentioned earlier, which gives the film an undeniable “real-world” quality.