If you're a CTO or a network admin, you've probably memorised some of the basics of network security. Have lots of well-configured firewalls and IDS/IPS devices. Use switches instead of hubs. Make sure everyone uses complex passwords and make sure they don't write them down anywhere. Have lots of eyes and cameras around the building for the sake of physical security.
But in designing a secure network and workplace, your system is only as secure as your weakest link.
It's great to focus a lot of attention on hardware, software, and physical security. But there's one area that's frequently overlooked, and it can be the downfall of your business. Weaknesses in human nature are often the cause of major information security problems which can cost your company lots of money and put you at risk for litigation.
In security-hardening your network, you must also harden your human beings – your employees, your executives, and yourself. That's the only way to mitigate social engineering attacks, a surprisingly common problem.
According to a study of 850 IT professionals done by Dimensional Research between 2009 and 2011, 48% of large businesses suffered from social engineering attacks at least twenty-five times each.
Financial loss from a social engineering attack ranged from US$25,000 to $100,000 per event. So, the average large business in the study lost millions from their workers being deceived by attackers.
One of the most effective ways to learn is to understand other people's mistakes and how to avoid them
Social engineering
During the July 2012 Def Con, US retail giants Walmart and Target fared the worst in social engineering tests.
Def Con participant Shane McDougall phoned the store manager of a Canadian Walmart store, posing as a fictional government logistics manager named “Gary Darnell.”
“Gary Darnell” said he had an opportunity for a multimillion dollar government contract, and that he needed to visit a few Walmart stores in the area in order to consider Walmart as a new supplier. “All I know is that Walmart can make a ton of cash out of it.”
While having had no contact with “Gary Darnell” other than as a voice on the other end of the phone call, McDougall got a lot of valuable sensitive information, which are called “flags” in the Def Con social engineering competition. McDougall got all of the competition's “flags” while talking to the Walmart store manager on the phone.
They included employee shift schedules, janitorial and cafeteria service providers, and information about the manager's work PC, including its operating system, web browser, and antivirus software.
If a real attacker knew that sort of information about a target, they could then orchestrate conventional computer hacking attacks which exploit vulnerabilities that are specific to particular applications and hardware. Even if “Gary Darnell” was a real government logistics manager, why would he need to know that sort of stuff in order to consider those Walmart stores as a business partner?
“Darnell” even managed to get the store manager to try to visit a specific URL. If that URL led to an actual phishing website, an attacker could then penetrate the target PC and the network it’s connected to with malicious web server-side scripting, and client-side scripting such as JavaScript. The entire corporate network could go down with a few clicks by the victim.
McDougall excitedly announced “All flags!” to the convention audience.
At the same competition, John Carruthers already knew one of the applications Target uses in their supplier system. Competition participants were encouraged to research information about corporations that's publically available on the web.
He pretended to be a Target employed systems administrator while he was on the phone with a store manager who was at Target's Minnesota headquarters.
Knowing the application, and a lot of technical jargon that'd go over the head of someone who lacks computing expertise, Carruthers was able to overwhelm the store manager.
I assume the store manager thought, “of course this guy is one of our tech people, listen to the way he talks!” He was pretending to need sensitive information in order to apply a software patch. He got all of the information he wanted.
Other big corporations that failed the Def Con competition miserably included Cisco, HP, Shell, Verizon, FedEx, and UPS. Cisco really concerns me, because they make network security devices such as firewalls.
Thankfully, the competition participants were whitehat, and just conducted their activity to demonstrate how insecure those big corporations were. And the vulnerabilities were simply human nature.
AOL
Back in 1998, America Online was a much larger and much wealthier tech company than it is now.
In May of that year, the American Civil Liberties Union had an AOL presence. A blackhat acquired unauthorised access to ACLU's site and was able to deface it.
An audit revealed that a lot of the time, people could call AOL with a username and a customer's name, and that'd be all they'd need in order to reset an AOL account's password. With an attacker having a password to an AOL account, and with the account's paying customer not having it, an attacker could do whatever they wanted to the customer's website, and lock the paying customer out of their account.
Knowing that particular attack happened to the ACLU, it probably happened to many other AOL accounts as well.
The help desk attack vector
Just like with AOL, even these days, a corporation's consumer tech support department is usually a huge vector for social engineering attacks that can cost millions of dollars each.
In SANS' 2013 Help Desk Security and Privacy Survey, hundreds of companies of all sizes and industries were found to have massive help desk vulnerabilities.
The security measures that most help desks in the survey depended on were just full employee or customer names, email addresses, and locations.
Far too many targeted corporations have a lot of that information on their websites. Even more of that information can be acquired simply by looking at the social networking site profiles of specific people.
Social engineering attacks, via telephone, email, and other means, are exceedingly common and even big tech companies are susceptible to them.
How to create and enforce a security-aware corporate culture
There are a few simple things that corporations can do to protect themselves from devastating social engineering attacks.
• Train All Employees and Executives to Be Vigilant
Use corporate workshops, memos, and training to make it clear to all employees, contractors, and executives that they can become subject to social engineering attacks, usually via email or telephone.
Employees and contractors will often fear being reprimanded for not fully cooperating with someone who identifies themselves as a fellow employee or a superior in the organisation. Make it corporate policy that all sensitive data should only be shared to people who can prove who they are in person, rather than over the phone, email, or SMS.
Make it clear that no one will be reprimanded for not sharing information when they have any reason to be suspicious.
Teach all employees, contractors, and executives how easy it is for attackers to spoof call display phone numbers, and email addresses. Email address spoofing is as easy as using a web form.
Make sure that everyone in the organisation gets social engineering resistance training when they're hired, and reminders at least once every six months while they work for the company. Anyone can become subject to social engineering attacks, not only help desk and customer service workers.
• Redesign Help Desk Policies
But on that note, be aware that help desk and customer service workers are the most vulnerable. A lot of social engineering vulnerabilities are built into corporate policy and should be changed.
Wherever applicable, insist that employees and customers use passwords and digital authentication measures such as key cards when they try to make changes or access information that an attacker can use to hurt the company.
Otherwise, where possible, insist that employees and customers meet in person, or use video conferencing when the other party can recognise the face of someone else in the organisation.
• Penetration Test for Social Engineering Vulnerabilities
Businesses in all industries and of all sizes should hire third-party penetration testers at least once a year. Make sure that the pen testers have CISSP or CEH certification, and see if they have a good reputation with their other clients by checking work references.
During each penetration test, make sure that the testers do at least some testing for social engineering vulnerabilities. That means the testers may phone or email employees, contractors, and executives and the subject won't know they're being tested.
If your pen testers find that your organisation shares sensitive information too easily, you can fix those specific vulnerabilities with training and possible policy changes.
The most important thing to keep in mind is that information security is a process, not a product. Security isn't created simply by installing hardware, software, and certain parameters. Every single day you're in business, security should be minded and improved upon.
Kim Crawley is a security researcher for the InfoSec Institute, an IT security training company.