Over the years much has been written about how users are the weakest link in security, and not many people would disagree. Despite this, companies often undervalue the importance of educating personnel about the important security issues of the day. It is easy to see why: companies have spent considerable time and money deploying firewalls and other technical controls. This makes sense to IT staff, and it is often what people expect IT to spend their time on.
Users, however, are an integral part of the business and often need more tender loving care than we give them credit for. No one will dispute that the technical work is required, but unless the organisation also provides security awareness training to users, in an effort to help protect the organisation’s information, the risks remain high. The purpose of this article is to highlight the dangers of the growing phenomenon of social engineering, and to offer some practical advice for dealing with it.
In a nutshell, social engineering is a method of gaining access privileges to an organization and its assets by querying personnel over communications media such as telephone, e-mail, chat, bulletin boards, face-to-face contact and so on, from a fraudulent “privileged” position. The methodology employs a number of techniques to determine the level of ‘security awareness’ that exists in the organization under review. In fact, reformed computer criminal and security consultant Kevin Mitnick popularized the term social engineering, pointing out that it is much easier to trick someone into giving you his or her password for a system than to spend time hacking in. He claims it to be the single most effective method in his arsenal.
I’ve worked on many projects over the years where we’ve attempted to gain access to a network and the data on it using social engineering techniques. One of the more common tactics involves calling end-users and impersonating IT staff or other, usually non-existent, companies. The percentage of usernames and passwords given away by staff always astonishes me; typically we have a success rate of 75% or more. This holds across private and non-private companies and medium to large organizations, and it works equally well against high-end business managers, who are likely to have remote access. When combined with scanning for publicly accessible services, it can prove a highly effective way to gain remote access to a system or network. External PPTP VPNs and SSL VPNs are prime examples of such services.
But how much work does an attacker have to do to get usernames and passwords from end-users? In my experience, unless a company already has a security awareness program in place, a few hours on the Internet and a few phone calls are all that is needed. Before making calls, an attacker need only spend a couple of hours researching user names, phone numbers and addresses on the Internet. This is followed up with a few initial phone calls to reception to get the name of the IT manager, the number for IT support and maybe even some names of the IT support staff. All this information is ideal for some name-dropping during the calls to add an air of authenticity, especially if you are pretending to carry out an authorised third-party audit or pretending to actually be from the IT support team. A few calls to users later, the chances are you will have some usernames and passwords, all without having to worry about technical matters like password cracking or any other mathematically challenging work.
Of course, unless the user has received some security awareness training, why wouldn’t they give their username and password to someone who says they are working in IT support, especially if the IT manager (whose name could be dropped in the telephone call) has authorized this as part of a major, fictitious incident? In some companies it is common practice for the IT support team to ask users for their password to resolve support cases more quickly, which makes users even more likely to give away their password when asked for it.
If all this seems unlikely to catch your well-trained users out, perhaps a more focused and targeted phishing attack may be more effective. This modus operandi is surprisingly effective and has the potential to harvest more usernames and passwords from even the most savvy of users.
At first glance, the technicalities involved in setting up a phishing attack may appear a bit complicated, but for the technically adept it should not take more than a couple of hours. After harvesting a number of user names and email addresses from the Internet, the only task left is to send off some emails and wait for a bite! In a recent project for a client, within 24 hours 10% of the users emailed had supplied their usernames and passwords to our bogus website. Could you be sure you or your users would not do the same?
Without security-aware users it is unlikely that this type of attack would even be noticed. The main indicators that the users could have picked up on were that we used a plain http site (not https) and that the survey website was hosted on an external server, with the link being in the form http://IPAddress/itsurvey.html. Worryingly, however, if a company has any cross-site scripting problems on its web server, it would be possible to use a link containing the real company web site address rather than just an IP address.
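The indicators just described can be turned into a simple triage check that awareness trainers (or a mail filter) can run over links in a suspicious email. The following is an added example and is not code from the original article: it flags a plain http scheme, a raw IP address as the host, a host outside the organisation's own domain, credentials embedded in the URL, and, for links that do use the genuine company domain, injected script or an embedded redirect in the query string (the cross-site scripting case noted above). The organisation domain `example.com`, the function names and the sample email text are assumptions constructed for this example.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed placeholder: replace with the organisation's real domain(s).
ORG_DOMAINS = frozenset({"example.com"})

# Script tags, javascript: URLs and a few event-handler attributes that
# commonly appear in injected markup.
_SCRIPT_RE = re.compile(
    r"<\s*script|javascript:|\bon(?:load|error|click|mouseover)\s*=", re.I
)
_URL_IN_TEXT_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def _is_ip_literal(host: str) -> bool:
    """True if the host part is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def _is_org_host(host: str, org_domains) -> bool:
    """True if host is one of the organisation's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in org_domains)


def link_indicators(url: str, org_domains=ORG_DOMAINS) -> list[str]:
    """Return the sorted red flags for one link; an empty list means nothing suspicious."""
    flags = set()
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    if scheme != "https":
        flags.add("not-https")          # plain http, as in the article's survey site
    if not host:
        flags.add("no-host")
    elif _is_ip_literal(host):
        flags.add("ip-address-host")    # http://IPAddress/... style link
    elif not _is_org_host(host, org_domains):
        flags.add("external-host")      # lookalike or unrelated domain
    if parts.username is not None:
        flags.add("userinfo-in-url")    # "name@host" disguises the true host

    # A link on the genuine company domain can still carry injected script or a
    # redirect in its parameters (the cross-site scripting case in the article).
    decoded_tail = unquote(parts.query) + "#" + unquote(parts.fragment)
    if _SCRIPT_RE.search(decoded_tail):
        flags.add("script-in-parameters")
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        if re.match(r"https?://", unquote(value), re.I):
            flags.add("redirect-in-parameters")
            break
    return sorted(flags)


def flagged_links(email_body: str, org_domains=ORG_DOMAINS) -> dict[str, list[str]]:
    """Extract http(s) links from an email body and keep only those with red flags."""
    result = {}
    for match in _URL_IN_TEXT_RE.finditer(email_body):
        url = match.group(0).rstrip(".,;:)")   # drop trailing sentence punctuation
        flags = link_indicators(url, org_domains)
        if flags:
            result[url] = flags
    return result


if __name__ == "__main__":
    # Constructed sample email text, modelled on the survey lure described above.
    SAMPLE_EMAIL = (
        "Please complete the IT survey at http://203.0.113.7/itsurvey.html by Friday. "
        "The policy is at https://intranet.example.com/policy."
    )
    for link, reasons in flagged_links(SAMPLE_EMAIL).items():
        print(f"{link}: {', '.join(reasons)}")
```

The check is deliberately conservative: it reports why a link looks wrong rather than blocking it, which makes the output usable as teaching material in an awareness session. Subdomain matching on the organisation's domain means a lookalike such as `example.com.it-survey.invalid` is still reported as external.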
If further justification were required, security awareness training is recommended as part of many security standards, including ISO 27001 and the Payment Card Industry (PCI) standard. Both standards mandate that staff shall be aware of information security threats and issues and shall be equipped to support organizational security policy.
The bottom line is that by taking the time to run a short and simple end-user awareness program you will see remarkable changes in the behavior of end-users. A 30-minute seminar run once a year can inform and educate your personnel about the dangers lurking on the other end of the phone or in that friendly email. An educated, security-savvy user is more of a friend and less of a liability!