Social engineering: The forgotten risk

Sophisticated tech security won’t stop criminals from conning staff into giving secrets

When a consultant came to the small engineering firm, saying he was hired by the president (who was away at that time) to assess the new project, no one suspected anything illegitimate.

His leather briefcase, luxury watch, dark suit and ability to butter people up with rumours about upcoming promotions gave him access to the R&D, marketing and finance departments.

After meeting with a few engineers who gave him blueprints, and receiving figures from the marketing and finance staff about their programs, he took everyone to lunch. He thanked everybody, and told them he was going to work from home for a while and drove away.

A few weeks later a competitor of this small engineering firm came out first with the same product it had been working on for the last 14 months.

What happened to this firm is known as social engineering — the criminal art of tricking staff into revealing corporate information. It can be used not only in face-to-face interaction, but also over the telephone, e-mail, letter mail or even through another person.

Many in the security industry seem to have forgotten that computers and technology are merely tools, and that it is the human who is using, configuring, installing, implementing and abusing these tools. Information security is more than just implementing a variety of technologically complex controls. It encompasses dealing with the behaviour, or more appropriately the misbehaviour, of people. Money and effort can be spent on technical controls and on producing better, more secure code, but all of this is moot if staff give away the keys to the kingdom.

The success of social engineering attacks is primarily due to two factors: basic human nature and the business environment.

Human nature

Falling victim to a social engineering attack has nothing to do with intelligence, and everything to do with being human, being somewhat naive, and not having the proper mindset and training to deal with this type of attack. People, for the most part, are trusting and co-operative by nature.

The primary targets of social engineering are help desks or administrative and technical support people. The interactions are usually one on one but not necessarily face to face (the relationship is usually virtual in nature either by phone or online). Attackers tend to seek out individuals who display signs of being susceptible to this psychological attack.

Business environment

Thanks to the increase of mergers and acquisitions, rapid advances in technology, and the proliferation of wide area networking, business environments have become more susceptible to social engineering. It is not uncommon to have never met the business contacts one deals with on a regular basis, including those from one’s own organization, let alone suppliers, vendors and customers. Face-to-face human interaction is becoming even more rare with the widespread adoption of telecommuting technologies for employees. It’s possible to work for an organization and rarely set foot in the office.

Businesses and organizations today have also become more service-oriented than ever before. Employees are often rated on how well they contribute to a team environment and how well they serve customers and other departments. It is rare to see an evaluation that measures the degree to which someone is conscious of security when performing duties. This needs to change in order to deal effectively with the threat of social engineering.

Mitigating the risk

Social engineering attacks tend to follow a phased approach, and in most cases, the attacks are very similar to how intelligence agencies infiltrate their targets. The phases can be categorized as:

• intelligence gathering;

• target selection; and

• the attack.

Regardless of the type of social engineering attack, the success rate is alarmingly high. Attacks are often difficult to trace and in some cases difficult to identify. If the attacker has gained access via a legitimate account, in most cases the controls and alarms will never be activated, as the attacker has done nothing wrong as far as the system is concerned.

If social engineering is so easy to do, then how do organizations protect themselves against the risks of these attacks? The answer is relatively simple but it entails a change in thinking by the entire organization. To mitigate the risk of social engineering, organizations need to educate and train staff on information security threats and how to recognize potential attacks.

Protecting an organization from the threat of social engineering requires a basic understanding of information security. Protection mechanisms usually fall into three categories. To adequately protect information security assets, a combination of all three is required:

• physical security;

• logical (technical) security; and

• administrative security.

Information security initiatives must be customized to meet the unique needs of the business. Effective information security is the result of a process of identifying an organization’s valued information assets, considering the range of potential risks to those assets, implementing policies tailored to those specific conditions, and ensuring that those policies are developed, implemented and communicated properly.

What does this mean for human resource specialists? It means that the HR department needs to be in close contact with the information security department so that a variety of effective measures are built into HR processes.

Physical security: The physical security components are the easiest to understand, and arguably, the easiest to implement. Most people will think of keys, locks, alarms and guards when they think of physical security. While these are by no means the only security precautions that need to be considered when securing information, they are a logical place to begin. Physical security, along with the other two, logical and administrative, is a vital component and is fundamental to most information security solutions. Physical security refers to the protection of assets from theft, vandalism, catastrophes, natural disasters, deliberate or accidental damage, and from unstable environmental conditions such as electrical, temperature, humidity and other related problems. Good physical security requires efficient building and facility construction, emergency preparedness, reliable electrical power supplies, reliable and adequate climate control and effective protection from both internal and external intruders.

Logical (technical) security: Logical security measures are those that employ a technical solution to protect the information asset. Examples include firewalls, access control systems, password systems and intrusion detection systems. These controls can be very effective, but usually they rely on the human element, or on human interaction, to work successfully. It is this human element that can be exploited rather easily.

HR/administrative security: Administrative security controls are those that usually involve policies, procedures and guidelines. Examples include information security policies, awareness programs and background checks for new employees. All of these are administrative in nature and do not require a logical or technical solution to implement, but they all address the issue of information security.

Leadership

The highest level of management present in any organization must endorse and support the idea and principles of information security. Everyone from top to bottom must understand the security principles involved, and act accordingly. This means that high-level management must define, support and issue the information security policy of the organization, which every person in the organization must then abide by. It also means that upper management must provide appropriate support, in terms of funding and resources, for information security. A successful information security policy requires the leadership, commitment and active participation of top-level management.

Critical information security strategies rely primarily on the appropriate and expected conduct on the part of personnel, and only secondarily on the use of technological solutions. This is why it is critical for all information security programs to address the threat of social engineering.

Policies, awareness, education

The problem with countering social engineering attacks is that most logical security controls are ineffective as protection mechanisms. Because the social engineering attacks target the human element, protective measures need to concentrate on the administrative portion of security. An effective countermeasure is to have good, established policies that are communicated across the organization.

Policies are instrumental in forming “rules of behaviour” for employees. Examples of these types of policies include: access control, proper use of the Internet, proper use of the e-mail system, and malicious software protection.

These policies can only be effective if they are understood by all employees. A good way to communicate policies is to merge them into existing HR processes, such as annual job review programs and introductory orientation sessions for new employees.

When policies are established and combined with an effective user awareness program, the result is an integrated security program that everyone understands and believes is part of their own required job duties. It is critical to convey this message to all employees, from top to bottom. The result will be an organization that is more vigilant at all levels, and made up of people who believe they are contributing to the well-being of the corporation. This is an important perception that contributes greatly to employee satisfaction. It also protects against the threat of disgruntled employees, another major concern for information security programs. It can be these disgruntled employees who willingly give sensitive information to unauthorized users, regardless of the social engineering methods used.

Most people learn best from first-hand experience. Once it’s shown that each individual is susceptible to social engineering attacks, employees tend to be more wary and aware. It is possible to improve an organization’s immunity to social engineering by providing a forum for discussions of other organizations’ experiences.

Continued awareness is important. An awareness program needs to be repeated on a regular basis to reaffirm policies. With today’s technology it is easy to set up effective ways to communicate with employees on a regular basis. A good way to provide this type of forum is to use a Web site that will contain not only corporate policies, but also safety tips and information regarding amusing social engineering stories. Amusing stories tend to get the point across better, especially because people love to hear about other people’s misfortunes.

Explaining to employees the importance of information security and that there are people who are prepared to try and manipulate them to gain access to sensitive information is a wise first step in a defence plan. Simply forewarning people of possible attacks is often enough to make them alert enough to be able to spot them, and react accordingly. The old saying is true: “knowledge is power” — or in this case, it increases security.

A time-honoured technique of criminals

“Social engineering,” which in the past has referred to authoritarian practices of over-regulating in order to change behaviours within a society, has recently acquired a new meaning. The new meaning came into usage primarily in the IT world, and refers to hackers and competitors who infiltrate computer systems by conning people into revealing sensitive data.

In the context of corporate security, it refers to criminal attempts to influence staff into revealing information or acting in a manner that would result in unauthorized access to, unauthorized use of, or unauthorized disclosure of systems or data.

It’s synonymous with conning or deceiving someone. Using deception or conning a person is nothing new in the field of criminal activity, yet despite its longevity this kind of behaviour is still surprisingly effective. It would be very interesting to point to information on the apparent size of the social engineering problem. Unfortunately there is very little data to use for this purpose.

Despite the frequent references to social engineering in the information security field, there has not been much direct discussion of this type of attack. The reasons for this vary. Some within the field have suggested that social engineering attacks the intelligence of the victim, and as such there is a reluctance to admit that it has occurred. Yet, despite this reluctance, some of the most infamous computer criminals have relied more on social engineering to perpetrate crimes than on any real technical ability. Why spend time researching and scanning systems looking for vulnerabilities, and risk being detected, when one can simply ask someone for a password to gain access? Most criminals are opportunists. They look for the easy way into a system, and what could be easier than asking or deceiving someone to let them in?

Companies seem to have done a good job instilling the notions of teamwork and co-operation in the workplace. So much so that, in their eagerness to help out, employees are falling prey to unscrupulous people who gain unauthorized access to systems through social engineering attacks.

John Berti is a senior manager with Deloitte & Touche Security Services. He may be reached at [email protected].
