Social Engineering for Security
Debra D’Agostino
CIO Insight: What is social engineering?
Mogull: Social engineering is the manipulation of people rather than
electronic systems in a security attack. The reality of it is that we all use
it on a day-to-day basis, to get a discount at a store, to maybe get into a concert
that we’re not supposed to get into, and so forth. Successful social engineering
can completely circumvent all of our security.
Here’s an example: How hard do you think it is to get a UPS uniform? You can
buy one on eBay for $50 bucks with 48-hour delivery. How much access do we give
the UPS guys? Say this UPS guy comes in early in the morning before anyone else
is in the office and he’s got a delivery for so-and-so. He walks into the data
center with a PDA, plugs it into the computer, and voila. He can suck down anything.
Obviously, there are a lot of tools at the disposal of somebody who wants to
perpetrate these kinds of problems.
Another example: The cleaning and maintenance staff have access to your entire
organization overnight while they’re cleaning and maintaining. How do you know
that they don’t have a Ph.D. in computer science and malicious intent? You don’t.
Here’s a great story, and it’s true: A CEO of a company goes on vacation. The
day after he leaves, a consultant, wearing a suit, carrying all the right references,
walks in the door of the office and says, "Mr. Johnson hired me and asked
me to take a look at your engineering plans. Apparently, there was a technical
problem." Someone says, "Oh, he just went on vacation, he’s not here."
The consultant responds: "Well, you know, I came from out-of-town, I’m
only here for basically the one day. This is pretty important, and, frankly,
you guys already paid me a lot of money. Is there anyone I could talk to about
this?" So this person sits down, spends an entire day going over the engineering
plan, and walks out with copies because there are some issues that he needs
to work on later. Meanwhile, the CEO gets back from vacation and says: "What
consultant?"
A further example. A company went out and did scanning over public networks,
and they did it legally. They wanted to find out how much information they could
find out about the CIA by just using Internet tools only, no phone calls, nothing
else. Know what they found? Phone numbers and the names of people at those desks,
internal lines, through DNS registers and through network scanning. They mapped
the topology of the network, and then they were able to figure out who was in
charge of many of those network sectors. Now you get that information and you
make a phone call, and you know now the person’s name, you know their internal
extension, and you can use that to manipulate: "Hey, Bob, this is Jim over
from network engineering. We’re having a problem. Can you send me this e-mail,
how about this, how about that?" And that’s an example of this scanning
of the physical and the electronic worlds to gain information.
CIO Insight: So we’re basically talking about cyber-crime, not necessarily digital break-ins,
but also physical break-ins?
Mogull: Right. Social engineering is a scam, it’s a con, and whether it’s digital or
physical, it depends on what the attack is. When I talk about it, I talk about
it in the terms of electronic attacks and how it’s used to perpetrate those
particular kinds of attacks. Oftentimes, it’s manipulation to get the user name
and the password. Direct manipulations of corporations for credit card information,
other account information. Insider attacks, somebody within an organization that’s
got some kind of malicious intent, are very large. I also classify former employees
in the same vein because they’ll often take advantage of another employee to
do some kind of internal attack.
CIO Insight: How much more of an issue are these kinds of attacks today than they were
five or 10 years ago?
Mogull: If there’s a worse anything, it’s just that organizations have a higher reliance
on their electronic systems, and oftentimes, if you think about 20 years ago,
more people have access to those systems than ever had access to them before.
But social engineering is a very well-known issue in the security community.
It’s also one that’s a bit more difficult to address than a lot of the traditional
security issues because, you know, you can’t stop people from being people,
and as much as you’d like, your users are going to make mistakes and they’ll
be manipulated and everything else. I think it’s been a consistent problem.
CIO Insight: What do CIOs and CISOs have in their arsenal to battle this problem?
Mogull: I am not a fan of generic security training. It’s useless, absolutely a waste
of time. A wall poster about security won’t do anything if you don’t properly
structure your program. So the first step is to get your governance in place.
Then you can build your awareness and change your culture. You also train people
on security issues. System administrators need very different training from what
a developer, line employees or senior leadership needs. You need to teach them
what to do, how to report problems, how to respond to problems. You have to
have a hotline, and usually the help desk is the best place to put this. So
if there’s something they suspect, be it physical or electronic security, it
doesn’t matter, they’ve got one place to report it. I’ve often heard stories
about people reporting laptop thefts to the IT department and not physical security.
Is computer theft a technical or physical problem? It’s both. Depending on their
level of access, employers need to do background checks and not just a criminal
background check. If they have access to the data center, I don’t care if they’ve
got a garbage can in their hands or if they’ve got a laptop in their hands,
do the same background check. Especially when they’re the guys who are there
at 3 o’clock in the morning.
Terminated employees are a big problem. I hate to say this because you won’t
think it’s nice, but you know what? Don’t give anybody hints that you’re going
to fire them until you do, unless you really, really, really trust this person.
If there’s a sense that they’re disgruntled at all, then you have to have employee-termination
procedures. You have to change all their accounts and all their physical
access and make sure that they can’t go back and do stuff. Now again, it depends
on their job role, it depends on what kind of information you have. Monitor
usage patterns for unusual access or behavior. By the way, management hates
it when I say this, but if you have a positive working environment, you have
fewer disgruntled employees.
CIO Insight: Are more companies beginning to adopt these policies?
Mogull: I see some enterprises that are really good and very protective. Financial
services is moving a lot more in this direction, some of the more highly security
conscious organizations. But most people still can’t get their basic security
issues solved, and there are a lot of people out there who still just need to
stick with the basics. That’s because security is a cost center. It can be seen
as an inconvenience. Think about security in real life in the rest of the world.
It’s not something that gets us profit. It’s not necessarily where people put
their first investments, which I think is unfortunate. If you built a house
with no security, with no locks on the windows or doors, you’re going to have
a heck of a lot of work to do to retrofit it. It’s less work and time and cost
to integrate it in from the start.
And that’s what we do in real life. We do integrate it. We know when we buy
a house, we go ahead. Or, if you have a store, okay, you think about what other
forms of security you’ll need. Here’s the safe, here are the door locks, here
are the cameras, here are the security practices and policies, and we’re going
to get insurance if all this stuff fails. Trouble is, many companies haven’t
been all that great about implementing that same kind of design into their digital
systems. Companies need to stop relegating security to a line item of the IT
budget and really take a look at how they can best leverage all of their technology
investments and use security as a positive tool. That involves the security
guys working more closely with the business guys, and making sure that their
wants and needs and everything else are aligned. They have to have strong communication.
The role of a security department is to enable a business to take the greatest
amount of risk it wants to take in the safest way possible.
The IT department is responsible for the overall running of IT systems, so
they’re the ones who make sure the firewalls are up and configured and are functioning
in line with the security team. And then when there’s some kind of a potential
security incident, the security team is brought in, and they actually look at
resolving what the issue is. The security team puts representatives on major
projects so that the security needs of the project are dealt with very early
on. But oftentimes it’s the technology guys that are going to do the nuts and
bolts implementation.
CIO Insight: How does social engineering affect the culture of a company?
Mogull: People have to have a modicum of caution. Let’s face it, we as people are not
naturally distrustful (even though I am, but I’m paranoid and delusional). We’re
not naturally distrustful, and as such we’re open to manipulation, and there
are specific psychological techniques that are actually used to manipulate people.
CIO Insight: And how much is too much? When do you cross the line from being secure to
being paranoid?
Mogull: You don’t need to make people paranoid, not at all. The line is when security
interferes with your ability to do business. If you can’t get your job done
because the security’s getting in the way and if it’s inhibiting your growth,
that’s when you’ve gone too far.
Copyright © 2003 Ziff Davis Media Inc. All Rights Reserved. Originally appearing in CIO Insight.