Social Engineering for Security

Social Engineering for Security

Debra D’Agostino

Untitled Document

CIO Insight: What is social engineering?

Mogull: Social engineering is the manipulation of people rather than

electronic systems in a security attack. The reality of it is that we all use

it on a day-to-day basis-to get a discount at a store, to maybe get into a concert

that we’re not supposed to get into, and so forth. Successful social engineering

can completely circumvent all of our security.

Here’s an example: How hard do you think it is to get a UPS uniform? You can

buy one on eBay for $50 bucks with 48-hour delivery. How much access do we give

the UPS guys? Say this UPS guy comes in early in the morning before anyone else

is in the office and he’s got a delivery for so-and-so. He walks into the data

center with a PDA, plugs it into the computer, and voila. He can suck down anything.

Obviously, there are a lot of tools at the disposal of somebody who wants to

perpetuate these kinds of problems.

Another example: The cleaning and maintenance staff have access to your entire

organization overnight while they’re cleaning and maintaining. How do you know

that they don’t have a Ph.D. in computer science and malicious intent? You don’t.

Here’s a great story, and it’s true: A CEO of a company goes on vacation. The

day after he leaves, a consultant, wearing a suit, carrying all the right references,

walks in the door of the office and says, "Mr. Johnson hired me and asked

me to take a look at your engineering plans. Apparently, there was a technical

problem." Someone says, "Oh, he just went on vacation, he’s not here."

The consultant responds: "Well, you know, I came from out-of-town, I’m

only here for basically the one day. This is pretty important, and, frankly,

you guys already paid me a lot of money. Is there anyone I could talk to about

this?" So this person sits down, spends an entire day going over the engineering

plan, and walks out with copies because there are some issues that he needs

to work on later. Meanwhile, the CEO gets back from vacation and says: "What


A further example. A company went out and did scanning over public networks,

and they did it legally. They wanted to find out how much information they could

find out about the CIA by just using Internet tools only-no phone calls, nothing

else. Know what they found? Phone numbers and the names of people at those desks,

internal lines, through DNS registers and through network scanning. They mapped

the topology of the network, and then they were able to figure out who was in

charge of many of those network sectors. Now you get that information and you

make a phone call, and you know now the person’s name, you know their internal

extension, and you can use that to manipulate: "Hey, Bob, this is Jim over

from network engineering. We’re having a problem. Can you send me this e-mail,

how about this, how about that?" And that’s an example of this scanning

of the physical and the electronic worlds to gain information.

So we’re basically talking about cyber-crime-not necessarily digital break-ins,

but also physical break-ins?

Right. Social engineering is a scam, it’s a con, and whether it’s digital or

physical, it depends on what the attack is. When I talk about it, I talk about

it in the terms of electronic attacks and how it’s used to perpetuate those

particular kinds of attacks. Oftentimes, it’s manipulation to get the user name

and the password. Direct manipulations of corporations for credit card information,

other account information. Insider attacks-somebody within an organization that’s

got some kind of malicious intent-are very large. I also classify former employees

in the same vein because they’ll often take advantage of another employee to

do some kind of internal attack.

How much more of an issue are these kinds of attacks today than they were

five or 10 years ago?

If there’s a worse anything, it’s just that organizations have a higher reliability

on their electronic systems, and oftentimes, if you think about 20 years ago,

more people have access to those systems than ever had access to them before.

But social engineering is a very well-known issue in the security community.

It’s also one that’s a bit more difficult to address than a lot of the traditional

security issues because, you know, you can’t stop people being from being people,

and as much as you’d like, your users are going to make mistakes and they’ll

be manipulated and everything else. I think it’s been a consistent problem.

What do CIOs and CISOs have in their arsenal to battle this problem?

I am not a fan of generic security training. It’s useless, absolutely a waste

of time. A wall poster about security won’t do anything if you don’t properly

structure your program. So the first step is to get your governance in place.

Then you can build you awareness and change your culture. You also train people

on security issues. System administrators need a lot of different training than

a developer, line employees or senior leadership needs. You need to teach them

what to do, how to report problems, how to respond to problems. You have to

have a hotline, and usually the help desk is the best place to put this. So

if there’s something they suspect, be it physical or electronic security, it

doesn’t matter, they’ve got one place to report it. I’ve often heard stories

about people reporting laptop thefts to the IT department and not physical security.

Is computer theft a technical or physical problem? It’s both. Depending on their

level of access, employers need to do background checks and not just a criminal

background check. If they have access to the data center, I don’t care if they’ve

got a garbage can in their hands or if they’ve got a laptop in their hands,

do the same background check. Especially when they’re the guys who are there

at 3 o’clock in the morning.

Terminated employees are a big problem. I hate to say this because you won’t

think it’s nice, but you know what? Don’t give anybody hints that you’re going

to fire them until you do, unless you really, really, really trust this person.

If there’s a sense that they’re disgruntled at all, then you have to have employee-termination

procedures. You have to change all their accounts, changing all their physical

access and make sure that they can’t go back and do stuff. Now again, it depends

on their job role, it depends on what kind of information you have. Monitor

usage patterns for unusual access or behavior. By the way, management hates

it when I say this, but if you have a positive working environment, you have

fewer disgruntled employees.

Are more companies beginning to adopt these policies?

I see some enterprises that are really good and very protective. Financial

services is moving a lot more in this direction, some of the more highly security

conscious organizations. But most people still can’t get their basic security

issues solved, and there are a lot of people out there who still just need to

stick with the basics. That’s because security is a cost center. It can be seen

as an inconvenience. Think about security in real life in the rest of the world.

It’s not something that gets us profit. It’s not necessarily where people put

their first investments, which I think is unfortunate. If you built a house

with no security, with no locks on the windows or doors, you’re going to have

a heck of a lot of work to do to retrofit it. It’s less work and time and cost

to integrate it in from the start.

And that’s what we do in real life. We do integrate it. We know when we buy

a house, we go ahead. Or, if you have a store, okay, you think about what other

forms of security you’ll need. Here’s the safe, here are the door locks, here

are the cameras, here are the security practices and policies, and we’re going

to get insurance if all this stuff fails. Trouble is, many companies haven’t

been all that great about implementing that same kind of design into their digital

systems. Companies need to stop relegating security to a line item of the IT

budget and really take a look at how they can best leverage all of their technology

investments and use security as a positive tool. That involves the security

guys working more closely with the business guys, and making sure that their

wants and needs and everything else are aligned. They have to have strong communication.

The role of a security department is to enable a business to take the greatest

amount of risk it wants to take in the safest way possible.

The IT department is responsible for the overall running of IT systems, so

they’re the ones who make sure the firewalls are up and configured and are functioning

in line with the security team. And then when there’s some kind of a potential

security incident, the security team is brought in, and they actually look at

resolving what the issue is. The security team puts representatives on major

projects so that the security needs of the project are dealt with very early

on. But oftentimes it’s the technology guys that are going to do the nuts and

bolts implementation.

How does social engineering affect the culture of a company?

People have to have a modicum of caution. Let’s face it, we as people are not

naturally distrustful (even though I am, but I’m paranoid and delusional). We’re

not naturally distrustful, and as such we’re open to manipulation, and there

are specific psychological techniques that are actually used to manipulate people.

And how much is too much? When do you cross the line from being secure to

being paranoid?

You don’t need to make people paranoid, not at all. The line is when security

interferes with your ability to do business. If you can’t get your job done

because the security’s getting in the way and if it’s inhibiting your growth,

that’s when you’ve gone too far.

Copyright © 2003 Ziff Davis Media Inc. All Rights Reserved. Originally appearing in CIO Insight.